Is Your TPRM A Weak Link In Your Continuity and Cyber Risk Plans?

All too often when we think of business continuity planning, we think of detailed checklists and tabletop tests, and situations approaching disaster recovery scenarios. We think of key suppliers and residual power supplies, and more. America’s current novel coronavirus situation has many of us finding ourselves facing periods of varying lengths where we will be diverging from normal routines—including our work logistics, or lack of them. Most of the time, we build business continuity plans for circumstances that target our firm specifically, or a significant geography important to our operations. But aside from our inward-centric planning, what might we consider from the perspective of a larger playing field? Let’s consider the answers to these questions:

  • What resources are vital to your operation?
  • What operations/services are dependent upon yours?
  • What risks are most immediate to address if some disruption happens?
  • What infrastructure assumptions, outside your control, are critical to continuity?
  • Do special times conjure special risk scenarios?

At first glance, these seem like typical considerations for any thoughtful business continuity plan. Looking at them more closely can reveal some unforeseen operational and cyber risks that deserve attention. It’s worthwhile to note that the focus of threat actors has begun to shift. Finding core infrastructures better able to detect and repair cyber breaches early, they are moving to indirect attacks through relationship partners and suppliers. Recent findings indicate that as much as 40% of security breaches now originate in indirect attacks through suppliers and partners. Effective Third Party Risk Management (TPRM) is therefore a vital component of successful continuity planning.

What resources are vital to your operation?
Unless you’re a deeply integrated vertical, you likely have this list nailed, and subject to periodic review. If not, then establishing a process to identify and evaluate those most critical external resources is a priority exercise vital to sound cyber risk, continuity, and operations planning. Hopefully, this is not just a list of external vendors. It is those, of course, plus a list of critical knowledge, skill, and infrastructure resources needed to sustain your business. That would include staff, data, operations, and the means for these to interact on your behalf. Whatever feeds and inputs to your services or enables your processes is of course critical. If those include the product of a third party’s efforts, you need to consider their ability to endure when confronted with events outside their control. You may need secondary options to address circumstances that disable primary supplier support. Straightforward enough. Do you have the ready means to engage these secondary suppliers? Do they need and have access to your systems? Has their security been vetted as part of your TPRM process? Did you look at their risk, cybersecurity, and continuity processes to ensure they have the means to service and support your operation when events beyond your respective perimeters require? Have your key contacts on both sides discussed how they would start up if needed?

What operations/services are dependent upon yours?
This is a reverse point of view often ignored regarding TPRM and Continuity Planning. Who are the partners you support? What contractual or regulatory obligations add to your planning? Do any of these expose your resources to unique risk opportunities? When considering this last point include relationships that may be seasonal or periodic, as well as those ongoing throughout the year. There can be a tendency to pay less critical attention to those once-in-a-while engagements. That’s an opportunity to let training and communication weaken a bit, and open a door for threat actors promoting phishing and other attacks to gain entrance to your infrastructure. It’s also a circumstance potentially leading to brand, customer, or legal exposure should you miss a service commitment in oversight. Consider any unique skill, knowledge, asset, or process resources you might need to meet these obligations. Are there any unique or exceptional data sharing requirements involved? Is there a need for granting temporary access to your network? There should be a process for evaluating all these needs, including participation by key stakeholders, IT, security, risk, procurement, and legal. Pay particular attention to how you might be connecting to others, and when doing so, if their security is somewhat less stringent. Take precautions on your side to avoid exposing your own resources in the process wherever possible.

What risks are most immediate to address if some disruption happens?
There are several vectors to consider in preparing for a disruption. Two of the most important are identifying the biggest risks and identifying the most immediate ones. It’s important to align these two views to find any risks that are both immediate and substantial. Also, consider their effect on core operations and current-year objectives to determine specific impacts. The results of this analysis represent your most important risks to address. How adept your defenses are at detection and repair will determine your response effectiveness: they will either quickly position you to remediate and establish or sustain continuity, or define the scope of sustained damage. At this point, it’s useful to consider how resilient your cyber defenses and overall security are. What disruptions put them at risk? Can you recover quickly? Weakened enforcement of controls at the fringes of your extended supply chain may create gateways for intrusion. Should a critical partner’s service experience some disruption, or need to be cut off from service, can you identify the problem and move deftly to alternates without damaging delays? Actively planning for and managing the resilience of your detection and repair capabilities is an important part of cyber risk and continuity planning. At the very least, address these risks and determine strategies to reduce them.

What infrastructure assumptions, outside your control, are critical to continuity?
In recent days, staff of many firms have been told to work from home if at all possible. This mass migration to an at-home workforce is not something many foresaw as a concern. One question (of many) remains to be answered: “Can the infrastructure of residential internet service providers supply adequate bandwidth to support this sudden, massive shift to residential demand?” One wonders which QoS (quality of service) parameters are also being challenged as schools close and homebound children add their demands for streaming capacity to the residential drain on internet bandwidth already posed by remote workers. Failure of this critical, presumed infrastructure would defeat the effectiveness of a work-from-home strategy in a single stroke. As an independent company, this isn’t something you can control, yet it may be an essential assumption in your continuity plan. Look at your plan carefully, from the perspectives of both servicing partners and being serviced by them. Are there contingencies you can establish to address such dependencies? How vulnerable are your partners? How resilient are their infrastructure dependencies? What remedies can you apply, and which risks must you either accept or somehow transfer?

Do special times conjure special risk scenarios?
It’s neither possible nor useful to consider everything at all times. That leads to the thinking that the only safe data server is one air-gapped from all resources and powered off. It’s safe, but it’s also useless. Continuity plans often define alternate means of commuting to work, shipping products, and sourcing suppliers. Each of these offers fresh opportunities for hostile threat actors to compromise your digital environment, either through extended access to unfamiliar public networks, or through weakly secured devices possibly used by untrained operators. Having staff work remotely, from home or elsewhere, is often included in the mix of continuity strategies. Forward-thinking companies have implemented controls over personal or company-issued devices to support this. For those who might rely upon personal devices from home, there are connection policies and tools that scan an incoming device for the presence of required anti-virus and other controls before granting access. Establishing and testing these services requires time and education; they are best established and vetted as a normal part of operations so they are readily deployable at greater scale in the event of an emergency.

One assumption in all of this is that connectivity bandwidth will not be an issue, and that the internet (i.e. the locally available or subscribed internet service provider) will be there, capable and ready. But if local power availability becomes an issue, that assumption is moot. If whole communities are working from home, available residential bandwidth may be challenged. In such cases, local public hotspots may be closed, or suffering the same challenge. It might be worth exploring an arrangement with a specific service provider to provide alternate service on demand through a Wi-Fi channel, granted when requested and authenticated with specific credentials issued by the company. While I’m not aware of anyone who has done this just yet, it may be an avenue to explore. That traffic could be directed through a prescribed VPN service to help assure security.

Effective business continuity implies secure continuity, and that needs to extend to secure partnerships with third parties. Can your essential monitoring and detection services be operated and managed remotely in the event of an emergency? Will they encompass services provided through the processes and partners invoked to address a disruption? Have you tested and validated these and other cyber risk controls and processes to assure timely detection of and response to a breach in a continuity scenario? Keeping your business operational throughout a disruption includes keeping it securely operational. It’s one way to let internal resources focus on recovery and avoid the distraction of addressing additional events that were otherwise within your control. Cyber risk and security planning are an integral part of your firm’s third-party risk management and continuity planning, now and for the days ahead.

About the Author:

Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.
