The Concept of Shared Responsibility in Combating Ransomware
How Total Risk Evaluation Can Help Reduce Threats
Ransomware continues to dominate headlines with no sign of slowing down. What started more than 30 years ago has become one of the most prevalent and lucrative forms of cyberattack, and it does not discriminate by company size, industry or geography.
In addition, with the growth of the digital ecosystem, ransomware can now not only work its way through the primary target but also affect the third parties that a business works with. Recent attacks on software providers, managed security providers and credit agencies are clear examples of the danger ransomware poses to third-party cyber risk management, and they highlight the concept of shared responsibility.
Shared responsibility, as it pertains to risk, began as a model to define the line of responsibility between you and your cloud provider to reduce the risk of introducing vulnerabilities into your virtual ecosystems.
Traditionally, if you entrust the storage of your data to an external cloud environment, the cloud service provider covers a defined portion of the risk to your service and your business assumes the rest. But as organizations become progressively more interconnected, this shared responsibility model is being adopted as the basis of risk-management frameworks: the risk of your own internal controls and the risk of your third parties are analyzed separately, and the two analyses are combined into a total risk evaluation.
In a traditional data center model, your organization would be responsible for its entire operating environment, so it would only need to address risk gaps in a single domain: its own hardware, software and physical premises. But with the growth of as-a-service technologies, businesses are outsourcing niche solutions to many different companies, creating a web of interconnected, cross-platform linkages.
As a result, organizations build up a large portfolio of third-party relationships. Also, as digital transformation reshapes every facet of business, cyberthreats such as ransomware, data breaches and service disruptions are becoming highly lucrative for threat actors. Attacks such as ransomware are surging, while businesses in all sectors are failing to address critical security shortcomings within their own environments, as well as the growing exposure to these threats introduced by third parties.
It has become vital that companies come together, build trust and transparency, and make concerted decisions to mitigate unacceptable risks to a tolerable level.
Total risk evaluation is a new approach that can prove overwhelming for many businesses that still struggle to prioritize security and risk management. And while leveraging third parties can help your business gain significant efficiencies, you must remember that the inherent risk still lies with your organization.
Your analysis should not end with a high-level review of a third party's answers to an assessment questionnaire. You should identify your highest-risk third-party relationships, use their assessments to understand how effective their security controls actually are, and implement a third-party risk framework that can flex with the evolving needs of your organization.