The recent cybersecurity attack in Ireland highlights the growing trend in destructive attacks we are seeing across the board, not least those targeted at financial institutions.
Whether the attacks are targeted or opportunistic, the most common point of weakness is basic routine hygiene:
A successful attack can often be avoided if reasonable protective defences are in place.
Understanding one’s end-to-end architecture and infrastructure not only reduces the success of potential attacks, but also lends itself to IT framework optimisation. Alignment to ITIL or 6 Sigma, for example, can ensure a clear understanding of your asset inventory, their configuration, and the interdependencies between them. It will also enable you to understand the business services mapped to each asset, as well as any third-party dependencies and potential vulnerabilities. This holistic approach will allow you to fully understand and account for the full impacts of operational disruptions.
There are clear linkages and alignments to consider around the two recent CBI consultation papers on outsourcing and operational resilience.
It may be worth reflecting on your own organisation in the context of operational resilience.
What is your organisation’s current level of ability to identify and prepare for, respond and adapt to, recover and learn from an operational disruption, such as that which the HSE is now facing?
In the context of the 3 pillars of the CBI’s proposed operational resilience framework:
Where you use outsourced service providers as part of the chain to provide services to your customers, the suppliers’ own cybersecurity and information security measures and standards act as an extension of your own.
The CBI places a large emphasis on considering the risks around the digital agenda as part of your risk assessments of third parties and asks that, as part of risk assessment – both Sensitive Data Risk and Data Security – availability and integrity are fully assessed across a range of factors.
There are also contractual requirements stated, such as access for penetration testing; whether the OSP should take out mandatory insurance against certain risks; and notification requirements for financial difficulty, catastrophic events, and significant incidents.
Another key consideration that is aligned to the two CBI consultation papers is the “tone at the top” – the board and senior management modelling the right behaviours regarding security and leading by example through the chain of the organisation. They also need to know the right questions to ask at the right time.
Cybersecurity isn’t just an IT problem; there are roles and impacts across the entire business. Firms need to consider their resourcing mix and how prepared they are to respond to disruption.
For more on this topic, EY recently hosted a special cybersecurity webcast which is now available on-demand here.
If you want to discuss this in further detail, or if you have any questions, please do not hesitate to get in touch.