
From The Desk Of CISO


In today’s interconnected economy, companies rely on third parties. It’s increasingly common to outsource some parts of your business to vendors who specialize in that function, whether that be via a SaaS vendor, third-party service provider or contractor. These third parties aren’t typically under your organization’s control, and it’s unlikely that they provide complete transparency into their information security controls. Some vendors can have robust security standards and good risk management practices, while others may not. Some best practices for third-party risk management include:

1- Adequate due diligence should be performed during the vendor onboarding process.
2- Make a practice of incorporating cyber risk into your Vendor Risk Management Program and vendor contracts.
3- Keep an inventory of your in-use vendors so as to understand who all your third parties are and how much is being shared with each of them.
4- Continuously monitor vendors for security risks by monitoring their security controls over time.
5- Collaborate with your vendors to reduce risk and fix security issues quickly.
6- Talk about third-party risk by having leadership engagement on both sides.
7- Cut ties with bad vendors – the ones with poor cyber hygiene.
8- Measure fourth-party risk – as important as it is to understand your third-party risk, it’s also important to know who your third parties rely on. These organizations are known as your fourth-party vendors, and they introduce fourth-party risk.
9- Follow the principle of least privilege. Many third-party data breaches occur because the third party is provided with more access than they need to do their job.

Do you have the right data governance strategy to minimize cyber risk?

Yes, we have a Data Governance structure in place and a strategy to minimize cyber risk.

Are your employees fully equipped with cyber technology and do they have all the required certifications?

Yes, our team is well equipped with the latest cyber technologies and the required certifications. Here I would like to make a point that with high turnover of cybersecurity resources, you need to have a hybrid model which includes your organization’s staff combined with vendor outsourcing for the relevant skillsets and areas. This way you can effectively manage HR needs. We have staff certifications including CISM, CISA, COBIT, CYSA, CEH, BSMS, SOC Analyst etc.

What do you think are the biggest cybersecurity threats right now, especially from the perspective of Pakistan, and what do you suggest to tackle these threats?

Globally, the continued combined impact of the COVID-19 pandemic, socio-political upheavals and ongoing financial stress is likely to increase the number of careless mistakes that employees make at work, creating more exploitable opportunities for cybercriminals. However, the following are the biggest cyber security threats, especially from the perspective of Pakistan:

• Poor Cyber Hygiene
• Mobile Device Vulnerabilities
• Ransomware
• Poor Data Management
• Inadequate Post-Attack Procedures
• Configuration Mistakes

Recently some of our government organizations have been victims of cyber attacks. We need to considerably improve the cyber health of the government sector.

The following measures should be adopted to counter these cyber threats:

• Information Security Governance structure should be improved
• Timely updating of all security systems and software
• Conducting regular employee cybersecurity training
• Reducing your attack surface by improving security controls
• Threat intelligence feeds relevant to the country
• Backing up and recovering your data periodically
• Managing third-party risk (vendors)
• Protecting your physical premises
• Conducting cyber drills and incident handling training

People receive messages and emails that may be from malicious hackers. How can they stay safe?

Banks and other organizations should develop Information Security Awareness Programs and should conduct awareness campaigns to educate their employees and customers on a regular basis about the latest and evolving threats.
