A real life case study


During day two of the Computing Cyber Security Festival, Sam Woodcock, Senior Director of Cloud Strategy at 11:11 Systems, and Goher Mohammad, Group Head of Information Security at L and Q Group, discussed the origins and impact of a cyber-attack that L & Q recently experienced via one of their third-party relationships. We’ve all read the playbooks for these scenarios, but real life can unfold rather differently.

Goher Mohammad explained what happened.

“We had a situation where a third-party supplier was hit by an extortion attack. L & Q are a social housing provider and we need to conduct works on our homes. The company concerned provide a platform for that. As a partner, this third party was in receipt of L & Q data. An attacker infiltrated their environment and compromised their network.

“This meant our services were impacted. We had done due diligence and weren’t directly impacted, but the third-party compromise meant that we were operationally impacted. We’re in this wonderful new world where we work with SaaS and other cloud providers to give us agility but it also means we’re at risk if they don’t do due diligence.”

This story illustrates the extent to which third-party suppliers and partners can increase the risks facing organisations. How best to evaluate these risks?

“Third-party assessments are absolutely critical,” said Mohammad. “We need to treat third parties the way that we’d treat our own systems and solutions. We can’t assume they’re going to do a good job. They are an extension of our own technology offering and service.

“Partners get frustrated when we hit them with a detailed questionnaire but ultimately it’s critical because it gives you an understanding of where they are. If organisations don’t conduct those assessments and the worst happens it’s going to be very difficult to explain yourself to regulators, auditors and investors if something goes wrong.”

Sam Woodcock agreed, and said that spending time in this due diligence phase would ultimately pay off, even if it slows down the initial engagement.

“As an MSP, we spend a lot of time with our compliance teams and security teams helping build confidence and working through those questionnaires and digging deeper into the individual elements you might want more information on. You need to have that trust and partnership and to me it defines whether it’s a partner you really want to work with.”

Agility of response is crucial

Goher Mohammad used a very famous quote by the boxer Mike Tyson to illustrate the importance of an agile approach when dealing with cyber security incidents.

“Everyone’s got a plan until they get punched in the face. That’s never truer than when you’re dealing with an incident, whether it’s your incident or a third party. When we were affected, it was every man and woman for themselves to try to understand what had happened, why and how we got back to operations because it was affecting one of our core services.

“We had a plan but when you’re still at the pilot stage and it’s a new third party, you’re still developing the business continuity plan for that service. You don’t plan that months ahead of time. For me one of the key takeaways is that you have to be agile because we were finding out information as part of this incident. We knew we provided a subset of data to that third party. We asked them to verify the data that they held about us. When they provided that, it wasn’t what we expected. It just wasn’t in the playbook. It is now but the next incident might be completely different.” 

Both Mohammad and Woodcock agreed on the necessity of expecting the unexpected and avoiding wasting time by fighting your own playbook as you respond. Woodcock talked about the importance of a multi-layered approach to security.

“At 11:11 we have that multi-layered approach. When we look to define that approach we look to industry standards like the NIST framework for security, which provides a defined, staged approach to security. If you haven’t got a cyber security resilience strategy, look to industry frameworks and align technology partners to help you along that journey.”

However, Mohammad issued a word of caution against becoming too rigid as a result of sticking too closely to a framework.

“People can get very fixated on frameworks but remember that they’re frameworks not mandates.”

The best way to get to the right place is to understand your organisation and adopt the right elements of each framework. According to Mohammad, there is no one size fits all framework.

“With our own incident we were very honest and open with our clients. I recommend being honest after an attack because people are more understanding than you think. We reached out to more than 60,000 residents and only 20 people got back to us to express concern. Being honest and open helps with the reputational impact.”

Certainly, some very high-profile attacks in recent years have lingered in the public imagination at least partly because the companies concerned failed to be up front with the customers whose data had been compromised. Having information dragged out of you by the media or via legal action taken by those affected isn’t a great look.

As Woodcock noted:

“If something does happen and you let it linger and don’t warn people that they can be impacted themselves it can create a double hit on reputation.”

Closing thoughts from the pair covered the importance of relationships across a business – security doesn’t begin and end with security teams. It’s a cliché, but the security tripartite of people, process and technology is there for a reason.

This holistic and collaborative approach should be extended to third parties, because ultimately, it’s your brand on the line.
