A guest post by MrR3b00t, aka pwndefend’s Daniel Card
In today’s rapidly evolving cybersecurity landscape, it seems that barely a day goes by without news of a new breach notification, from minor to major incidents, affecting organizations of all shapes and sizes. In the not too distant past (think early 2000s), most organizations stood up a perimeter firewall, deployed some antivirus and thought that rotating passwords every 30 days was enough to protect them. Since then, technology has been deployed at an ever increasing pace, threat actors have got more sophisticated, and regulations and compliance have become increasingly mandatory.
On top of that, due to the dominance of internet connectivity in modern day commerce and the provision of online services, many businesses have become digital providers, and that adds a whole extra dimension to their cybersecurity management and practices. Such businesses are not only primary targets for all kinds of data theft threats including ransomware, they are subject to increasing scrutiny by both customers and regulators.
It’s no surprise, then, that even well-resourced organizations find it difficult to keep up with security management and compliance requirements for modern service providers. And if you’re just starting out, trying to evaluate where you are and what you need to do to get up to speed before either the bad guys (threat actors) or the good guys (regulators, assurance tests) catch up with you can be a daunting task.
In this post, we look at what an organization that hasn’t really considered security up till now (for whatever reason) can do to help themselves not only increase their security posture but also prepare for a customer conducting some level of cyber assurance review on their organization. If you have yet to invest time or resources, do not have processes and procedures in place, and/or have a massive gap in your documentation levels, you will likely get a very hard time during and following an audit. It’s time to put this right!
What is the Nature of Your Business?
If you are a shoe repair business that has a mainly non-digital service, your requirements will likely be low. The same can be said for a range of other organization types. However, let’s look at the type of organizations that are likely or certainly going to have compliance and audit requirements:
- Independent Software Vendors
- Cloud Services Providers (IaaS/PaaS)
- Software as a Service Providers (SaaS)
- Hosting Companies
- Managed Services Providers (MSP)
- Services forming part of the supply chain to government digital services
- Services forming part of the supply chain to healthcare services
- Services forming part of the supply chain to CNI
- Business where sensitive data are being controlled or processed at volume
- Financial Related Services
- Payment Services Provider
- E-Commerce Trader
- Pension Services
- Any regulated industry
The key differentiator here is where you are providing and operating a service for your customers. If you are providing an advisory service or your digital footprint and data processing levels are low, you will likely be able to manage by achieving something like the UK’s Cyber Essentials or equivalent.
If you write software or host services (e.g. SaaS), then you need to have security management in your business plans. That’s not me saying it, that’s markets demanding it. The old days of HR buying a service because they “like the look of it” still exist, but they are on their way out. Organizations are waking up to their digital security obligations (there are legal requirements – this isn’t a matter of choice) as well as the shifting marketplace forces which are now insisting providers operate services securely and with privacy at the forefront.
Four Simple Questions for Rapid Assessment
- Would You or Could You Pass Cyber Essentials/Cyber Essentials Plus?
If the answer is “no” then you need to pull your socks up (there’s a security pun in here somewhere). No, seriously. This is where you start as a bare minimum.
- Do You Meet the Standards Required for PCI DSS?
This is obviously quite complex as there are different levels and standards, but the acid test here is would you meet the lower bar for PCI compliance e.g., SAQ A?
- Would You Pass ISO/IEC 27001:2013?
Remember that for ISO/IEC 27001:2013, you will need to show ~ 3 months’ worth of evidence that you practise what your documents say. Whilst you could likely game this part (a bit like using a non-ACAS approved accreditation body), never forget this is your business and your customers that you are short changing in the long run.
- Would You Pass a SOC2 Audit?
Not for the faint hearted, these audits require substantial investments. This means they should form part of your business plan and not just be tacked on.
So What Does a Security Audit Look Like?
The first thing with any scenario is taking stock. If you have managed to conduct business so far without the beady eye of third party audits and security assurance activities, then your margins were probably healthy. At some point, a customer is going to ask for assurance and due diligence information. For many organizations, this is a prerequisite to their doing business with you at all.
This will generally flow like this:
- the customer may conduct open source intelligence gathering
- request for a Self-Assessment Review / Due Diligence Form
- more detailed evidence requests
- third-party audit
- customer audit
Now depending upon the nature of the business, there may be a range of different activities. I can speak from my experience with supply management that this is how I operate:
- I assess the services and the risk level for the business
- I determine a likely assurance level
- I conduct due diligence exercises
- If red flags are raised, I generally move further down the assurance level route
From someone who has and does conduct assurance activities for customers looking to review their supply chain risk, I can only talk based on my experience; however, I can say this:
- If I can’t find details about your security management capabilities and certifications on your website, I dig further.
- If you evade or refuse to share documents such as change management policies/processes etc, I dig further.
- If you try and hide behind “we can’t share policies or processes due to security” I raise another red flag.
- If you don’t have documentation or can’t reasonably rapidly provide evidence, then I consider as a rule that you don’t manage risk and security to a reasonable level.
I must also add that willingness also goes a long way. If you don’t have the relevant certifications, standards, and capabilities today, that’s not to say you can’t achieve them. Honesty and integrity go a long way in my book.
That’s a view of how it works from a practitioner perspective. You must remember, though, it all depends on the nature, sensitivity and risk level of the services being provided or sought. Assurance efforts should be scaled appropriately to the level of risk the contract or service provides.
When assessing cyber security management and compliance requirements, you need to look not only at your business risk and model but also at your customers and make informed decisions about how you can provide assurance, not only to your board but also to your customers.
Manging cyber security for non-micro businesses where you control and/or process customer data, provide managed or hosted services means you will almost certainly need more than a note saying you think your services are secure if you want to do business with larger organizations.
Hopefully, this post helps people understand a bit more about the assurance space. Cyber security management is a business challenge and capability; it’s not just a technical thing!