As part of the Forensik Conference 2020, he led a roundtable to raise awareness among companies of the various risks they incur when their IT supplier is the victim of a cybersecurity incident. With contributions from Laure Bonnave, Lawyer at Clyde & Co, Othmann Layati, Cyber Risks Manager at Beazley Canada, and Jean-Simon Gervais, Cyberinvestigation Expert, he set out to address the likelihood of such an event by introducing the key questions to ask from the legal, cyber insurance and technical points of view. Their statements should help you validate that you have the right IT partner, and thus strengthen your cyber resilience.
Here are the 3 key points to remember:
Indirect cyberattacks: a threat not to be underestimated
So-called indirect cyberattacks have multiplied in recent years. Attackers increasingly exploit the trusted relationships established between partners to reach the information they covet.
Many organizations rely on the skills of their IT provider to manage their systems. Having delegated that responsibility to experts, they develop a relationship of trust in the belief that the security of their information systems and data is in good hands. But did you know that IT providers are among cybercriminals' most common targets? Your organization could therefore become a victim indirectly.
Whatever the size of your company, the threat is real.
It has become difficult to get through the front door of large corporations. Cyberattackers have therefore started to break into IT suppliers, where security measures may be weaker, and from there reach the targeted company.
And working in an SME does not mean that your organization will be spared. Depending on the number of customers your IT supplier has, that partner becomes an attractive prey for attackers, and each of its customers is exposed along with it.
While the service provider model lets you match services to your specific business needs, it introduces other types of risk that can be fatal to your organization.
What are the risks should your IT suppliers be the victim of a security breach?
For example, in the event of a ransomware attack on your IT supplier, cybercriminals very often make sure to exfiltrate the data of the targeted company, and consequently your own data as well, before encrypting it and demanding a ransom.
The risks are high in the event of a cyber incident at your IT supplier because the attackers could subsequently attack your organization as well, using the supplier's access to break into your systems and reach your sensitive data: banking information, patents, personal information about employees, clients and partners, before exfiltrating and encrypting it in turn.
This is a chain reaction that can generate a real disaster.
Other scenarios are possible such as an insider threat or a competitor trying to steal data.
How to prepare for and reduce the risks to your organization in the event of a cyberattack on your managed IT service provider?
Do you know how ready your IT partner is for such a scenario? Will you be treated first or last? What will happen to your data? These are all questions to ask yourself to ensure that you are working with the right IT provider.
Matthieu recommends assessing the cybersecurity risk separately from the service being provided. When dealing with several partners, you must refrain from putting all your eggs in one basket.
You need to make sure that your partners have implemented the right security measures and adopted best practices for responding to an incident. Remember, in the event of a cyberattack, every minute counts in reducing the risk to the organization and its stakeholders.
It is therefore important to have contractual levers entitling you to receive all the relevant information: incidents, issues raised in the management of data security, …
For example, access to audit reports lets you ask the right questions on the basis of reliable information, and thus properly evaluate your partner.
You should also verify that your provider is covered by cyber insurance. From a contractual point of view, this is an essential element to take into account. There are different types of policies. A basic policy typically covers the costs associated with responding to a cyberattack: legal experts, press relations, customer service, a call center and of course the specialists who will help you get back on your feet.
Matthieu also recommends implementing protocols such as:
- cybersecurity incident management and response plan;
- business continuity plan;
- disaster recovery plan.
Another point, and not the least: in a cloud model, you still have the responsibility to protect your data. Yes, you are delegating, but you remain accountable for data leaks, loss of service and other negative impacts. It is up to you to properly configure your cloud environments and their access controls, for example by enforcing two-factor authentication, among many other security measures.
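As an added illustration of that shared responsibility (this is example code written for this summary, not something presented at the roundtable), the script below audits the identities in a cloud account for the two controls you cannot delegate: console users without multi-factor authentication and long-lived access keys. It assumes AWS, reads the CSV that `aws iam get-credential-report` returns after base64 decoding, and uses a constructed sample report with invented users (including a fictitious `msp-admin` account of the kind an IT supplier might hold in your tenant). The 90-day key-age threshold is an assumption, not a figure from the page.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report.
# All users, ARNs, dates and the account ID are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2020-11-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-05-01T00:00:00+00:00,true,2020-11-02T09:00:00+00:00,2020-06-01T00:00:00+00:00,N/A,true,true,2020-09-01T00:00:00+00:00,2020-11-02T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
msp-admin,arn:aws:iam::123456789012:user/msp-admin,2018-02-01T00:00:00+00:00,true,2020-11-03T09:00:00+00:00,2018-02-01T00:00:00+00:00,N/A,false,true,2018-02-01T00:00:00+00:00,2020-11-03T09:00:00+00:00,us-east-1,iam,true,2019-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2020-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-10-15T00:00:00+00:00,2020-11-03T09:00:00+00:00,ca-central-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Rotation threshold for this check; an assumption, adjust to your policy.
MAX_KEY_AGE_DAYS = 90


def parse_time(value):
    """Parse the report's ISO-8601 timestamps; placeholder values give None."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_text, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for identities that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        # The root user reports password_enabled as not_supported, but it
        # always has console access, so it is never exempt from the MFA check.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root access key {slot} is active"))
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
    return findings


def audit_sample():
    """Run the check over the constructed sample as of 2020-11-04 UTC."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2020, 11, 4, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

On the sample, `alice` and the key-only `svc-backup` pass, while the root user and the supplier's `msp-admin` account are flagged for missing MFA and `msp-admin` additionally for two access keys that have not been rotated in years. Run against a real report (passing `datetime.now(timezone.utc)` as `now`), the same check gives you a concrete list to raise with your provider rather than a vague assurance that access is "secured".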
Should you need support to assess your partners and your IT supplier, or should you want assistance to help you prepare your cyberattack response plans, business continuity plan or disaster recovery plan, we invite you to contact us.