Looking in the mirror: Taking responsibility for security assessment
"Organizations are best served to think about cybersecurity as a business risk," said Sunil Chand, director of Cybersecurity at Grant Thornton
TORONTO—Cybersecurity is top of mind for most Canadian businesses, and a comprehensive program is essential to surviving in the digital age. However, a cybersecurity program is not something that can simply be established and forgotten about. Regular checks, assessments and updates, in response to evolving threats, are critical to ensuring an effective program stays effective.
Not only is regular inspection and maintenance good for individual firms, it’s something clients demand. If a company wants to ensure that a potential partner’s security practices are up to snuff, they may even want to check for themselves, either by conducting their own investigation or recruiting a third party to perform an audit.
“What we see happening more and more is our clients getting into business with vendors and including in their contracts the right to audit, to be able to go in themselves or send in external parties like ourselves to do security, controls or process reviews,” said David Florio, operational advisory partner at Grant Thornton.
This level of scrutiny is understandable. If a company outsources the handling of data, they want to know that data is in capable hands.
Florio says it’s essential for companies to understand what security measures are in place with the vendors they are doing business with.
“You might be outsourcing to a data center. You might outsource your managed network services, or other forms of processing that include transferring, moving and storing sensitive information of either the organization or your customers and clients,” said Florio.
He continued, “But if there is a breach, and your customer information is out there in the open and it’s compromised, they are (your customers) not necessarily going to the data centre that your servers are sitting at, they are coming to you.”
Florio says that companies can outsource processes and controls, but they can’t escape responsibility if something goes wrong.
For this reason, it is crucially important that companies hold the vendors who handle their data accountable, but reviewing a vendor’s security practices costs money.
Figuring out who pays for this assessment—the party handling the information or the party outsourcing the job—is quickly becoming a standard aspect of contract negotiations.
Florio says that he’s seen companies walk away from deals because they couldn’t get assurance that the other party had adequate security measures in place. He cautions that whoever ends up carrying the costs, a provision for an assessment is essential to have in a contract outsourcing information processing.
Satisfying Client Demands
Sunil Chand, director of Cybersecurity at Grant Thornton, says that smaller businesses need to have active security controls in place to meet the demands of large clients.
“Small businesses need to understand that this is not something that can be ignored any longer. It’s something that’s going to be pushed down by larger business partners,” Chand said.
He continued, “Big firms are calling out small firms. ‘You said in the agreement that we have now that you do regular (security) checks, now show me.’ You don’t want to be in a situation where at the 11th hour you are scrambling to show them.”
Firms need to be equipped to respond to any and all security concerns their clients, partners or customers may have, and that means conducting regular security reviews.
At the very least, Chand says that on an annual basis, firms should refresh their security framework to assess new threats.
Florio says that quarterly health checks are a good idea as well.
Whether it’s through an annual review or quarterly checks, self-assessment is proactive and prudent. Firms waiting for an external audit from a prospective client to discover weaknesses in their security system are putting themselves in a position to lose business.
Florio asserts that firms need to have the right people in place to perform self-assessments and to communicate their findings effectively.
“The challenge we see is that a lot of these assessments are very technical in nature, and the results of these reviews are very technical. Then they get shared with other people outside IT and security, and there’s an interpretation issue. It’s critical to have the right people do the assessments, interpret the results, put them in a form that others who aren’t in the IT area can understand and link what impact that’s going to have on the business going forward,” said Florio.
A Proactive Approach to Security Assessment
Taking a proactive approach to security assessment is easier said than done. The resources required for internal reviews, checks and recalibrations are considerable, and this can be a significant challenge for smaller firms.
Chand says that although most small firms don’t have cybersecurity specialists on staff, it’s possible to outsource that expertise, even if it’s not on a full-time basis.
“Take somebody for a week, or three days a month, and borrow that expertise to educate yourself on the threat landscape,” Chand said.
He also says that if a firm has a third party managing its cybersecurity, making sure that maintenance and patching are built into that contract is essential. Using independent reviewers to ensure that security providers are doing their jobs properly is also prudent.
Ultimately, security systems need to be continually updated to account for new threats and vulnerabilities. If this is not happening within the framework of a cybersecurity strategy, it’s time for that firm to reassess. Company safety and business relationships are at stake.
Chand says that firms need to move beyond the realm of the technical when thinking about digital security.
“Organizations are best served to think about cybersecurity as a business risk,” he said.