In this blog post
Achieving Business Resilience with Robust Cyber and Third-party Risk Management
As cyber crime continues to thrive globally, achieving cyber certainty seems to be a delusion for organizations. However, achieving cyber resilience is an attainable goal and has also become critical to succeed in this digital era. An effective cyber resilience management program requires integrating cybersecurity into business strategy and engaging the entire spectrum of stakeholders in the process for better, strategic decision-making.
In a webinar conducted by GAVS, the discussion revolved around concepts of cyber certainty, cybersecurity as a top business priority, risk awareness, real-time risk intelligence powered by AI, driving risk-aware business decisions towards integrated risk management, and more. This blog captures some of the takeaways from this webinar on ‘Achieving Business Resilience with Robust Cyber and Third-party Risk Management.’ The link to the entire webinar is available at the end of the blog.
The webinar was moderated by Shivakumar D, who leads the Data Privacy function at GAVS Technologies. The panelists were industry leaders in this space – Ms. Sumith Sagar and Ms. Kavitha Srinivasulu.
Sumith Sagar is a Product Specialist at MetricStream, a leader in IT Risk Management. She has extensive experience in Governance, Risk, and Compliance across Banking, Financial Services, and CTRM.
Kavitha Srinivasulu heads Cybersecurity and Data Privacy Services at GAVS, and has rich experience in cybersecurity, risk management, data privacy, information protection, regulatory compliance, etc.
Risk Awareness before Security
Cyberattacks have become a debilitating problem for companies across industries in recent times. Any organization that is dependent on technology can become prey to cyber attacks. For instance, the SolarWinds hack was a significant event in 2020 that impacted thousands of organizations, including the U.S. government. However, this is only one of the many incidents in the last couple of years. A market research report projects that the global cybersecurity market is set to grow to over $345 billion by 2026!
As cyberattacks and vulnerability of company data increase, organizations must first start with risk management before cybersecurity. Currently, most organizations deal with risk awareness with a reactive approach as opposed to being proactive. This is because there is a lack of awareness about continuous risk assessment and management. To have a 360-degree visibility into the risk landscape, organizations must have a thorough understanding of the critical infrastructure, third-party access, and technologies used.
Regulatory Requirements
The cost of personal information is soaring in the black market. In industries such as banking and healthcare, where personal customer/patient information is stored by the organization, volumes of sensitive information are greedily targeted by hackers. Clear understanding of data ownership and consent management is critical to safeguarding private data from becoming a vulnerable asset. To bring clarity about data ownership, and to establish rightful ownership and safe data handling practices, data privacy acts such as GDPR and CCPA were implemented. These regulations are only to be used as a starting point among organizations to consider the need for investment in cybersecurity despite the lack of monetary return. Unfortunately, most organizations continue to address risk management solely as a need for regulatory compliance and not as a need to truly safeguard the company and its customers, thus creating vulnerability.
Challenges in Third-party Risk Management
While critical infrastructure and technology adopted is internal, third-party access is external with limited control. Data becomes readily available to users outside the organization through global suppliers and global connectivity. As a result, this becomes one of the high-risk areas, particularly rising during the pandemic. Consequently, several loopholes in data privacy and security have been identified due to:
- Lack of top management involvement at an early stage
- Emerging technologies and corresponding skills gap
- Improper or negligent training of frontline workers making them the weakest link
- Lack of stringent data privacy and security controls
- Lack of policy awareness and training
- Heightened regulatory pressure
- An unstructured third-party monitoring process
Recommendations to Improve Risk Management
- Creation of a Cyber Resilience Strategy
In this strategy, the assumption is that the company will be attacked. So, the focus is on building defenses such that the organization is always prepared for an attack, is able to quickly respond and recover rapidly from any disruption of any scale, in order to resume BAU (Business as Usual) with minimal downtime.
- Removal of Weak Links through Training
It is dangerous to assume that risk mitigation is the responsibility of the top management or the IT team – rather, the onus is on every employee to keep hackers at bay. This can only happen through continuous training to reiterate the responsibilities of every person linked to the organization, and the consequences of any intentional/unintentional behavior that may lead to a security breach.
- Micro-Segmentation with Zero Trust Technology
Micro-segmentation means the organization’s IT assets are logically divided into discrete security segments and managed through appropriate security controls as relevant to the segment. This also allows for quick isolation of affected segments in case of a cyber attack. This in combination with a zero-trust strategy ensures that every resource is authenticated before access to a segment asset.
- Cyber Risk Quantification
Once risk areas have been identified, they need to be evaluated using mathematical models – either through an automated or software-enabled process, to quantify their risk potential to the business. This provides a business perspective by accurately indicating how each risk could financially affect the business and drives data-driven prioritization of risk management initiatives.
- Restricting Third-party Access
A third-party risk management program is critical to the overall cybersecurity program. Every vendor’s access privileges, their endpoints, and activities when logged into the organization need to be monitored and controlled. Continuous reevaluation is key as vendor associations change – to eliminate orphan accounts and to ensure adherence to a ‘just-in-time, least privilege’ access policy.
This blog offers only a high-level gist of the webinar. You can watch the entire webinar, including the poll questions and the experts’ take on audience questions here.
GAVS periodically organizes insightful webinars with GAVS’ tech leaders, the leadership team, and industry thought leaders to explore current and emerging trends. To watch our other webinar recordings, please visit https://www.gavstech.com/videos/.