Your Partners’ Weaknesses Can Affect Your Own Security

Interview with Mihkel Kukk, Head of Cyber Security at KPMG Baltics

Cyber security has become an increasingly important topic in recent years. To what extent has Estonian companies’ understanding of their information and cyber security posture, including awareness of vulnerabilities, improved over the years?

There has indeed been a significant improvement in Estonian companies’ awareness of cyber security issues over recent years. Businesses are beginning to realise that investing in information and cyber security is a must.

At the same time, identifying and addressing vulnerabilities remains an ongoing challenge that demands continuous effort, especially in light of new technologies and evolving cyber-attack methods.

For example, many Estonian companies have begun conducting regular security audits and offering cyber hygiene training to enhance employee awareness and preparedness against potential attacks. In addition, we are seeing increased investment in security software and infrastructure to combat sophisticated malware and phishing attacks, which are becoming more and more common.

Another important step is obtaining cyber insurance, which helps mitigate financial risks in the event of a cyber-attack. These developments show that while awareness has grown, the rapid evolution of cyber security landscape requires constant updating and enhancement of defence measures.

Who in an organisation should evaluate their partners’ cyber security posture? Should it be done by the CISO (Chief Information Security Officer) alone, or in collaboration with the CIO (Chief Information Officer)?

Assessing a partner’s cyber security posture should be a collaborative task between the CISO and the CIO. Since cyber security involves both technical aspects and broader strategic risks, it’s crucial for both roles to contribute their perspectives to ensure a comprehensive approach.

If a potential partner doesn’t have a CISO (or even a CIO), how can their cyber security posture, and your own risks, be assessed?

If a potential partner lacks a CISO or a CIO, it’s advisable to bring in a specialised external service provider to conduct a cyber security audit and a risk assessment. Involving external service providers allows for an objective assessment, highlighting security vulnerabilities and providing recommendations for the implementation of best practices in line with international standards.

This is particularly important for small and medium-sized enterprises, which often lack in-depth cyber security expertise and resources. Conducting an audit can help identify and mitigate various risks, such as data leaks and systems’ security vulnerabilities, which may affect the company’s operations and reputation.

Generally, the audit and risk assessment process for an SME can take anywhere from a few weeks to several months, depending on the specifics of the enterprise and the systems in use.

How much does the area of activity and size of a potential partner affect the assessment of information security from a collaborative perspective?

An information security assessment varies significantly depending on these two factors, as different sectors and company sizes are subject to different security requirements and risks.

For example, companies in the financial sector must comply with very strict regulations requiring advanced security measures to protect customer data and financial assets. In contrast, small retail companies may be subject to less stringent requirements, but their resources for enhancing their information security measures may be more limited.

It’s a misconception to assume that small companies are by default less attractive targets for cyber-attacks because of their small size, or that they are somehow better protected. On the contrary, their limited security infrastructure and low level of cyber security awareness can actually make small businesses more vulnerable.

Attackers may see small businesses as easier targets that can provide access to the networks of larger, better-protected companies, especially when they are part of larger companies’ supply chain.

Therefore, the assessment of information security should not be based solely on the company’s area of activity and size, but should also consider its ability to identify potential threats and implement appropriate defence measures.

Information security audits and risk assessments should be customised to each company, considering both the specific characteristics of its sector and the unique risks it faces, regardless of its size.

How should the adequacy of external partners’ business continuity plans be assessed?

The business continuity plans of external partners should be evaluated on the basis of their adequacy and feasibility, by checking whether the plans are up to date, cover all relevant risk scenarios and are integrated into the organisation’s overall risk management strategy.

Testing should take place at least once a year to ensure that the plans are robust in real-life situations. However, depending on the sector and evolving risk landscape, more frequent testing may be required. External service providers can bring significant value by offering broad expertise and experience to ensure that business continuity plans are comprehensive and effective.

Their independent perspective helps identify potential weaknesses, while simulations and crisis exercises conducted by external parties tend to be more realistic and complex, thus enhancing preparedness for real emergencies. In addition, they provide ongoing advice and regular updating of the plans, essential in a rapidly changing business environment.

When assessing a potential partner, how much emphasis should be placed on the technology they use versus the so-called human factor?

When assessing a partner, equal attention should be paid to the technology in use and the human factor. While technology is important, the human factor – such as the level of employee training and awareness – can often be the weakest link in the cyber security chain.

The cyber awareness of a partner’s employees can be assessed through various methods, such as regular training sessions, testing, and simulations and exercises that reveal their responses to potential cyber-attacks.

To what extent should the topic of external partners’ cyber security be addressed in an organisation’s own risk assessment or information security audit?

The cyber security of external partners is of critical importance in the organisation’s own risk assessment and information security audits. As illustrated by an example brought in the Estonian Information System Authority’s blog post Supply chain attacks: their potential impact and how to protect yourself, your partner’s cyber security vulnerabilities can enable attackers to exploit the partner’s systems as a gateway to access your company’s networks.

Such vulnerabilities can have a serious impact on the security of the entire supply chain and, therefore, on the reputation and financial performance of your organisation. Therefore, it’s crucial to regularly assess and monitor the level of your partners’ cyber security to avoid potential risks and ensure the resilience of your systems (source: Estonian Information System Authority).

To what extent can the assessment of a potential partner be outsourced as a service?

Outsourcing the assessment of a potential partner’s cyber security to a certified external service provider enables access to valuable specialist knowledge and experience that may not be available within your company. This approach ensures objectivity in the assessment process, avoiding potential conflicts of interest that may arise if the assessment were conducted solely with internal resources.

In addition, it provides the customers with confidence that cyber security risks have been identified and assessed in accordance with international standards. This helps them make better-informed decisions and protect their business from potential threats.

Drawing on KPMG’s experience, what are the most common issues identified in Estonian organisations during such assessments?

We have seen that Estonian companies’ risk management processes are often inadequate and the level of cyber security awareness among their employees is low. Additionally, there are often no clear procedures in place for addressing cyber security incidents. This can lead to situations where employees are unable to recognise phishing attacks or are unsure how to respond when an incident occurs. This, in turn, can result in data leaks or attacks that damage the company’s reputation, cause financial loss, and undermine customer trust.

How can conflicts be avoided within an organisation when departments such as production, marketing, or sales are eager to cooperate, but the CIO or CISO objects to it?

Internal conflicts can be avoided by establishing clear communication channels and processes where different departments can voice their concerns and needs.

The CIO and CISO should be involved at an early planning stage to ensure that these needs and concerns are addressed before any cooperation agreements are signed.