By removing silos and connecting Risk Management, Cybersecurity and Business Continuity, an organization can develop cyber resilience needed to meet the increasing threats of cyber disruption.
Don’t think for a moment that your organization isn’t that interesting to cybercriminals. No business is too small, too unimportant or too irrelevant to be a target. Breaches are posing an ever-growing risk for all businesses and are now even greater since the consequences after the General Data Protection Regulation (GDPR) came into full force. Failure to respond urgently and transparently to a data breach can be a near extinction-level event.
The full financial impact a data breach can have on an organization’s bottom line can be devastating. Aside from expensive technical investigations and regulatory filings, a breach also includes hidden costs such as lost business, negative impact on reputation, and employee time spent on recovery.
Recent figures released by the Ponemon Institute prove data breach costs have risen in the past decade and the financial impact can be felt for years, underlining the importance of incident response.
According to the Ponemon’s 2019 Cost of a Data Breach Study, the average total cost of a data breach is US$3.92 million, a 12 percent increase over the past five years. While an average of 67 percent of data breach costs were realized within the first year after a breach, the findings prove that the financial impact of a data breach are felt for years – 22 percent accrued in the second year and another 11 percent accumulated more than two years after a breach.
Breaches originating from a third-party cost organizations US$360,000 more than average, according to Ponemon. However, very few businesses operate independently, opting instead for an outsourced model to gain economies of scale, with many vendors contributing to the process of bringing products and services to market. It’s a great business model that enables organizations to concentrate on their core capabilities, but it can also create a series of security gaps.
Erasing Blurred Lines
Corporate lines blur when it comes to cybersecurity matters – with risk management, crisis management, business continuity and disaster recovery often intersecting. Areas such as vendor risk and cyber security risk are typically handled in silos, which can create cracks in an organization’s armor. But although it’s hard for organizations to calibrate all of these different functions, the recent ubiquitous wave of cyber breaches has become the game-changer in risk management, and business continuity has captured the attention of boards.
Business continuity management (BCM), which has deep roots in developing plans to keep organizations running during and after natural disasters, has grown and developed to cover a wide range of threats to resilience. Today, business continuity is a key component in an organization’s arsenal to build cyber resilience. But it takes collaborative strategies to mitigate cyberattacks and ensure a fast recovery.
Organizations, therefore, need to connect the dots between vendor continuity management (VCM), cybersecurity, and business continuity to reduce risk to their customers and business, and to improve their overall resilience.
But why is VCM so important for resilience? Well, vendors provide an “entry point” to processes, technology, products, and services. When a consumer uses an organization’s services, they trust their vendor to choose partners that will keep their data safe.
Then there are the demands from the digital economy. Organizations must contend with real-time, free-flowing information between vendors and other partners that are susceptible to business interruption. This model opens multiple access points that need to be carefully reviewed and managed.
Another part of the organization that needs resilience is its reputation. When it comes to a company’s public image, social media can either be their best friend or their worst enemy. Hence, how an organization responds to a vendor incident will determine their reputation as well as impact the potential for fines and legal action.
Customers “vote with their feet” and often stop doing business with a company that’s suffered a breach. According to SAI Global’s Reputational Trust Index 2019, 65 percent of those surveyed viewed data privacy as the most important attribute when considering a company’s trustworthiness. This illustrates that data security is more than just a compliance issue, but one of trust and reputation.
An organization can have dozens of vendors that they regularly do business with, however not all of their functions are equal – and not all vendors are critical to an organization’s recovery. To determine which are most critical, a vendor impact assessment (VIA) should be performed first.
Just as BCM encapsulates risk assessments, maps critical processes to people and assets, and conducts business impact assessments (BIA), a VIA extends these practices to third- and fourth-party suppliers, partners, and contractors. If a vendor is not critical to recovery, they may have different standards to adhere to, if any at all.
Some organizations can literally have thousands of vendors. Ranking these vendors into tiers based on criticality to recover saves substantial time and effort by the VCM team. Understanding the impact a vendor has on an organization’s ability to recover is essential and a point rating system provides a clear metric to measure vendor relevance.
When it comes to evaluating a vendor, organizations should focus on two fronts: the maturity and effectiveness of the vendor’s cybersecurity practices, and the vendor’s ability to recover from an incident and continue to provide products and services to critical processes.
When assessing vendor risk, information security is at the forefront of the mind of most organizations. For example, an IT-shared services unit may rely on an external vendor for hosting or cloud services. The IT unit requires a cloud vendor available and online for critical applications. This vendor takes precedence as a critical or tier 1 vendor for contingency planning and recovery.
Making Cyber Resilience a Reality
True cyber resilience demands a response that addresses the organization as a whole; half measures will not work. It begins with a deep understanding of the operational landscape, to know which workflows must be preserved so the organization can continue to operate in the event of a cyberattack, while safeguarding stakeholders and assets.
This is why silos need to be broken and the dots need to be connected between all of those across the organization and the broader cyber ecosystem.
Many organizations use a web of vendors and third parties to bring products to market, which broadens their exposure to risk with every connection. Considering the potential for vendors and third parties to impact operations, organizations need to do much more to understand the role vendors play in their ability to maintain resiliency becomes obvious.
Through the integration of VCM and BCM programs, organizations can better profile and screen vendors, conduct impact assessments at the product level, determine assessment needs, and maintain historical and auditable assessment records. Such integrated risk management enables risk professionals to better manage vendor products and services, their business impacts, determine vendor risk scores, capture contract and SLA details, and access additional visualization and reporting capabilities.
By unifying VCM and BCM data and practices, organizations can capitalize on economies of scope and manage risk more holistically. This leads to better capital and resource management, reduced costs, improved business performance, compliance with regulations, and ultimately protects the organizations’ brand and reputation.
About the AuthorMore Content by James Green