Time to act against cyber threats – not react
I believe the time for a call to action is now. It is time to get a full picture of:
- What information you are collecting, processing and storing
- Where your information is
- Where it is located
- How it is protected
- Who has access to it
- When it is being accessed
What does this mean? For example, your organisation’s human resource information system (HRIS) has been outsourced to a third party. As far as you know, you log into the HRIS through the third party’s web portal, and you are just using the system to key in the personal and sensitive information of your organisation’s staff. The question would be: if there is a breach of this system, to what extent would your organisation be accountable or responsible for the breach of that information?
In our experience, most organisations will assume that it would not be within their remit, since it is the third party that provides the platform, and the platform is not located within the organisation’s premises. However, in reality, your organisation is the one that has been entrusted to collect the information. The ultimate accountability for it rests with your organisation, even if you may have outsourced the responsibility for it. Therein lie the questions – do you know where the data is, who is accessing it, how it is protected – you need to have the oversight to be accountable for it.
We have worked with clients to help them understand the breadth of information across their supply chain, ensuring that the responsibility for information is not lost between your organisation and the third and fourth parties it has been outsourced to. From this, we are able to assist in assessing the risk of the security posture between your organisation and your mission-critical third and fourth parties. This enables oversight of the risks and potential threats within the information flow.
So, I do believe this is the time – the time to revisit your supply chain risks, to take a proactive approach to understanding the threat landscape as well as the risks posed to your organisation by your current security posture and by the information outsourced to third and fourth parties. It’s time to take the reins of your data, from that within your company walls to that held externally and outsourced to third and fourth parties. Calculate the risk, minimise the gaps, know your information, own your information before the total loss of data overshadows the total cost of security investment.