Problems With Underperforming Cyber Security Service Providers 



Cyber security breaches and attacks remain a very common threat to all organisations. This problem often reflects the attitude of senior managers, who tend to view cyber security as less of a priority in the current economic climate than it was in previous years. However, one of the common misconceptions about cyber security is that outsourcing IT can remove the cyber risk.

Whilst outsourcing may provide multiple advantages for your organisation, it is vital to carry out due diligence and to be aware of the risk of indirect cyber attacks, where cyber criminals break into a supplier's network and gain access to your organisation's data. Indirect cyber attacks of this nature have risen from 44% to 61% over the past few years.

Business Development

As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services, from cloud storage to data management to security. It is often more efficient and less expensive to contract out work that would otherwise require significant effort and drain in-house resources to those who can do it for you.

In fact, outsourcing has become a ubiquitous business process in which organisations relinquish lower-value functions such as payroll, or even parts of the value chain that are more central to their business processes.

With the main motives for outsourcing being cost reduction and specialised expertise in lower-value or peripheral functions, there is an increased risk that an enterprise's capabilities might be exceeded by one or more of its providers in a data- and intelligence-driven world.

It is increasingly hard for companies to disconnect from the digitised supply chain ecosystem. What might have started as an effective and efficient business arrangement could turn into an unhealthy dependency, threatening competitive advantages and strategic plans at the business level. This is far more critical at the cyber security level, where the consequences extend to personal data loss, financial loss, compromise of product integrity or safety, or even threat to life.

However, the use of third-party services can also come with significant, often unforeseen, risks. Third parties can be a gateway for intrusions, harm a company's reputation if a service malfunctions, expose it to financial and regulatory issues, and draw the attention of bad actors from around the world.

A poorly managed breakup with a vendor can also be perilous, resulting in the loss of access to systems put in place by the third party, loss of custody of data, or loss of the data itself. And as companies deploy new IT solutions and technologies, they introduce new security risks. Cybercrime is growing increasingly professionalised, resulting in more numerous, subtle, and sophisticated threats. Cyber threat actors are constantly working to design, build, and evolve tools to bypass or overcome even the most advanced cyber security solutions.

Currently there are some fundamental problems with cyber security providers, and two of them stand out:
Delayed Insights: Without real-time insights and a comprehensive view of an organisation's security posture, potential threats and vulnerabilities may go unnoticed, leading to delayed responses and potential breaches.
Complexity and Cost: The complexity of coordinating multiple services and contracts, coupled with the cost implications, makes it challenging for businesses to maintain robust security practices while remaining cost-effective.


The National Institute of Standards and Technology (NIST) considers that the cyber risks associated with the loss of visibility and control over the supply chain can be significant.

These risks range from the inability to identify the original source of a piece of hardware embedded in an organisation's physical infrastructure, or the provenance and risks associated with a piece of software in its digital infrastructure, to the problem of contractors and consultants having access to its critical data and trade secrets.
With more businesses becoming digital and moving their operations to the cloud, the effects of a cyber security event are magnified.

Threat actors are targeting cyber-mature organisations through their third-party suppliers to take advantage of this weakness.

Organisations cannot fully assess and secure the whole landscape of their potential exposure, as the field extends beyond their own infrastructure to encompass parts of their suppliers' chains, which are in turn linked to other suppliers' chains. This complexity amplifies the magnitude of any cyber breach. Clearly, there are significant cost reductions when outsourcing is adopted; however, the cyber risks need to be considered as well, together with whether they can be mitigated and at what cost. These concerns are similar to the classic concerns in any major project: physical risk, insider threats, and development and implementation risks that result in flaws.

Admittedly, these concerns are not unique to outsourcing, but the assumption is that internally they are more visible and accessible, and can potentially be addressed adequately and in a timely manner. There is a growing need for capability certification, given the multi-tiered arrangements in software, services, and product contracting.

Understanding and assessing vendors' competencies and security processes helps to rank vendors and ultimately to record them in a repository, such as one based on ISO standards, to ensure there is a common basis for accrediting trusted vendors worldwide. It is vital to make sure that the supply chain underpinning complex and sensitive operations is free of weak links.

The cyber security risks inherent in outsourcing to a managed service provider include the following factors:

Inability to quantify providers' cyber risk exposure: This is due to a lack of knowledge of vulnerabilities, potential damage, and frequency. Since the risks arise from the providers' partners and their supply chains, the exposure is more diverse and constantly evolving, making it less predictable.

Liability asymmetry: Service providers seek to disclaim liability to avoid paying damages that exceed the revenue generated. Clients are concerned that IT outsourcing (ITO) providers do not have enough incentive to protect clients' data and systems vigorously.

Opaque supply chains: Outsourced supply chains involve increasingly complex systems and operations, where the lack of visibility limits the potential to control cyber security risks.

Growing regulatory demands: In the US and the EU, managed service providers face growing challenges in remaining compliant with all regulatory requirements as data and services flow between regulatory perimeters.

Strategic imperative: Most organisations, including government, now consider cyber security not merely an operational concern but a strategic imperative, because of the data handled and the potential of being targeted by threat actors, imperilling national security and public trust.

Out-Sourcing Strategies Are A Major Source Of Cyber Risks

Perfect cyber security is unachievable. Technologies evolve, people come and go within an organisation, and threat actors continuously find new ways to deploy threats. So even if an organisation passed a security audit a year ago, its security posture could have changed by today.

Research indicates that a client-provider trust relationship can improve the management of cyber security risks in the supply chain and mitigate the risks in the outsourcing decision-making process.

But when companies outsource IT or other functions, they change their risk profile to assume the providers' risks embedded in the extended supply chain, along with the uncertainties and lack of transparency that are an intrinsic part of it.

