Cybersecurity risks are real, and recent security breaches show that the threat keeps growing. Whether in Singapore (Fullerton Health, October 2021), Australia and New Zealand (Latitude Financial, March 2023) or Malaysia (Malaysia Airlines, March 2021), these breaches cut across industries but share one common factor: each occurred through the organisation’s third-party suppliers.
Faced with constraints on budget, resources and time, organisations increasingly rely on third-party suppliers to enhance or augment business and operational processes, including outsourcing technology solutions and services, often with minimal oversight of those suppliers’ security capabilities.
Compounding this, companies are paying a premium for the security talent that is available, a consequence of the persistent shortage of workers versed in cybersecurity law, modern IT environments and newer security frameworks.
At the same time, global cyberattacks have exposed the weaknesses in outsourcing critical and sensitive information to third-party service providers.
Cybersecurity risks, a view from the top
Cybersecurity must be a priority at the executive leadership level, with cybersecurity strategies in place, irrespective of industry. As recent security breaches show, no industry is spared. In APAC, there is growing recognition of the importance of cybersecurity resiliency and scalability, and of the critical role of cybersecurity teams.
Fortunately, a growing number of companies in the region are becoming increasingly aware of the importance of addressing cybersecurity threats. What they often lack is a comprehensive security strategy aligned to their business objectives, and the skills to implement solutions that meet their risk tolerance and appetite.
Cybersecurity needs to be integrated into the organisational structure like any other business function, reporting to executive leadership for accountability. Only when the tone is set at the top and cascaded through the organisation will cybersecurity awareness, and the need to manage threats, become inculcated throughout it.
Cybersecurity resiliency, the need of the hour
In an era where an organisation’s crown jewels are no longer managed on-premises, it is essential to know where your data is, who has access to it, who manages it and how well it is protected. The most crucial question is this: if there is a security breach, would you know about it early enough to take immediate action to manage the impact on your organisation?
How resilient is your organisation? How prepared are you?
Cybersecurity resiliency depends on an organisation’s ability to prepare for, anticipate, respond to and recover from a cybersecurity incident while continuing to operate.
With reliance on third parties, the threats to an organisation’s crown jewels extend beyond the organisation’s borders. The threat landscape permeates the supply chain, from upstream customers to downstream third- and fourth-party suppliers.
Hence, to have complete oversight of its threats, an organisation needs to assess:
⦁ Its own security posture
⦁ The security posture of its third and fourth parties, i.e. the suppliers to whom its third parties in turn outsource the management of the organisation’s information
⦁ The security and assurance of information shared with its upstream customers
Only with this end-to-end view can an organisation begin to have oversight of its own digital resiliency in a constantly evolving threat landscape. That pace of change requires organisations to develop cybersecurity roadmaps to resiliency quickly, keeping up with threats that could impact the organisation’s ability to operate its business and to protect its brand, reputation and financials.
Managing cybersecurity through a risk lens
Most organisations today face scarce, and competing, demands on budget, time and resources. A risk-based approach to cybersecurity helps organisations make more effective decisions about where those scarce resources should be invested.
Developing and implementing a risk management framework aligned to internationally accepted standards, such as ISO 31000 for risk management, provides a structured approach to managing cybersecurity risk.
These threats are especially apparent in supply chains, where they manifest in various forms and can lead to severe reputational and financial losses. Common malicious activities include:
- Unauthorised access leading to exposure, theft or compromise of sensitive and critical data
- Phishing attacks that attempt to trick individuals into handing over sensitive and critical data
- Malware infections that disrupt, damage or gain unauthorised access to systems and networks, or hijack networks and services using malware that is hard to detect and evict
- Password attacks that exploit weak or stolen passwords to gain unauthorised access to information, systems and networks
- Insider threats, less often considered but a real risk, where employees, with malicious intent or not, cause damage, compromise or loss of data
- DDoS attacks that disrupt services
- Social engineering, where individuals are manipulated into divulging sensitive information, leading to loss of data confidentiality, integrity or availability
- Unpatched software and vulnerabilities that weaken the organisation’s defences against potential cyberattacks
- Corruption or misconfiguration of the security settings of databases and cloud services, which can lead to data theft, manipulation or even poisoning
- Tampering with products to implant backdoors, which can lead to data leakage, piracy and the capture of sensitive data such as passwords or tokens
Such risks can be present in our own organisation as much as in our third- and fourth-party environments.
Performing a risk assessment of our own organisation, as well as of our third parties, is necessary to gain complete oversight of how well we protect all critical and sensitive information entrusted to us by our clients and customers. It is important to review constantly our level of preparedness for a cybersecurity breach, whether within our own environment or at a third party’s environment that houses data we own.
Due Diligence and Supplier Risk Management
Before selecting a supplier, it is prudent to perform due diligence on the third party. The due diligence should cover not only cybersecurity requirements but also financials, legal standing, competency and the like.
Once a supplier has been onboarded, it should be reviewed regularly. Where the supplier processes and/or holds critical and sensitive information owned by the organisation, the review should be conducted at least annually.
The review should help the organisation to:
- Gain an understanding of the third party’s security posture and risk, with the depth of review proportionate to the level of risk the third party poses to the organisation
- Assess its security governance and the controls it has implemented, the security certifications it has obtained (e.g. ISO 27001, PCI DSS), its data protection practices and its incident response capabilities
- Determine where your organisation’s data resides within the third party’s systems and environment, so as to identify any potential data sovereignty concerns
Such an assessment not only gives the organisation a good understanding of how its data is protected by the third party; it also provides an avenue to require the third party to apply standards that at least match the organisation’s expectations.
How managed services augment your organisation’s capability in managing supply chain risk
A managed services provider (MSP) can draw on extensive expertise to assess the security posture of your organisation and of your third parties, and so determine the threats and risks your organisation faces.
The MSP can also help assess risk and develop mitigating strategies that reduce the level of risk to the organisation’s risk acceptance level.
Furthermore, they can help with developing:
- Security Awareness Programme to inculcate and promote security awareness across your staff and partners
- Digital Protection Measures to proactively monitor for potential breaches within your organisation and at your third-party suppliers
- Incident Management Framework, including a Digital Forensics and Incident Response Plan, to enable early detection and expeditious response
- Business Continuity Management Framework that requires a business impact analysis to be conducted, driving the organisation’s requirements for disaster recovery and business continuity plans
- Communications Strategy and Plan to manage the response to a disaster or cybersecurity incident that could impact its reputation and brand name
The organisation also needs to develop test plans that exercise its incident response, disaster recovery and business continuity plans. Only regular testing ensures the plans will work when you need them to.
An experienced MSP can bring in the right resources and partnerships to deliver comprehensive cybersecurity that brings together people, processes and technology.
With processes and technology now extending well beyond the traditional organisational border to enable business in this complex age, protecting and securing critical and sensitive information is a daunting challenge.
However, by partnering with an MSP, your organisation can leverage cutting-edge security frameworks and AI/ML-based tools to conduct security risk assessments throughout the extended supply chain, including third and fourth parties.
Find out how Lumen’s Supply Chain Risk Management service can help manage your supply chain cybersecurity risks.