Problems With Underperforming Cyber Security Service Providers 



Cyber security breaches and attacks remain a very common threat to all organisations. This problem often reflects the attitude of senior managers, who tend to view cyber security as less of a priority in the current economic climate than it was in previous years. One of the common misconceptions about cyber security is that outsourcing IT removes the cyber risk.

Whilst outsourcing may provide multiple advantages for your organisation, it is vital to carry out due diligence and to be aware of the risk of indirect cyber attacks, where cyber criminals break into a supplier's network and gain access to your organisation's data. Indirect cyber attacks of this nature have risen from 44% to 61% over the past few years.

Business Development

As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services from cloud storage to data management to security. It’s often more efficient and less expensive to contract out work that would otherwise require significant effort and potentially drain in-house resources to those who can do it for you.

In fact, outsourcing has become a ubiquitous business process in which organisations relinquish lower-value functions such as payroll, or even parts of the value chain that are more central to their business processes.

With the main motive for outsourcing being cost reduction and specialised expertise in lower-value or peripheral functions, there is an increased risk that an enterprise's capabilities might be exceeded by one or more of its providers in a data- and intelligence-driven world.

It is increasingly hard for companies to disconnect from the digitised supply chain ecosystem. What might have started as a business-effective and efficient arrangement could turn into an unhealthy dependency threatening competitive advantages and strategic plans at the business level. This is far more critical at the cyber security level, where it extends to personal data loss, financial loss, compromise of product integrity or safety, or even threat to life.

However, the use of third-party services can also come with significant, often unforeseen, risks. Third parties can be a gateway for intrusions, harm a company's reputation if a service malfunctions, expose it to financial and regulatory issues, and draw the attention of bad actors from around the world.

A poorly managed breakup with a vendor can also be perilous, resulting in the loss of access to systems put in place by the third party, loss of custody of data, or loss of the data itself. And as companies deploy new IT solutions and technologies, they introduce new security risks. Cybercrime is growing increasingly professionalised, resulting in more numerous, subtle, and sophisticated threats. Cyber threat actors are constantly working to design, build, and evolve tooling to bypass or overcome the most advanced cyber security solutions.

Currently there are some fundamental problems with cyber security providers, two of which stand out:

Delayed Insights: Without real-time insights and a comprehensive view of an organisation's security posture, potential threats and vulnerabilities may go unnoticed, leading to delayed responses and potential breaches.

Complexity and Cost: The complexity of coordinating multiple services and contracts, coupled with the cost implications, makes it challenging for businesses to maintain robust security practices while remaining cost-effective.


The National Institute of Standards and Technology (NIST) considers that the cyber risks associated with the loss of visibility and control over the supply chain can be significant.

These risks range from the inability to identify the primary source of a piece of hardware embedded in an organisation's physical infrastructure, or the provenance and risks associated with a piece of software in its digital infrastructure, to the problem of contractors and consultants having access to its critical data and trade secrets. With more businesses becoming digital and moving to cloud environments, the effects of a cyber security event are magnified.

Threat actors are targeting cyber mature organisations through third-party suppliers to take advantage of this weakness. 

Organisations cannot fully assess and secure the whole landscape of their potential exposure, as the field extends beyond their own infrastructure to encompass parts of their suppliers' chains, which are in turn linked to other suppliers' chains. This complexity amplifies the magnitude of any cyber breach. Clearly, there are significant cost reductions when outsourcing is adopted; however, the cyber risks need to be considered as well, including whether they can be mitigated and at what cost. These concerns are similar to the classic concerns in a major project: physical risk, insider threats, and development and implementation risks resulting in flaws.

Admittedly, these concerns are not unique to outsourcing, but the assumption is that they are more visible and accessible internally and can potentially be addressed adequately and in a timely manner. There is a growing need for capability certification given the multi-tiered arrangements in software, services, and product contracting.

Understanding and assessing vendors' competencies and security processes helps to rank vendors and ultimately to record them in a repository, such as an ISO register, to ensure there is a common basis for accrediting trusted vendors worldwide. It is vital to make sure that the supply chain underwriting complex and sensitive services is free of weak links.

The cyber security risks inherent in outsourcing to a managed service provider include the following factors:

Inability to quantify providers' cyber risk exposure: This stems from a lack of knowledge of vulnerabilities, potential damage, and frequency. Since the risk arises from the provider's own partners and supply chain, it is more diverse and constantly evolving, making it less predictable.

Liability asymmetry: Service providers seek to disclaim liability to avoid paying damages exceeding the revenue generated. Clients are concerned that IT outsourcing (ITO) providers do not have enough incentive to protect clients' data and systems vigorously.

Opaque supply chains: Outsourced supply chains involve increasingly complex systems and operations, where lack of visibility limits the potential to control cyber security risks.

Growing regulatory demands: In the US and the EU, managed service providers face growing challenges in complying with all regulatory requirements as data and services flow between regulatory perimeters.

Strategic imperative: Most organisations, including governments, no longer consider cyber security a purely operational concern but rather a strategic imperative, because of the data they handle and the potential of being targeted by threat actors, imperilling national security and public trust.

Out-Sourcing Strategies Are A Major Source Of Cyber Risks

Perfect cyber security is unachievable. Technologies evolve, people come and go within an organisation, and threat actors continuously find new ways to deploy threats. So even if an organisation passed a security audit a year ago, its security posture could have changed by today.

Research indicates that a client-provider trust relationship can improve the management of cyber security risks in the supply chain and mitigate the risks in the outsourcing decision-making process.

But when companies outsource IT or other functions, they change their risk profile to assume the providers' risks incorporated in the extended supply chain, along with the uncertainties and lack of transparency that are an intrinsic part of it.
