What is the biggest problem with Cyber Security right now?


To approach this question, I interviewed Peter (Pete) Maynard, CEO of CyberMetrix. Pete is a digital transformation pioneer with a 30-year career addressing emerging challenges within the cyber security industry.

CyberMetrix is a Risk Management Solutions company that enables confidence and security in today's modern ecosystem.

In answering the question, Pete summarised the problem as 'long tail suppliers' and told me a story:

"In 2013, U.S. retailer Target reported a massive network intrusion and data theft, resulting in over U.S. $260M indirect financial loss and a further U.S. $25M in fines. The entry point? Fazio Mechanical, a small refrigeration services company, with less than 50 employees."


To summarise the implication: the big end of town (i.e., Target) has good cyber security hygiene, and the attackers did not need to beat Target's own controls; they came in through the vendor's. That level of maturity is unachievable for the average SME vendor, and the average supply chain is "90-95%" SMEs.

Your security is only as strong as the weakest link in your supply chain.

In a world of ever more interconnected systems and API-first integration, data flows in and out of upstream and downstream systems all too easily, and often unprotected.

So, how does an enterprise like Target ensure its vendors are compliant without creating an ecosystem that is out of reach for the average SME? Your first thought may be to implement a Standard.

ISO Standards

So, what is the Standard?

Well, it's a high bar. ISO/IEC 27001 (Information Security Management) is commonly accepted as the industry standard. We are undertaking this process ourselves, which takes several years and costs a significant upfront investment in audits.

Pete explained that he had also started the process for CyberMetrix. But after 18 months with little progress and not much to show for it, he canned the project.

Third-Party Cyber Risk Management

Next on the list is TPCRM (Third-Party Cyber Risk Management). Passing the enterprise's TPCRM assessment is, in effect, the ticket to trade with that organisation, and it can make it VERY hard for an SME to supply an enterprise.

I'm not sure if you've ever received a government cyber audit during the tender process... The audits usually equate to a spreadsheet with thousands of line items, for each of which you have to confirm compliance or, if you can't, explain why.

Even as an I.T. company, I've seen the pain on our CTO's face trying to answer these, let alone anyone who isn't running a tech business.

So, also a high bar.


ASD Essential Eight

The next option is to look at government advice.

The Australian Federal Government focuses on the ASD Essential Eight. The model has maturity levels (Maturity Level Zero to Three), but the Essential Eight are technical mitigation strategies (application control, patching applications and operating systems, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication and regular backups); it doesn't address cyber as a whole-of-business risk.

The last option Pete suggests is changing the way SMEs look at cyber. Traditionally the entry point was I.T., so cyber was treated as a function of the I.T. managed service provider. Pete suggests this is the wrong approach, as the problem comes down to people and governance.

People & Governance

There are a few essential things that every business can do.

Good governance can save the company: have an incident response plan, and train people in good cyber hygiene.

Regarding the models above, Pete recommends a simplified downstream TPCRM approach for enterprises, focusing on the long tail of suppliers, in two steps:

1 - Categorise

Decide the level of certification you require each supplier to hold, using a categorisation matrix (for example, by the sensitivity of the data a supplier handles and the access it has to your systems).

2 - Certify

Have SME suppliers follow the Cyber Security Certification Australia (CSCAU) process to meet the level you defined for them.

To achieve a strong supply chain, the process needs to be led from the top down.

If enterprise customers request this from their vendors, and from their vendors' vendors, in an easy and fair manner, it will improve the maturity of most SMEs.

In short, it comes down to asking yourself one crucial question: how are you validating your vendors' cyber resilience, and that of the vendors who support them?


ABOUT THE AUTHOR

David Burkett

Growth enthusiast and resident pom
