All Things Being ISOs

Navigating the Complex Web of Cyber Threats – Why a Good Map Matters

Cybersecurity Experts Emphasise the Need for a Strategic Approach to Tackle Risks Arising from Third-Party Platforms and Services.

In an era marked by the proliferation of platforms, apps, and IT tools, cybersecurity faces a complex challenge: malicious actors exploit the links between an organisation and its third-party services to reach critical assets. To counter this, IT security teams are advised to adopt a strategic mapping approach that makes visible the processes and sub-processes running across the organisation's IT infrastructure, including the third-party services they depend on.


Key Points:


1. Mapping the Cyber Landscape:

To counter the broader attack surface created by third-party platforms, experts suggest a comprehensive mapping of all processes, whether they run on IT systems, on paper, or otherwise. The mapping aims to identify the boundaries between applications and services, so that the organisation can decide which controls are needed over each individual service and over each boundary where services connect.


2. Developing a Risk Landscape:

Armed with a thorough understanding of organisational processes and risks, cybersecurity teams can develop a risk landscape. This is a desk exercise: it classifies each area as under direct organisational control, reliant on a third party, or essential but outside the organisation's control, and forms the basis for a risk management strategy.


3. Controls for the Three Areas:

- Direct Organisational Control:

- Encrypt data in transit.

- Control data egress so that only non-sensitive data leaves the boundary.

- Control data ingress: run regular IT health checks on inbound channels, and publish and enforce email authentication records (SPF, DKIM, and DMARC) so that forged mail claiming to come from the organisation's domains is rejected.


- Reliance on Third Parties:

- Establish comprehensive service contracts outlining security requirements and qualifications.

- Include areas like staff processes, internal audits, and procurement in contractual statements.


- Areas with No Control (a dependency that can be neither managed directly nor bound by contract, so the controls sit at the organisation's own boundary with it):

- Encrypt data in transit.

- Control data egress to limit sensitive data exposure.

- Control data ingress with regular IT health checks and the same email authentication records (SPF, DKIM, and DMARC) on the organisation's own domains.
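The ingress control above names SPF, DKIM and DMARC without saying what "compliance" looks like in practice. The following script, an added example that is not part of the original post, shows the check a practitioner would run against their own domains: it reads the SPF and DMARC TXT records and reports the weak configurations that leave a domain spoofable (no record at all, an SPF ending in `+all` or a soft `~all`, a DMARC policy of `p=none`, no aggregate reporting address). The DNS lookup is replaced by a constructed table of sample records so it runs offline; the domain names and records in `SAMPLE_TXT` are invented for illustration, and the hypothetical `lookup_txt` function is where a real resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`) would be plugged in. DKIM is not checked here because its selector names are not discoverable from DNS alone.

```python
"""Assess a domain's published SPF and DMARC policies from DNS TXT records.

Added example (not from the original post). DNS lookups are replaced by a
constructed table of TXT records so the script runs offline.
"""
import re

# Constructed sample data standing in for TXT lookups of <domain> and
# _dmarc.<domain>. These domains and records are invented for illustration.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "none.example": ["some-unrelated-verification=abc123"],
}

# SPF terms: optional qualifier, then a mechanism or the redirect modifier.
_SPF_TERM = re.compile(
    r"^([+\-~?])?(all|include|ip4|ip6|a|mx|ptr|exists|redirect)(?:[:=].*)?$", re.I
)
# Mechanisms that cost a DNS lookup (RFC 7208 limits these to 10 per check).
_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, txt=SAMPLE_TXT):
    """Hypothetical resolver hook: return the TXT strings published at `name`."""
    return txt.get(name, [])


def parse_spf(records):
    """Extract the 'all' qualifier and DNS-lookup count from a domain's SPF record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208 requires exactly one SPF record
        return {"present": bool(spf), "count": len(spf)}
    all_qual, lookups = None, 0
    for term in spf[0].split()[1:]:
        m = _SPF_TERM.match(term)
        if not m:
            continue  # unknown terms are ignored, as receivers would do
        qual, mech = (m.group(1) or "+"), m.group(2).lower()
        if mech == "all":
            all_qual = qual
        elif mech in _LOOKUP_MECHS:
            lookups += 1
    return {"present": True, "count": 1, "all": all_qual, "lookups": lookups}


def parse_dmarc(records):
    """Extract the policy and reporting address from a _dmarc TXT record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"present": False}
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"present": True, "policy": tags.get("p"), "rua": tags.get("rua")}


def assess(domain, txt=SAMPLE_TXT):
    """Return a list of findings describing why `domain` can still be spoofed."""
    findings = []
    spf = parse_spf(lookup_txt(domain, txt))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, txt))

    if not spf["present"]:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif spf["count"] > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    else:
        if spf["all"] == "+":
            findings.append("SPF ends in +all: authorises every host, equivalent to no SPF")
        elif spf["all"] != "-":
            findings.append("SPF does not end in -all: forged mail is only softfailed or neutral")
        if spf["lookups"] > 10:
            findings.append("SPF exceeds 10 DNS lookups: evaluates to permerror")

    if not dmarc["present"]:
        findings.append("no DMARC record: SPF/DKIM results are not enforced on the From: domain")
    else:
        if dmarc["policy"] == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif dmarc["policy"] not in ("quarantine", "reject"):
            findings.append("DMARC policy missing or invalid: record will be ignored")
        if not dmarc["rua"]:
            findings.append("DMARC has no rua= address: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        print(name, "->", assess(name) or ["OK"])
```

Running the script flags `weak.example` for its `+all` and `p=none`, flags `none.example` for having neither record, and passes `good.example`. In a real health check, the same function is run over every domain the organisation owns, including parked ones, since a domain that sends no mail still needs `v=spf1 -all` and `p=reject` to stop others sending as it.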


4. Internal Organisational Evaluation:

- Scrutinise internal policies, procedures, and standards.

- Ensure staff vetting processes, security policies, and standards are up to date and followed.

- Assess the adequacy of staff training and education.

- Conduct regular IT health checks on internal and external-facing infrastructure.

- Ensure contractors adhere to organisational policies and procedures.

- Explore formal certifications like ISO 27001, Cyber Essentials, and others.


As organisations grapple with the ever-evolving landscape of cyber threats, the emphasis on strategic mapping, risk assessment, and robust controls emerges as a crucial component in fortifying defences. Cybersecurity professionals stress the importance of a proactive approach to stay ahead in the complex and dynamic realm of cybersecurity.


A message from our sponsors, The Ideas Distillery:


If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.


Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
