Five Reasons Why Your IT Outsourcer Isn’t Keeping You Cyber Secure (and neither is your internal IT team)
Posted on 08.11.17
By Chris Moschella, Senior Manager, Risk Advisory Services | Keiter Cybersecurity Team
Why do we care about cybersecurity in our businesses? First and foremost, cyberattacks result in corporate losses. Some of the most common forms of loss stem from:
- ransoms paid
- accidental fund transfers from wire fraud scams
- stolen data resulting in the purchase of credit monitoring
- fines from regulators
- lost customers and employees from brand damage
- litigation costs
… and the list goes on.
Of course, we also care about cybersecurity because it is the right thing to do. At Keiter, we actually like our clients. Imagine that! Our kids play sports with our clients’ kids, we participate in the same industry groups, and we live in the same neighborhoods. We do our best to protect our data because it is in our own financial interest—and it is just the right thing to do to protect our clients.
So, whose job is it to protect client data?
At Keiter, our IT team obviously has a huge role in defending the organization. They are responsible for ensuring we have appropriate technical defenses against intrusion, for example, the configuration of firewalls, secure networking, and anti-virus.
“It is a mistake to think that your IT team or
IT outsourcer alone can keep you secure.”
Many organizations have the mistaken presumption that cybersecurity is entirely the responsibility of the IT team and the outsourcer. The reality is that cybersecurity is equal parts corporate governance, technology/people/process, and legal/insurance considerations. Quite simply, it is a mistake to think that your IT team or IT outsourcer alone can keep you secure.
Here are five activities your IT support are unlikely to do yet are critical to organizational security.
1. Corporate Governance
Cybersecurity is complex for a variety of reasons. There is an enormous technological challenge, but there is also organizational and management challenge to manage those technological challenges. For example:
- Whose responsibility is it to patch Windows? How often is that person supposed to deploy the patches? Who is monitoring to ensure patches are deployed timely?
- Whose responsibility is it install and update anti-virus applications on user computers? How often are virus definitions updated? Who is notified if a virus is discovered? How does the organization respond if there is a virus?
- Whose responsibility is it to ensure data is backed up? Whose responsibility is it to ensure that the cloud backup provider has implemented good security practices? Whose responsibility is it to test backups periodically to ensure critical systems can actually be brought back online? How frequently must those tests occur? Who reviews the results of those tests?
These types of questions should be outlined in company policies and procedures. Believe it or not, creating all that paperwork does actually serve a purpose.
Though no guarantee, formally assigning responsibility to perform a task is also assigning accountability, which is a good way to ensure that a task is actually performed. It is also empowering. IT support staff are rarely the power brokers of an organization. When employees, especially powerful ones, request access to, for example sensitive resources, IT staff should be empowered with formal processes and procedures that have been blessed by management to verify that access is appropriate before granting it.
The tip of the governance spear are your organizational leaders. An organization with strong cybersecurity governance practices sets an important tone for the organization. It isn’t a given that just because something is important to management, that thing will also be important to all of an organization’s staff. But the inverse is almost always true. If something is not important to management, it will almost certainly not be important to staff.
2. Training and Education
According to Trend Micro, the vast majority of data breaches start with someone being targeted in email. Additionally, all scams, including wire fraud scams and W-2 fraud exploit people rather than systems. Even ransomware ultimately requires an individual to open an infected file.
Quite simply, nearly all successful attacks exploit people before they target systems. And the IT support staff whose day to day activities may include helping you reset your password, recover your accidentally deleted files, and connecting your computer to the conference room projector simply are not thinking about implementing comprehensive and continuous security awareness training program.
Organizational leaders need to put on their risk management hats from time to time and push these initiatives.
There are many flavors of security awareness training. The most robust option for most companies combines annual in-person or virtual training with periodic simulated phishing campaigns to test, educate, and keep staff on their toes.
3. Vendor Management
Another organization risk management activity critical to cybersecurity is the review of service providers. Organizations today outsource business functions that used to be performed in-house. Some common examples include maintenance, payroll, janitorial services, and line-of-business applications. Due to the diversity of the types of service providers businesses retain, your IT team and your outsourced IT provider are simply not in the sphere of responsibility that would include review of all vendors. For example, the Target hack began with login credentials stolen from an HVAC provider. Whose IT team is performing risk management over their HVAC provider? Probably no one’s.
Risk management is a corporate function. Your IT team should only be called upon for risk management support when their specific expertise is required to evaluate a specific vendor.
4. Contractual Language
What is in the contracts your organization signs for services/products you sell and services/products you acquire? Have you promised to indemnify any one if you suffer a breach? Have organizations with access (physical or logical) to your facilities promised to indemnify you if they cause a data breach?
Remember that an important goal of cybersecurity is to mitigate corporate losses in the event of a data breach, and implementing the appropriate legal review of your contracts is an important part reducing your legal liability. It probably goes without saying, but your IT team is not moonlighting as attorneys, and it would be grossly unfair to them to ask them to weigh in on the legal implications of your contracts.
5. Cyber Insurance
Your IT team and your IT service provider are in the business of preventing attacks and recovering quickly if they do happen. They are not in the business of establishing corporate financial backstops if a breach were to occur. Cyber insurance is that backstop.
Cyber insurance is becoming more popular and it is an important risk mitigation tool used by many businesses today. But the policies have an enormous amount of variation. Some are simple, and others are complex, weighed down with heavily nested definitions, conditions, and terms of art. Chances are you need either a cyber-savvy in-house counsel or, even better, an attorney with cyber insurance expertise to evaluate existing or potential policies to verify that you are covered where you have risk.
The prevailing mentality of too many organizational leaders is that cybersecurity is the IT team’s job. The IT team and/or your outsourced provider certainly carry much of the responsibility, but it is a mistake to think that they have all the tools to protect an organization from cyber losses.
Cybersecurity is a risk management function, and as such, it requires buy-in and action from executive leadership, continuous staff training, careful consideration of your vendors and contracts, as well as a trained eye to examine your cyber insurance.