CIOReview | 9 JULY 2023

Additionally, there should be, at a minimum, quarterly reviews of all critical vendors with low or fluctuating risk profiles, followed by a detailed analysis of their scores and the reasons behind them. This type of review ensures that all the right people at your organization are aware of potential risks and are also in a position to challenge the scoring. Some vendors' risk profiles may be affected by things such as the IaaS shared responsibility models they have with other customers, or even the nature of their business (e.g. an ISP). While the InfoSec tools will show this as risk, a detailed quarterly review by your organization can segment it out where it does not represent a significant security risk to your organization.

This approach also creates an opportunity for organizations to work collaboratively with their IT vendors to protect each other. By sharing your own risk profile with your vendors, and working together to address any gaps, you are investing in stronger security for both organizations. This further creates an opportunity to exchange best practices, new ideas and lessons learnt between both parties. It is time very well spent, and it builds strong strategic partnerships between the two companies.

Nevertheless, even if all the due diligence checks out at the onboarding and annual assessment phases, and even if the quarterly internal assessments show no serious security risks, all organizations should have a well-established and documented exit strategy for each of their critical IT vendors. This practice forces the organization to really think about its relationship with each IT vendor, avoid concentrating massive scope with one vendor, and remove sole-sourcing practices altogether. The question is not if an attack happens, but rather when an attack happens. Anyone can get hacked at any time, inadvertently making the entire organization vulnerable.
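The quarterly review described above can be driven by a small triage step: pick out the critical vendors whose external score is low or has been fluctuating, then separate the findings the review team has already documented as not applicable (shared-infrastructure noise from an IaaS provider, exposed services that are the nature of an ISP's business) from the residual findings that still need discussion. The following is an added example written for this page, not code from the article or from any vendor-scoring product. It assumes a 0 to 100 score where higher is better, a chronological list of scores per vendor, and a per-vendor set of accepted finding categories maintained by the organization; the thresholds and the vendor data are constructed for illustration.

```python
"""Quarterly third-party risk review triage (added example, assumptions labelled).

Assumed model (not from the article): each vendor has a chronological list of
external security scores (0-100, higher is better), a list of finding categories
reported by the scoring tool, and a set of categories the organization has
documented as accepted risk for that vendor (e.g. an ISP's open customer ports).
"""
from dataclasses import dataclass, field
from statistics import pstdev

# Constructed review thresholds; a real program would tune these per vendor tier.
LOW_SCORE = 70       # latest score below this counts as "low"
VOLATILITY = 8.0     # population stdev above this counts as "fluctuating"


@dataclass
class Vendor:
    name: str
    critical: bool
    scores: list                          # chronological scores, higher is better
    findings: list                        # finding categories currently reported
    accepted_categories: set = field(default_factory=set)  # documented exceptions


def review_queue(vendors, low_score=LOW_SCORE, volatility=VOLATILITY):
    """Return the critical vendors that need a quarterly review, with reasons.

    Each entry lists why the vendor was selected, the residual findings the
    reviewers must analyse, and the findings segmented out as documented
    accepted risk so the scoring can be challenged rather than taken at face value.
    """
    queue = []
    for v in vendors:
        if not v.critical or not v.scores:
            continue                      # only critical vendors are in scope here
        latest = v.scores[-1]
        spread = pstdev(v.scores) if len(v.scores) > 1 else 0.0
        reasons = []
        if latest < low_score:
            reasons.append(f"low score {latest}")
        if spread > volatility:
            reasons.append(f"fluctuating (stdev {spread:.1f})")
        if not reasons:
            continue                      # stable and healthy: routine annual cycle only
        reported = set(v.findings)
        queue.append({
            "vendor": v.name,
            "reasons": reasons,
            "residual_findings": sorted(reported - v.accepted_categories),
            "segmented_out": sorted(reported & v.accepted_categories),
        })
    return queue


def build_sample_vendors():
    """Constructed sample data for the demo; names and scores are fictional."""
    return [
        Vendor("Example-ISP", True, [62, 64, 60, 63],
               ["open_ports", "expired_tls_cert"], {"open_ports"}),
        Vendor("Example-IaaS", True, [90, 70, 92, 84],
               ["shared_ip_reputation"], {"shared_ip_reputation"}),
        Vendor("Example-SaaS", True, [88, 89, 90, 88], []),
        Vendor("Example-Stationery", False, [40, 38, 41, 39], ["open_ports"]),
    ]


if __name__ == "__main__":
    for entry in review_queue(build_sample_vendors()):
        print(entry)
```

The ISP is selected only for its low score, and its accepted open-port finding is segmented out while the expired certificate stays on the agenda; the IaaS provider is selected purely for volatility, with its whole finding set already covered by a documented exception, which is exactly the case where the review team should be challenging the score rather than the vendor. The non-critical vendor is skipped even though its score is poor, which keeps the quarterly cadence focused on the vendors whose exit strategy matters.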
While some cyber attacks are targeted, others use a scattergun approach, sending phishing emails to thousands of potential victims with a link or an attachment that, when opened, infects the system and creates widespread problems. Depending on the nature of the attack and the information that is compromised, organizations might not only have their customer base impacted, resulting in financial loss and a tarnished reputation, but can also be subject to regulatory fines and penalties. As cyber attacks become more sophisticated, our defence also needs to become more sophisticated. Failing to plan is planning to fail, and with the ever-increasing reliance on IT, organizations cannot afford not to be over-prepared. The growing availability of AI-powered technology that enables the development of malware, scripting and other tools provides attackers with the ability to manufacture near-perfect ways to execute their plans with very little effort. The ultimate goal: highly lucrative ransom