On the second day of the Computing Cyber Security Festival, Sam Woodcock, Senior Director of Cloud Strategy at 11:11 Systems, and Goher Mohammed, Group Head of Information Security at L&Q Group, discussed the origins and implications of a cyber attack L&Q recently experienced through one of its third-party relationships. We have all read the playbooks for these scenarios, but real life can unfold rather differently.
Goher Mohammed narrated the incident.
“We had a situation where a third-party supplier was hit by a ransomware attack. L&Q is a social housing supplier and we need to carry out works on our homes. The relevant company provides a platform for that. As a partner, this third party held L&Q data. An attacker infiltrated their environment and compromised their network.
“It meant our services were affected. We did our due diligence and weren’t directly affected, but the third-party compromise meant we were operationally affected. We’re in this wonderful new world where we work with SaaS and other cloud providers to give us agility, but it also means we are at risk if they don’t do the right thing.”
This story illustrates the extent to which third-party suppliers and partners can increase the risks facing organizations. How should these risks be assessed?
“Third party assessment is absolutely critical,” Mohammed said. “We can treat third parties like our own systems and solutions. We cannot assume that they will work well. They are an extension of our own technology offerings and services.
“Partners get frustrated when we give them detailed questionnaires, but in the end it’s serious because it tells you where they are. If organizations don’t do that assessment and the worst happens, it’s going to be very difficult to explain ourselves to regulators, auditors and investors if something goes wrong.”
Sam Woodcock agreed, saying that spending time in this due diligence phase will pay off in the end, even if it reduces initial engagement.
“As MSPs, we spend a lot of time with our compliance teams and security teams to help build trust and work through those questionnaires and dig deeper into the individual factors that you want to know more about. You have to have that trust and partnership, and you really have to work at it. That is how I define whether they are a partner or not.”
Agility of response is key
Goher Mohammed used a very famous quote from boxer Mike Tyson to illustrate the importance of an agile approach when dealing with cyber security incidents.
“Everybody has a plan until they get punched in the face. When you’re dealing with an incident, whether it’s your incident or a third party’s, it’s never been truer. When we were affected, every man and woman had to pitch in to understand what happened, why, and how we could return to operations, as it was affecting our core service.
“We had a plan, but when you’re still in the pilot stage and it’s a new third party, you’re still developing a business continuity plan for that service. You don’t plan months in advance. One of the key takeaways for me is that you have to be nimble as you go through this event. As part of that we were looking for information. We knew we provided a subset of the data to that third party. We asked them to verify the data they had about us. When they provided it, it wasn’t what we expected. It just wasn’t in the playbook. It is now, but the next event could be completely different.”
Both Mohammed and Woodcock agreed on the need to expect the unexpected and avoid wasting time fighting your own playbook as you respond. Woodcock emphasized the importance of a multi-layered approach to security.
“We have that multi-layered approach at 11:11. When we look to define that approach, we look to industry standards like the NIST Framework for Security, which provides a defined, step-by-step approach to security if you haven’t got cybersecurity resilience. To help you on that journey, the strategy aligns industry frameworks and technology partners.”
However, Mohammed issued a word of caution against being too rigid and sticking too closely to a framework.
“People can get too fixated on frameworks, but remember they are frameworks, not mandates.”
The best way to get to the right place is to understand your organization and adopt the right components of each framework. According to Mohammed, there is no one-size-fits-all framework.
“Because of our own incident we were very honest and open with our clients. After the attack, I recommend being honest because people are more understanding than you think. We reached out to over 60,000 residents and only 20 people came back to us to express their concerns. Being honest and open affects reputation. It helps.”
To be sure, some of the most high-profile attacks in recent years have lingered in the public imagination at least in part because the companies involved failed to be upfront with the consumers whose data was compromised. It is not good to have information extracted from you through the media or through legal action by those affected.
As Woodcock notes:
“If something happens and you let it linger and don’t warn people that they might be affected themselves, that can be a double whammy for reputations.”
The pair’s closing thoughts included the importance of relationships across the business – security does not begin and end with security teams. It’s a cliché, but security is a three-way concern of people, process and technology.
This comprehensive and collaborative approach should be extended to third parties, because after all, it is your brand.