Cyber Events Are Never Just Technical Failures
Looking at the Operational and Procedural Issues That Create Risk
In cybersecurity, it is easy to fall into the trap of viewing cyberattacks as purely technical failures. When a breach occurs, the first instinct is often to blame the firewalls, point fingers at compromised machines or find fault in software patches that may have been missed. The focus is placed squarely on the technical aspects: what went wrong with the systems, where the vulnerabilities were and how the attackers exploited them. While these technical considerations are crucial, they represent only a portion of the broader picture.
If a suspended entity can access a system it would normally use, is this a failure of cybersecurity or something deeper? We often overlook the operational side of things. Every machine, every piece of software and every user account within an organization poses an operational risk element that can be significantly magnified if the necessary controls are not properly implemented and practiced. Cyber events should never be looked at solely as technical failures, because doing so misses the critical operational and procedural issues that often play a significant role in these incidents.
The Importance of Practicing Controls
Most organizations have a set of written procedures that are deemed fit and proper. These are typically well-documented in policy manuals and procedural guides. The challenge lies in the consistent implementation and practice of these controls - repeatability. Often, due to competing priorities or resource constraints, these procedures are either not followed or are applied inconsistently. When you do a process walk with two or three employees within the same unit, each employee may follow the same SOP slightly differently - and it may not match the written SOP.
External vendors and third-party service providers often play crucial roles within an organization, whether they are managing physical security systems, providing IT support or overseeing specific business processes. These vendors may have physical access to the organization's premises or virtual access to its networks and sensitive data. Despite not being full-time employees, their access to critical systems, processes and information is often on par with that of internal staff.
External vendors engaged in technical roles often possess extensive access to critical systems. These are the individuals who, metaphorically speaking, "put their hands in the mud" to ensure that operations run smoothly. The level of access they are granted, combined with their external status, presents a unique set of operational risks that are frequently underestimated.
External Vendors and Cybersecurity
IT and information security teams, tasked with ensuring that the organization's digital lights stay on, often integrate external vendors into the network without distinguishing between their external status and the status of internal employees. Vendors are granted access to the same systems and networks as regular employees. But perhaps these accesses should be monitored differently.
This is where operational risk intertwines with cybersecurity. When external vendors are treated the same as internal employees in terms of system access, without any additional scrutiny or controls, the organization is exposed to significant risks. These risks are not just about potential malicious intent from vendors but also about the operational failures that can arise without fully understanding or monitoring their access rights.
Operational policies should serve as the first line of defense, ensuring access is removed when it is no longer needed. If a vendor's access is not promptly revoked after the termination of their contract, the organization is vulnerable to unauthorized access. Even if the vendor does not intend any harm, the mere presence of an active account associated with a former third party is a security gap waiting to be exploited. In many cases, these gaps are identified only after a breach has occurred, during the postmortem analysis, when it becomes clear that the operational procedures for offboarding were either not followed or were inadequate.
The Need for Differentiated Access Monitoring
Given the unique risks associated with external vendors, it is essential that organizations differentiate how they monitor and manage access for these third parties. This is not about mistrust; it is about recognizing the distinct nature of their involvement and the potential operational risks they bring. Organizations should consider implementing the following practices:
- Establish specific access controls. For external vendors, these controls ensure that their access is limited to what is necessary for their roles. Regularly review and adjust these access rights as needed.
- Implement strict offboarding procedures. Provide vendors with clear timelines for revoking access. This process should be automated where possible to prevent human error.
- Use differentiated monitoring. Focus on unusual activity or access patterns of vendors. This can be achieved through advanced analytics and AI-driven security solutions that flag potential anomalies.
- Conduct regular audits. Audit the access rights for all third parties, especially vendors. This helps ensure that any operational risks are identified and mitigated promptly.
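The offboarding, differentiated-monitoring and audit practices above can be combined into a single recurring check. The following Python script is an added example, not from the original article: it cross-references a constructed vendor roster (contract end dates and approved systems) with a constructed identity-store export and authentication log, and flags vendor accounts still enabled after contract end, successful vendor logins after contract end, and vendor access to systems outside the approved scope. All account names, system names and dates are constructed for illustration.

```python
"""Audit third-party accounts against a vendor roster (constructed sample data)."""
from datetime import datetime

# Constructed vendor roster: account -> contract end date and approved systems.
VENDOR_ROSTER = {
    "svc-hvac-vendor": {"contract_end": "2024-03-31", "systems": {"bms-01"}},
    "svc-itsupport": {"contract_end": "2025-12-31", "systems": {"jump-01", "ad-01"}},
}

# Constructed identity-store export: account -> enabled flag (jdoe is an internal user).
ACCOUNTS = {"svc-hvac-vendor": True, "svc-itsupport": True, "jdoe": True}

# Constructed authentication log: "<timestamp> <account> <system> <result>".
AUTH_LOG = """\
2024-04-02T08:15:00 svc-hvac-vendor bms-01 SUCCESS
2024-04-02T09:00:00 svc-itsupport jump-01 SUCCESS
2024-04-02T09:05:00 svc-itsupport fileserver-03 SUCCESS
2024-04-02T10:00:00 jdoe fileserver-03 SUCCESS
"""

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, system, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "system": system, "result": result})
    return events

def audit(roster, accounts, events, as_of):
    """Return (finding_type, account, detail) tuples for vendor accounts only."""
    now = datetime.fromisoformat(as_of)
    findings = []
    # Offboarding gap: contract has ended but the account is still enabled.
    for acct, info in roster.items():
        if datetime.fromisoformat(info["contract_end"]) < now and accounts.get(acct):
            findings.append(("STALE_ACCOUNT", acct, f"contract ended {info['contract_end']}"))
    # Differentiated monitoring: vendor rules apply only to accounts on the roster.
    for ev in events:
        info = roster.get(ev["account"])
        if info is None:
            continue  # internal user, not subject to the vendor rules
        if ev["result"] == "SUCCESS" and ev["ts"] > datetime.fromisoformat(info["contract_end"]):
            findings.append(("POST_CONTRACT_LOGIN", ev["account"], f"{ev['system']} at {ev['ts']}"))
        if ev["system"] not in info["systems"]:
            findings.append(("OUT_OF_SCOPE_ACCESS", ev["account"], f"{ev['system']} not approved"))
    return findings

if __name__ == "__main__":
    for kind, acct, detail in audit(VENDOR_ROSTER, ACCOUNTS, parse_log(AUTH_LOG), "2024-04-03"):
        print(f"{kind:20} {acct:18} {detail}")
```

In practice the roster would come from the contract or procurement system and the log from the identity provider, so the audit runs on data the business already owns rather than on a separately maintained list.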
Cybersecurity is a complex and multifaceted discipline. It is not just about the firewalls, the patches or the compromised machines. We need to ensure that the operational aspects of cybersecurity are not just an afterthought but a principal component of an organization's defense strategy. We need to rely less on reactive measures and more on proactive governance. By doing so, we can move beyond reactive firefighting toward a comprehensive approach to cybersecurity that truly safeguards institutions.