Blogs
Our European GRC Summit Roadshows and the Instagram of Risk
- Artificial Intelligence
- 02 November 21
4 min read
Introduction
Talk about roundtrips…. In-the same week of a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
London Calling
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
Cycling through Denmark
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize pattens and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing. This conversation continued into the evening, accompanied by food and drinks.
High-End Shopping in Zurich
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that like a good bottle of wine gets better with age.
Until the next summit.
Jump to Topic
Related Resources
Blogs
Towards Cyber Resilience: NIST’s Cybersecurity Framework for Ransomware Risk Management
- GRC
- 21 October 21
4 min read
Introduction
The number of ransomware attacks on organizations around the globe is growing at an exponential rate with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.
Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds this year, and estimates ransomware damages to cost the world $265 billion by 2031. To operate in this precarious digital landscape, organizations today must go the extra mile to ensure that their cyber defense mechanism is robust and effective.
In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft on “Cybersecurity Framework Profile for Ransomware Risk Management” that sets out its guidance on how organizations can prevent, respond to, and recover from ransomware attacks.
The document details basic preventive steps to protect against the ransomware threat, including using antivirus at all times, keeping computers fully patched, continuous monitoring, segmenting internal networks, educating employees about social engineering, assigning and managing credential authorization, and many more.
The Five Cybersecurity Framework Functions
NIST has classified Cybersecurity Framework Functions into five categories: Identify, Protect, Detect, Respond, and Recover, and has suggested key measures under each of these functions to protect against ransomware threats.
Identify - This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Some of the key suggestions made by NIST under this head include:
- Creating, reviewing, and maintaining an inventory of all organizational data, personnel, devices, systems, and facilities
- Prioritizing organizational resources based on their classification, criticality, and business value
- Establishing cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
- Cataloging and mapping internal and external communications and data flows
- Developing a comprehensive communication strategy that details the action plan in the event of an attack
- Effectively managing legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
- Establishing and managing risk management processes agreed to by organizational stakeholders
- Conducting response and recovery planning and testing with suppliers and third-party providers
Protect – This function is critical to limit or contain the impact of a potential cybersecurity event and involves implementing appropriate safeguards to ensure the delivery of critical services. Some of the key measures include:
- Documenting and managing identities and credentials for authorized devices, users, and processes
- Managing remote access to maintain the integrity of systems and data files
- Effectively managing access permissions and authorizations, incorporating the principles of least privilege and separation of duties
- Providing cybersecurity awareness education and training to employees
- Managing information and data in a manner consistent with the organization’s risk strategy
Detect – This function requires the implementation of appropriate activities to identify the occurrence of a cybersecurity event and enables timely discovery of cybersecurity events. Some of the key suggestions include:
- Detecting anomalous activity and understanding the potential impact of events
- Continuous monitoring of information systems and assets
- Maintaining and testing detection processes and procedures to ensure awareness of anomalous events
Respond –Once a cybersecurity incident is detected, the Respond Function is important to take appropriate action and measures to contain the impact. NIST recommends:
- Executing and maintaining response processes and procedures to ensure a response to detected cybersecurity incidents
- Coordinating response activities with internal and external stakeholders
- Conducting analysis to ensure effective response and support recovery activities.
- Performing activities to prevent the expansion of an event, mitigate its effects, and resolve the incident
- Continuously improving organizational response activities by incorporating lessons learned from current and previous detection/response activities
Recover – This involves implementing appropriate activities to maintain plans to restore any capabilities or services that were impacted in a cybersecurity incident and helps an organization’s timely recovery to normal operations. Key measures include:
- Executing and maintaining recovery processes and procedures to ensure restoration of systems or assets affected by cybersecurity incidents
- Improving recovery planning and processes by incorporating lessons learned into future activities
- Coordinating restoration activities with internal and external parties
How MetricStream Can Help
MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.
The MetricStream IT and Cyber Risk and Compliance solution is aligned to the capabilities detailed in the NIST guidance. It helps organizations to proactively anticipate and minimize IT and cyber risks, threats, vulnerabilities, and multiple IT compliance requirements. The solution cuts across enterprise siloes by facilitating harmonization between various functions and aggregating information and providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program. To request a personalized demo, click here.
Jump to Topic
Related Resources
Blogs
Frameworks to Consider for Cybersecurity
- IT Risk & Cyber Risk
- 09 September 21
4 min read
What are the Top 3 Takeaways after I’ve Finished this Article?
- What are the controls that should be implemented to have a robust Information/Cybersecurity program?
- How should organizations prioritize Information/Cybersecurity risk?
- Standards that can be used as guidance in creating even better Information/Cybersecurity programs
What is the Difference, if Any?
Information Security includes protecting classified information in all forms that must be protected including, but not limited to: paper documents, photos, media, spoken information, and electronic data. Cybersecurity is a component of Information Security pertaining to the protection of critical systems such as the network and computer systems in order to ultimately protect electronic data from attacks. In creating a robust Information/Cybersecurity program, the standards treat Information/Cybersecurity as a cohesive topic.
Some organizations have put more of their resources into Information/Cybersecurity and hardening the technology because of the increase in ransomware and breaches. They are forgetting about the importance of also managing the data itself through governance and risk assessments, unless required by a regulation or standard that they must be compliant with.
Information/Cybersecurity threats are a key concern and mitigating risks is critical. At the same time, protecting data from internal sources that wish to affect the confidentiality, integrity, and/or availability of data is of prime importance.
In order to manage the risks, policies should be created and approved by top management as part of Governance. An Information Security risk assessment should be conducted in order to assess the potential consequences if vulnerabilities were to be exploited. As part of the process, Information Security risk owners should be identified.
Information Security risk treatment should consider the findings of the risk assessment.
Awareness training is essential in order to mitigate against employees unintentionally affecting the Information Security of the organization.
Guidelines to Consider
There are many guidelines and different industries have their own requirements, but ISO (International Standard Organization) Standards and NIST (National Institute of Standards and Technology span across most industries as additional if not the primary guidelines they wish to implement. The best framework is to include a combination of the different standards into your existing framework as opposed to just choosing one standard to follow.
ISO
International Standards Organization 27000 family pertains to protecting all Information Security assets. These standards include guidance for Cyber Security as well.
ISO/IEC 27001:2013
According to ISO.org, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
ISO/IEC 27002:2013
According to ISO.org, ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s).
ISO/IEC 27003:2017
According to ISO.org, ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.
ISO/IEC 27032:2012
According to ISO.org, ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information.
In addition to these three ISO standards, the ISO 27000 family of standards includes many additional standards including:
- ISO/IEC 27004:2016 which pertains to metrics and monitoring and measuring the information security management system.
- ISO/IEC 27005:2008, pertaining to Information security risk management
NIST
The Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity risk. The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks.
SP 800-53 Rev. 5
Security and Privacy Controls for Information Systems and Organizations Per NIST, this publication provides security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
Conclusion
It’s critical to have Information/Cybersecurity as part of your culture so that all employees are consistently aware and can help protect the organization’s Information / Security assets. Organizations can implement both ISO and NIST controls in perfecting your program, as well as those found in industry regulations, standards, and guidelines.
Jump to Topic
Related Resources
Blogs
Power What’s Next in GRC with MetricStream’s Brazos Software Release
- Compliance Management
- 19 August 21
3 min read
Introduction
The demands and requirements of businesses to thrive in the new normal have changed drastically. Buzz words like agility, digitization, and resilience are no longer just business aspirations but have become necessary and fundamental for the readiness of organizations to address any risk event, including high-impact, low-frequency events such as COVID-19. With the latest Brazos release, we are delivering a myriad of innovations to support organizations in their journey to achieve their business goals and power through the current unsettled operational environment.
Brazos builds upon the previous Arno release and includes key innovations in areas including regulatory compliance, cyber risk quantification, and vendor risk management. The objective is to make the processes simpler, smarter, and more streamlined.
Simplifying Regulatory Complexity
Given the complex web of regulations, along with the escalating number of regulatory change alerts that organizations are bombarded with every day, it has become imperative to simplify the compliance function to make it more efficient and systematic. On these lines, the Brazos release brings new capabilities to our regulatory compliance products, including:
- Fully packaged, real-time curated regulatory intelligence from 1,000 supervisory bodies and 2,500 collections of regulatory/legislative materials facilitating efficient management of regulation overload.
- Certification and sub-certification processes enabling the creation of accountability chains.
- Contextual intelligence on policies allowing compliance teams to easily identify the policy section related to regulations, risks, and controls.
- Artificial Intelligence (AI)-powered action plan recommendations based on semantically similar compliance issues reported in the past for quick and easy resolution.
- Multiple enhancements to the Mobile App that simplify searching policies, tracking regulatory changes, and managing compliance assessments and regulatory engagement activities.
Quantifying the Impact of Cyber Risks
Cyber risk quantification, or quantifying cyber risks in monetary terms, is critical for cybersecurity professionals today to effectively communicate the cyber risk exposure to the top management and board. By understanding the potential impact of cyber risks in dollar values, decision-makers are better positioned to prioritize IT cyber risk spending, resource allocation, and establishment of optimal controls.
Brazos brings advanced cyber risk quantification capabilities to IT and Cyber Risk Management, enabling cybersecurity teams to leverage the industry standard FAIR methodology to quantify their cyber risks in monetary value. In addition, advanced Monte Carlo simulation capabilities help upgrade the assessment teams’ guesstimates into accurate predictive values of the cyber risk exposure.
Powering Next-Gen Vendor Risk Management with AI
Managing risks associated with the extended enterprise quickly and efficiently is crucial for ensuring continued business operations. Supplier networks of organizations today are comprised of hundreds and thousands of third, fourth, and subsequent parties. A manual approach to review third- and fourth-party documentation, including reports, certificates, and evidence, to spot any discrepancies is time-taking and prone to error.
We are addressing this challenge by bringing the benefits of artificial intelligence (AI) and automation to Third-Party Management with the latest release. MetricStream’s AI engine automatically scans through the documents submitted by the third parties, validates the content, highlights any anomalies, and automatically recommends risks scores based on the number and type of anomalies found. This real-time intelligence equips risk teams to accelerate analysis and mitigation of third-party risks.
With Brazos, we are setting a new standard by implementing AI into multiple GRC products, empowering risk, compliance, security, and audit professionals to better perform their roles and responsibilities. The release also provides a simplified user experience and enhances agility for faster time to value with:
- High configurability capabilities across the MetricStream Platform.
- Enhanced frontline capabilities to anonymously report compliance cases.
- Improved mobile capabilities for regulatory compliance, IT compliance, and audit.
- Content Integration Service that leverages REST APIs to import content from external sources.
- Better collaboration and improved cross-referencing in audit workpapers within Microsoft Word.
We are constantly striving to make your GRC journey exciting, enriching, and fun. The latest software release is guided by our key tenet of helping organizations accelerate sustainable growth with risk-aware decisions. The new features and functionalities extend the capabilities of MetricStream Platform and products and will enable you to meet the evolving business needs in this digitized world.
To know more about Brazos Release features, click here.
Jump to Topic
Related Resources
Blogs
Organizations Look to Adopt Integrated IT GRC Solutions to Ward Off Cyberattacks, Survey Finds
- IT Risk & Cyber Risk
- 29 July 21
3 min read
Introduction
Cyber risk has undoubtedly moved up the priority list and taken the center stage in boardroom discussions with the rapid pace of digital transformation of organizations and amplified data-dependency and interconnectedness. The COVID-19 pandemic and the resulting remote working environment have only aggravated the challenges for security teams as the entire workforce moved home—beyond the reach of the office firewall. In these unprecedented times, ensuring robust cyber defense infrastructure to protect critical assets is of paramount importance.
We recently conducted a survey to take a pulse of the current state of IT and cyber risk management programs at organizations. Here are the key takeaways from the survey:
- Most survey respondents (45%) identified a lack of visibility on cyber risks across the enterprise as the major challenge faced by their organization.
- A majority of organizations (83%) still depend on basic office productivity software, knowledge management software, and point solutions for their cyber risk management requirements. The implementation of an integrated IT GRC solution is at a low level across industries.
- Only 28% of the respondents said that their organization's cyber risk and compliance program is fully aligned with the broader enterprise risk and compliance management programs.
- Most respondents (45%) said that they changed their plans and approaches to cyber risk and compliance management and reprioritized their activities to contend with the pandemic-driven new operational landscape, while 33% of the participants said they deployed new tools and systems to enhance their efficiency.
- 41% of the respondents said that they are going to implement specific solutions in FY 2021 to ensure compliance with regulatory requirements and standards.
- 30% of the respondents said that they are interested in implementing a centralized cyber risk and compliance solution.
It is encouraging to see that switching to digitized and centralized GRC solutions is among the top priorities of organizations this year. These solutions can help improve risk visibility and foresight, facilitate continuous monitoring of IT and cyber controls, and streamline overall cyber risk and compliance management. Innovative features, such as support for mobility, real-time reporting, advanced risk analytics, regulatory notifications, and more, further assist executive management and board in quick and efficient decision-making.
“The ultimate goal isn’t to avoid cyber risk but rather transforming it into strategic advantage—because things can and will inevitably go wrong at some point. But if organizations build their cyber resilience—the ability to not just prevent cyberattacks but also minimizing the impact of security incidents and ensuring continued business operations in the aftermath of attacks—that’s when they can truly thrive and create business value,” an excerpt from the report reads.
Cyber Risk to Dominate Risk Strategies
Our flagship event, GRC Summit, was held recently and brought together the best in the industry to share risk management strategies and best practices, and how to build better governed, more risk-aware, compliant, and resilient enterprises that thrive on risk.
Unsurprisingly, cyber risk has emerged as one of the top risks faced by organizations today, and risk leaders believe that it will continue to dominate the risk strategies going forward. To that end, security experts discussed some of the key considerations for ensuring a robust cybersecurity program:
- Aligning cyber strategy with business goals and objectives.
- Positioning CISO and security leaders at the right level so that they can better focus on their core responsibilities.
- Ensuring that CISOs and the security team provide frequent updates on the cybersecurity posture to the board so that there is no communication gap.
- Quantifying cyber risks for prioritizing risks and controls and determining how much to spend on each control.
- Increasing transparency into employee communications so that they have clarity not only on corporate policies but also how a crisis is being managed
The best-prepared organizations in the world today are those that use risk as their competitive advantage. Quantifying cyber risks in a manner that makes sense to the executive board and helps them make sound cybersecurity investment decisions is critical for organizations to thrive in today’s digital world. The Cyber Risk Quantification capability of MetricStream IT and Cyber Risk Management can make it considerably easier for organizations to quantify cyber risks in monetary terms, which can then be easily communicated to the top management and board.
To download the report, click here. To watch the summit, click here.
Jump to Topic
Related Resources
Blogs
Making the Right Investments by Quantifying your Risks
- IT Risk & Cyber Risk
- 22 July 21
3 min read
Introduction
Organizations today need to optimize their risk rather than focusing on avoiding the risk – to know which risk should be accepted to enable business success and create value.
When it comes to cyber risks, one of the biggest challenges security professionals face is communicating the associated financial impact to the decision-makers. Assigning a dollar value to cyber risks will better equip the executive management and board to prioritize the risks, drive a stronger alignment between business priorities and cyber investments, and ultimately, make risk-aware decisions.
At MetricStream GRC Summit June 2021 Edition, Gavin Grounds from Verizon joined us for an exciting discussion on how organizations can thrive on risk to get a competitive edge.
In this blog, we have highlighted the interesting points from the discussion on how quantification can help in making the right security investment decisions.
What are some of the key challenges?
Regardless of whether it is a large organization or a small, one of the common challenges across all organizations in the area of cybersecurity is prioritization, Gavin said.
Organizations today face thousands of risks and a key challenge is to ascertain which of those is the biggest priority. Likewise, they might have hundreds of controls and they need to define the importance of these controls and determine how much to spend on each control. Every dollar they spend on these controls should be justified with the benefits/advantages realized. Because they have a finite budget, they need to use it in the most optimal manner.
How to start with Cyber Risk Quantification?
The primary objective for the CISO is to drive overall risk down and drive better-informed business decisions. And, cyber risk quantification can greatly simplify the process by quantifying risks in monetary value. As an example, suppose you got a business opportunity of $100M with $1M cyber risk, you can easily see the overall value of $99M and make your decision to go ahead or not. But if you represent your cyber risk in a way like 3 are critical, 5 are high, and 3 are mid risks, in that case, it's difficult to calculate the overall business value of that business opportunity and you might miss the first-mover opportunity on that business.
Prasad Sabbineni, EVP, Product at MetricStream, added that CRQ is the natural extension of the quantitative assessment (high, mid, and low-risk heatmaps) that organizations have been doing as all these factors serve as input to the model to calculate the dollar value of the associated risk. When asked about how organizations can start with CRQ, Prasad suggested that organizations can start small – select key risk areas and apply this quantitative technique to see the results. Once they understand the results and their value, they can gradually expand to other risk areas.
How MetricStream helped one of the largest telecom companies in their decision making
With MetricStream Cyber Risk Quantification (CRQ), a U.S. telco giant was able to make their cybersecurity decisions 50% faster by quantifying the dollar Impact of cyber risks.
MetricStream helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.
This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.
Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.
Conclusion
CRQ is important for every organization irrespective of the size and industry. With the interconnected fast-paced digital economy, organizations are exposed to many new risks. Prioritization and communication of risk will help in better decision-making and provide a competitive advantage in the market.
Jump to Topic
Related Resources
Blogs
Cyber Resilience in 2021
- IT Risk & Cyber Risk
- 09 July 21
3 min read
Introduction
Resilience is the ability to adapt to change and respond quickly and effectively. Cyber resilience is more than just preparing—it is ensuring that your business will still thrive in an attack. Too many organizations only concern themselves with ensuring that they have a SIEM (Security information and event management) and or SOC (Security operations center) in place. This is of course very important, but it will not ensure reliance in the event of an attack.
[Read More: Resilience Management as The New Paradigm for Cybersecurity]
Resiliency requires so much more. Risk assessments should include how vulnerable the business itself is there is a breach or ransomware attack. What confidential information could impact the business if it were to be breached? Some examples include blueprints for a new product design that is going to be launched or plans to purchase another organization.
In addition to a SIEM and SOC, the business units should also be trained on recognizing irregularities that could signal that the integrity of data has been affected. They also need to know how to report it so that the event can be investigated.
Each business unit needs a cyber response plan to allow for resiliency. There have been many organizations that were not able to respond effectively to a ransomware incident. A business unit cyber response plan is different than the business continuity response plan. It includes action steps of each business unit will follow when they are affected by a cyberattack.
The organization also needs a great cybersecurity incident response program, which includes policy and program documentation as well as playbooks for insider threat activities, regulator audits, lapses on data governance, and cyberattacks that are applicable to their domain.
[Read More: Four Key Areas to Achieve Cyber Resilience]
ISO 22316 Security and Resiliency Management and ISO/IEC 27035 Incident Response are two of the recommended standards to consider implementing as part of an organization’s cyber resiliency preparation. ISO/ IEC IT Corporate Governance is a good guideline for senior management and the board to implement in order to avoid hefty fines for poor governance. MetricStream enables organizations to align with established standards, empowering with pre-packaged content for necessary frameworks, making the solution up and running on Day 1.
Business continuity management and information/cybersecurity have to be more aligned in identifying risks. The business units understand what information they have in a database that is more likely to be sought in a cyberattack. Business continuity departments should include questions in their risk assessment surveys and interviews pertaining to what information does each business unit has that is PII or PHI or organizational confidential and work with disaster recovery teams to document which databases it resides.
While a business continuity plan may list an application as tier 1, in an incident where a database has been attacked, the cybersecurity teams may not release it in recovery when the business units need it. Cyber teams may need to do forensics or if they deem that there is malware the backups may need to be checked before they can be used. For instance, in the case of an attack was made months ago, even if just identified, all of the backups from the time of the attack may also be affected.
In summary, a good cyber governance program is needed coupled with a good cyber resilience program.
[Read More: CYBER RESILIENCE BEST PRACTICES: Connecting the Dots beyond Cybersecurity]
Jump to Topic
Related Resources
Blogs
Kaseya Ransomware Attack: Is Your Organization Prepared for Third-Party Cyber Risk?
- IT Risk & Cyber Risk
- 07 July 21
3 min read
Introduction
Yet another cybersecurity incident has highlighted the vulnerabilities of the extended enterprise. Just ahead of the Fourth of July weekend, up to 1,500 businesses worldwide fell victim to a ransomware attack centered on U.S. information technology firm Kaseya.
Understanding the Kaseya Ransomware Attack
What happened:
Kaseya is a provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs). In a statement dated July 05, the company said that its VSA product was compromised in a sophisticated cyberattack, allowing the hackers to cripple the end customers with a massive ransomware attack.
Who is responsible:
As per reports, hackers from a cyber adversary group, REvil—the threat actors who were purportedly also behind the ransomware attack on JBS last month, were able to compromise one of Kaseya’s tools. They have reportedly demanded $70 million to restore the data.
The impact:
In a press release, Kaseya said, “While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure...Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”
In a statement, the U.S. Cybersecurity and Infrastructure Agency (CISA) said that it was taking action to “understand and address the recent supply-chain ransomware attack against Kaseya VSA”, adding that it “encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers.”
The UK's National Cyber Security Centre also issued a statement saying that they are “working to fully understand this incident and mitigate potential risks to the UK.”
The Growing Third-Party Cyber Risk
Security breaches via third parties are growing at an alarming rate both in terms of volume and sophistication. The major underlying reasons are the growing reliance on third parties for mission-critical goods and services and the amplified digital interconnectedness of organizations, further spurred by the COVID-19 pandemic.
The SolarWinds hack, the security breaches at Microsoft and Accellion, and now Kaseya, underscore the increasingly precarious digital environment businesses operate in today and how a security incident at one organization can quickly travel and paralyze several other connected businesses. According to the 2021 Ponemon Institute report, more than half of the survey respondents said that their organization has experienced a data breach caused by third parties.
Technology-Driven Approach to Third-Party Risk Management (TPRM)
Organizations today need to be proactive regarding the management of their third-party relationships and extended enterprise. Here are few key considerations for an effective TPRM program:
- Establishing a common nomenclature for onboarding, assessing, monitoring, and off-boarding third parties and centralized repository of all related information
- Ensuring clear and comprehensive documentation with well-defined clauses that provide clarity to third parties on what they need to do, including how to handle sensitive data after the contract has terminated.
- Implementing an effective third-party onboarding process which will help ascertain if the third parties are financially stable, secure, regulatory compliant, and more.
- Categorizing the third-party vendors based on the extent of their access to critical assets and impact on an organization’s margins and profitability
- Ensuring efficient fourth-party risk management to ensure visibility into the portfolio of the fourth and subsequent parties, identify the critical ones, and perform due diligence and raise red flags on an ongoing basis
A technology-based TPRM solution, embedded with these capabilities, can considerably simplify, structure, and streamline managing the entire third-party lifecycle—from their onboarding to contract termination. This approach will help organizations enhance their visibility into the risks posed by the third and subsequent parties and accelerate responses to risk events.
MetricStream helps organizations effectively manage third-party risks with its Third-Party Risk Management product. Its key capabilities, including Continuous Third-Party Monitoring, Periodic Third-Party Due Diligence, Intuitive Dashboards, and Reports, empowers organizations to protect their business from existing and potential threats from third parties, as well as strengthen resilience, contain costs, and optimize business performance. To request a demo, click here.
Read More: Boosting Third-Party Risk Management in a Time of Uncertainty (eBook)
Jump to Topic
