Consistency is key to mitigate outsourcing risk
The modern-day abundance of platforms, apps and IT tools presents malicious actors with a web of interconnection that is easily exploited to move rapidly through the network to compromise critical assets. Security teams need to understand these attack pathways better in order to fight back
Technology is evolving at a faster pace than ever – and businesses need to keep up. No one company can cover all bases internally when it comes to putting in place the technology and resources you need to see your business thrive. So, with this in mind, firms of all sizes are increasingly relying on outsourced technology to grow and succeed.
However, this often exposes your business to an increased risk of cyber attack, because suppliers’ security protocols vary and staff need continual education, both in using these tools effectively and, more importantly, in protecting your organisation’s data and information.
A clear and concise plan for mitigating risk is key. Not only that, but a consistent approach to cyber security must be put in place and adhered to across the board. This behaviour should encompass everyone you work with, your employees and supply chain, how you work and the technology you use.
Failure to put a consistent plan in place that encompasses all three of these areas could be critical, whether financially, reputationally or operationally.
Why people matter
The latest figures from the government’s Cyber security breaches survey 2022 illustrate the need for employee education when it comes to cyber security. The survey found that just under one in five businesses (17%) and charities (19%) provided training or awareness-raising sessions specifically for those not directly involved in cyber security.
The findings state that relevant training and awareness-raising sessions are more commonplace in larger organisations, with 61% of businesses and 64% of charities with an income of £5m saying they have offered this training in the past 12 months. However, in both micro/small businesses and charities with an income below £100,000, the figure dropped to just 16%.
The research reveals a monumental gap in the reality of education within businesses around cyber security and what is required to protect a business in the real world. With increasing reliance on outsourced technology to carry out business processes, the need for education can only increase. And this is true across all business areas, from accounting to procurement, marketing and everything in between.
A step-change is needed when it comes to staff usage of this technology where they consider cyber security as part of their everyday use of such tools. Consistently raising awareness of the risks posed by using outsourced technology and providing employees with the knowledge they need to navigate these challenges is key to keeping your business safe.
A huge part of educating employees is putting the processes in place initially for them to follow when it comes to procuring, installing and utilising new technology in the workplace. While this involves a not-insignificant amount of time and effort in the first instance, it could pay dividends in the future. Having a robust cyber security process framework in place for these matters is key to effectively protecting your business in the long run.
A well planned and consistently reviewed cyber security framework within a business will also regularly look to upgrade your existing security protocols and bring in new security layers if needed. This is increasingly important if you are relying more frequently on new apps, platforms or other forms of technology.
These frameworks will also help employees and potential partners understand where your security standards are set and how they can fit in with them. The frameworks should be well designed and frequently tested, under different situations, to ensure they are reliable. As mentioned, having this kind of process framework in place is not always an easy task, but the protection it could provide a business when it comes to cyber security is definitely worth the effort.
Choosing technology wisely
How carefully you select the technology you use to run your business is intrinsically linked to your company’s cyber security. Supply chains can vary in size and complexity and can involve many different technologies doing different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited, at any point in the supply chain.
The Cyber security breaches survey 2022 also identifies key areas of weakness when it comes to the selection of outsourced tech tools. Findings show that small, medium and large businesses outsource their IT and cyber security to an external supplier 58%, 55% and 60% of the time, respectively. However, only 13% of businesses assess the risks posed by their immediate suppliers, with organisations saying cyber security is not an important factor in the procurement process.
Consistency is key here, too. Cyber security should be a prerequisite for business engagements. Having clear and unwavering requirements when it comes to a partner company’s approach to cyber security should be considered part of the procurement process. Consistent expectations as to your supply chain’s management of data and information can be put in place once and implemented with only minor adjustments, as required, moving forward.
The National Cyber Security Centre (NCSC) supports this notion and has laid out its 12 principles to help you establish effective control and oversight of your supply chain. This reiterates the need for consistency when it comes to your basic standards and requirements for outsourced tech.
Reliance on bought-in technology isn’t going away, for businesses of all sizes. In fact, in this tech-driven world, an increasing need to upscale, evolve and adapt quickly is only likely to increase our reliance on this kind of technology further. However, while the technology we require may be increasingly advanced, our approach to cyber security needs to be rooted in key basic principles that can then be adapted to suit the technology being implemented.
Consistency is key, and an unequivocal commitment to minimum security standards from everyone you work with is a must, both internally with your employees and externally when it comes to your supply chain. This, in partnership with an overarching commitment to consistently considering cyber security as part of everyday practices, education on this ethos and implementation of this at every level of your business is fundamental to protect your business from risks moving forward.
Read more from the May 2022 Security Think Tank series
- Solving for complexity in the network by Mike Lloyd of Redseal.
- Defenders must get out ahead of complexity by Jack Chapman of Egress.
- Identify, assess and monitor to understand attack paths by Rob McElvanney of PA Consulting.
- Understanding attack paths is a question of training by Mike Gillespie of Advent IM.
- Yes, zero trust can help you understand attack paths by Paul Holland of the ISF.
- To follow a path, you need a good map by Petra Wenham of the BCS.