Why It’s Important
The victim organisations and their clients have an arduous road to recover systems, relationships, and reputations from these attacks. It is not IBRS intent to make their job any harder by naming them here. Some of the circumstances have still to be analysed, so these short comments are couched as observations rather than conclusions:
- Cyber criminals continue to evolve their techniques in unpredictable ways. What would happen if hackers went directly to your customers with ransom demands? How would they/you respond? Does this extension of a technique elevate the impact, and thus risk level, of a ransomware or other cyber incident? Organisations need to continually monitor the cyber landscape (e.g. subscribe to alert feeds) and reassess risk and response plans.
- Outsourcing ICT to a service provider does not eliminate risk. A service provider should have better cyber defences to protect, detect and respond than you can support alone. But service providers will also have larger perimeters due to their multiple customers, and security is only as strong as the weakest link. IBRS has recently written1 about valuable zero trust principles that can enhance an organisation’s cyber security strategy. Organisation may also review privilege access management.2
- ICT teams can outsource responsibility for ICT work to a service provider, but cannot outsource accountability. ICT leaders cannot expect to simply blame service providers for breaches, as their organisation will naturally be held accountable for managing the service. Does ICT have a program of monitoring, testing, reporting and audit? Were actions commenced and followed up? Cyber incidents are particularly tricky. If the service provider is at fault and knows it, then it may not want to face the potential consequences. Relying solely on the service provider for a cyber response plan is not effective. It won’t protect the organisation or allow for an effective response.
- Security and risk teams
- ICT vendor managers
- If the organisation does not have a threat intelligence capability, link to open source, vendor and analyst feeds on evolving threats.
- Schedule regular reviews of the cyber landscape for new trends and review their risk and response plans accordingly.
- Review vendor management plans for how they manage and mitigate cyber risk.