BitDepthFeatured

Practical steps to reducing cybersecurity risks

4 Mins read

Above: Illustration by SergeyNivens/DepositPhotos

BitDepth#1471 for August 12, 2024

On Thursday, the Caribbean Chapter of the International Information System Security Certification Consortium (ISC2) hosted a webinar on third-party risk assessment.

If you aren’t a backroom cybersecurity professional working for a medium to large company or government agency, that’s probably worth explaining.

Third-party risk assessments are a validation of vendors who will connect to a computer network, examining their certifications, compliance with ISO standards, doing background checks, reviewing contracts and doing due diligence that the business meets or exceeds your internal standards for data management and processing.

The process, to be effective, must be ongoing and managed to ensure that vendors meet required standards.

This is a commonplace requirement for multinational corporations that have ironclad standards for compliance, but far less common outside of data sensitive businesses like banking and finance.

But the risks are the same for any business that outsources or extends its resource capacity by depending on third-party services from companies such as Google, Microsoft and Amazon Web Services (AWS) which provide a range of cloud based services, applications and storage solutions for business use.

Ensuring that standards are met even among smaller vendors is therefore a critical part of business security.

The subject is unsurprisingly on the front burner for cybersecurity professionals who have all, whether affected or not, looked on at the collapse of more than eight million Windows computers and some Microsoft cloud services when a tiny update from Crowdstrike went live and was automatically applied.

The Crowdstrike event is likely to be classified as an accumulation risk, a single point of failure that spread widely across a range of affected systems.

A different but related kind of risk for computer systems is concentration risk, when networks rely on a limited number of suppliers or a single supplier that may prove vulnerable through geography or a downstream vulnerability.

Ricardo Fraser

“If you use specific vendors for a large majority of these services that you execute in your organisation, that’s critical, because you are exposing your organisation by putting all the eggs in a single basket,” said Ricardo Fraser, vice-president of the ISC2.

“Risk management has to be holistic,” said David Gittens, a cybersecurity expert from Barbados.

“You can’t be selective, focusing on one area and not the next. It doesn’t make sense to emphasise third-party risk compliance, and you’re not monitoring what’s going on with them.”

So in an organisation who is responsible for risk management and compliance?
“Typically it comes down to the chief information officer (CIO) and the board,” said Jimmy McCollin an IT veteran from Barbados.
“The board should have skin in the game. The CIO must have the responsibility if something goes wrong, but the board also has a responsibility.”

“In many businesses, the C-Suite and the board, take responsibility for third-party risk management, but in the SME sector, they often don’t consider that a critical part of their operations”, said Scofield Thomas, managing director of 800TECH in TT.

“We’re noticing that local service providers are now being tasked with third-party risk questions to become compliant. They have to go through a process, and they don’t understand the concept behind it, so we must provide education on how they go about it. Getting your business ready is not just about having good products or having good services; it’s also about planning.”

“You have to consider that you are putting your company’s reputation in the vendor’s hands, and they have to be able to be a partner in delivering the services that you want to deliver.”

According to Collin Burgess, a Jamaican IT risk mitigator, third-party risk assessments are being done by medium and large organisations and those that are subject to regulatory requirements.

These companies store more data, process more personal information such as credit cards and run the risk of losing business if they are compromised.
But Burgess warns, there are many people who think that security is not important because it is not the core function of their business.

“For vendors, the benefit is the operational efficiency that it will add to your business,” said Thomas.

“It would seem a challenge and a task to adhere to some of these procedures and practices, but it brings a level of efficiency to your business and enhances your reputation, so it’s a win-win all around.”

Scofield Thomas

“Yes, it’s an investment. Yes, it takes some doing, but once you have those factors in, efficiency increases, your production will go up; your reputation will improve.”

“Perhaps a vendor deals with a large customer and they demand a third-party risk review, and they have no choice,” said Fraser.

“Caribbean vendors are not used to that, and they may not see it as economically feasible to meet required standards just for a single customer. But if you do it for one customer, you can use that assessment and that compliance certificate for other customers as well.”

Third-party risk assessment is necessary for successful relationships with external vendors, but the process is ongoing, subject to periodic review and must be both mandated and managed by C-Suite management and board level oversight. The process need not be driven by regulators, but there should be legal accountabilities.

The Caricom Secretariat announced a cyber-resilience project in March with a steering committee that’s gearing up for consultations and a rather distant target of 2030.

That seems a rather casual approach to the threats facing the Caribbean, which has become something of a hacker’s paradise over the last two years.

Jamaica’s Data Protection Act mandates compliance, but, notes Burgess, “There is no map to tell you how to create cybersecurity defences, threat intelligence and incident response.”

He compares that with the UK’s National Cybersecurity Center, which has an agency that works with private sector companies.

Regional governments and businesses should look to international cybersecurity standards and practices, which include third-party vendor assessments to harden their cybersecurity vulnerabilities and demonstrate support for a refreshed commitment to SME cybersecurity measures appropriate to their business profile.

What keeps regional cybersecurity experts awake at night

What keeps regional cybersecurity experts awake at night

Whether the attack comes from a successful external attempt, exploiting a vulnerability or from inside, perhaps a disgruntled employee, an exploit needs just one vulnerability.
Read More
Where hackers begin

Where hackers begin

Digital nation strategies have been released by 170 countries and regions and more than 60 countries have elevated AI in their national strategy.
Read More
Blue skies for microblogging?

Blue skies for microblogging?

Bluesky hit its current high of 23 million users faster than expected, but it’s way behind X.
Read More
The apps that thrive in Apple’s ecosystem

The apps that thrive in Apple’s ecosystem

By Apple's own yardstick an app that shares usable data across three devices is acceptable one that synchronises with four is a winner.
Read More
America’s open mic moment

America’s open mic moment

What made online pundits so effective in the US election?
Read More
The press and the president-elect

The press and the president-elect

Beyond the president-elect's often-expressed intent to retaliate against journalists he believes are unfairly attacking him is the agenda of Project 2025.
Read More
All washed up

All washed up

Dirt on its own will simply shake out of fabric. What keeps it in place is oil and grease, readily generated by human skin.
Read More
The state of Caribbean digital transformation

The state of Caribbean digital transformation

Despite 87 per cent believing that digital will disrupt their industry, 87 per cent acknowledged that they don't have the right leaders
Read More
The WordPress War

The WordPress War

WPEngine and the websites of its customers were blocked from the WordPress log-in system theme and plug-in updates and other background processes that enable a Wordpress website.
Read More
A budget of concrete and asphalt

A budget of concrete and asphalt

Four years after Hassel Bacchus took up the pioneering role of Digital Transformation Minister, the 2025 budget could not identify any completed transformation project that's positively affected citizens.
Read More
Arima’s first step toward becoming a smart city

Arima’s first step toward becoming a smart city

The public WiFi was officially activated on September 28 at the hospital, and it's fast. A local ping registered 250 megabits of download speed and 126 for upload.
Read More
Now hear this!

Now hear this!

Budget headsets will effectively dampen ambient sounds, but tend to be an all or nothing solution.
Read More
A taxing time for all

A taxing time for all

Tax collection began using the least customer-friendly interface imaginable, lines outside a government building.
Read More
Mobile devices, a war of increments

Mobile devices, a war of increments

Mixing and matching the two rival ecosystems is essentially impossible, so it's the utility of the products combined that makes the biggest difference.
Read More
Why cash is king in Trinidad and Tobago

Why cash is king in Trinidad and Tobago

In 2017, 16 per cent of users owned a credit card, a figure that dropped to 15 per cent by 2023.
Read More
I shopped at Temu!

I shopped at Temu!

Temu is great fun to explore and offers many bargains but product quality can be wildly variable.
Read More
What’s needed to make e-Governance happen?

What’s needed to make e-Governance happen?

“If we look at successful governments that have achieved a certain level in of success in these programs, some things stand out."
Read More
Changing the education conversation

Changing the education conversation

There are local schools that aspire to continuous improvement and others that struggle to make it through a working day without bloodshed.
Read More
Practical steps to reducing cybersecurity risks

Practical steps to reducing cybersecurity risks

The process, to be effective, must be ongoing and managed to ensure that vendors meet required standards.
Read More
The consequences of careless code

The consequences of careless code

The cruel reality of Crowdstrike is that it wasn't a cybersecurity attack. It was a quality of service lapse and the incident puts IT professionals in an odd space.
Read More
What keeps regional cybersecurity experts awake at night What keeps regional cybersecurity experts awake...
Where hackers begin Where hackers begin
Blue skies for microblogging? Blue skies for microblogging?
The apps that thrive in Apple’s ecosystem The apps that thrive in Apple’s...
America’s open mic moment America’s open mic moment
The press and the president-elect The press and the president-elect
All washed up All washed up
The state of Caribbean digital transformation The state of Caribbean digital transformation
The WordPress War The WordPress War
A budget of concrete and asphalt A budget of concrete and asphalt
Arima’s first step toward becoming a smart city Arima’s first step toward becoming a...
Now hear this! Now hear this!
A taxing time for all A taxing time for all
Mobile devices, a war of increments Mobile devices, a war of increments
Why cash is king in Trinidad and Tobago Why cash is king in Trinidad...
I shopped at Temu! I shopped at Temu!
What’s needed to make e-Governance happen? What’s needed to make e-Governance happen?
Changing the education conversation Changing the education conversation
Practical steps to reducing cybersecurity risks Practical steps to reducing cybersecurity risks
The consequences of careless code The consequences of careless code

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

Related posts
BitDepthFeatured

What keeps regional cybersecurity experts awake at night

4 Mins read
Whether the attack comes from a successful external attempt, exploiting a vulnerability or from inside, perhaps a disgruntled employee, an exploit needs just one vulnerability.
BitDepthFeatured

Where hackers begin

3 Mins read
Digital nation strategies have been released by 170 countries and regions and more than 60 countries have elevated AI in their national strategy.
BitDepthFeatured

The apps that thrive in Apple's ecosystem

4 Mins read
By Apple’s own yardstick an app that shares usable data across three devices is acceptable one that synchronises with four is a winner.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback
4 months ago

[…] Caribbean – On Thursday, the Caribbean Chapter of the International Information System Security Certification Consortium (ISC2) hosted a webinar on third-party risk assessment… more […]

×
BitDepthFeatured

The consequences of careless code

1
0
Share your perspective in the comments!x
()
x