Problems With Underperforming Cyber Security Service Providers
Cyber security breaches and attacks remain a very common threat to all organisations. This problem often reflects the attitude of senior managers, who often view cyber security as less of a priority in the current economic climate than it was in previous years. However, one of the common misconceptions about cyber security is that outsourcing IT can remove the cyber risk.
Whilst it may provide multiple advantages for your organisation, it is vital to carry out due diligence and to be aware of the risk of indirect cyber attacks where cyber criminals break into a supplier network and gain access to your organisation’s data. Indirect cyber-attacks of this nature have risen from 44% to 61% over the past few years.
Business Development
As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services from cloud storage to data management to security. It’s often more efficient and less expensive to contract out work that would otherwise require significant effort and potentially drain in-house resources to those who can do it for you.
In fact, outsourcing has become a ubiquitous business process where organisations relinquish lower-value functions such as payroll or even parts of the value chain that are more central to their business processes.
With the main motive for outsourcing being cost reduction and specialised expertise in lower-value or peripheral functions, there is an increased risk that an enterprise’s capabilities might be exceeded by one or more of its providers in a data and intelligence driven world.
It is increasingly hard for companies to disconnect from the digitised supply chain ecosystem. What might have started as an effective and efficient business arrangement could turn into an unhealthy dependency threatening competitive advantages and strategic plans on the business level. And this is far more critical on the cyber security level and extends to personal data loss, financial loss, compromise of product integrity or safety, or even threat to life.
However, the use of third-party services can also come with significant, often unforeseen, risks. Third parties can be a gateway for intrusions, harm a company’s reputation if a service malfunctions, expose it to financial and regulatory issues, and draw the attention of bad actors from around the world.
A poorly managed breakup with a vendor can also be perilous, resulting in the loss of access to systems put in place by the third party, loss of custody of data, or loss of data itself. And as companies deploy new IT solutions and technologies, they introduce new security risks. Cybercrime is growing increasingly professionalised, resulting in more numerous, subtle, and sophisticated threats. Cyber threat actors are constantly working to design, build, and evolve solutions to bypass or overcome the most advanced cyber security solutions.
Currently there are some fundamental problems with cyber security providers and two outstanding problems are:
Delayed Insights: Without real-time insights and a comprehensive view of an organisation's security posture, potential threats and vulnerabilities may go unnoticed, leading to delayed responses and potential breaches.
Complexity and Cost: The complexity of coordinating multiple services and contracts, coupled with the cost implications, makes it challenging for businesses to maintain robust security practices while remaining cost-effective.
The National Institute of Standards and Technology (NIST) considers that cyber risks associated with the loss of visibility and control over the supply chain can be significant.
These risks range from the inability to define the primary source of a piece of hardware embedded in an organisation’s physical infrastructure, or the provenance and risks associated with a piece of software in the digital infrastructure, to the problem of contractors and consultants having access to its critical data and trade secrets.
With more businesses becoming digital and moving their businesses to the cloud environment, the effects of a cyber security event are enhanced.
Threat actors are targeting cyber mature organisations through third-party suppliers to take advantage of this weakness.
Organisations cannot fairly assess and secure the whole landscape of their exposure potential as the field extends beyond their infrastructure to encompass part of the suppliers’ chains linked to other suppliers’ chains. This complexity amplifies the magnitude of any cyber breach. Clearly, there are significant reductions in costs when outsourcing is adopted. However, the cyber risks need to be considered, as well as whether they can be mitigated and at what cost. These concerns are similar to classic concerns in a major project: physical risk, insider threats, and development and implementation risks resulting in flaws.
Admittedly, these concerns are not unique to outsourcing, but the assumption is that they can be more visible and accessible internally and potentially addressed adequately and in a timely manner. There is a growing need for a capability certification given the multi-tiered arrangements in software, services, and products contracting.
Understanding and assessing vendors’ competencies and security processes helps rank vendors and ultimately record them in a repository such as ISO to ensure there is a common basis for accrediting trusted vendors worldwide. It is vital to make sure that the supply chain underwriting complex and sensitive is free of weak links.
The cyber security risks inherent in outsourcing to a managed service provider include the following factors:
Inability to quantify providers’ cyber risk exposure: Due to lack of knowledge of vulnerabilities, potential damage, and frequency. Since risks arise from the providers’ partners’ supply chain, they are more diverse and evolving, making them less predictable.
Liability asymmetry: Service providers seek to disclaim liability to avoid paying damages exceeding the revenue generated. Clients are concerned that ITO providers do not have enough incentives to protect clients’ data and systems vehemently.
Opaque supply chains: Outsourced supply chains involve increasingly complex systems and operations where lack of visibility limits the potential to control cyber security risks.
Growing regulatory demands: In the US and the EU, managed service providers face growing challenges to be compliant with all regulatory requirements as data and services flow between regulatory perimeters.
Strategic imperative: Most organisations, including government, do not consider cyber security an operational concern but rather a strategic imperative, due to the data handled and the potential of being targeted by threat actors, imperilling national security and public trust.
Out-Sourcing Strategies Are A Major Source Of Cyber Risks
Perfect cyber security is unachievable. Technologies evolve, people come and go within an organisation and threat actors continuously find new ways to deploy threats. So even if the organisation passed the security audit a year ago, its security posture could have changed today.
Research indicates that a client-provider trust relationship can improve the management of cyber security risks in the supply chain and mitigate the risks in the outsourcing decision-making process.
But when companies outsource IT or other functions, they change their risk profile to assume the providers’ risks incorporated in the extended supply chain along with the uncertainties and lack of transparency that constitute an intrinsic part of it.