Source URL: https://www.scrut.io/post/lanes-in-the-road-how-small-and-medium-businesses-can-allocate-cybersecurity-responsibility
Source: CSA
Title: How SMBs Can Allocate Cybersecurity Responsibility
Feedly Summary:
AI Summary and Description: Yes
Summary: The text describes the legal implications and strategic cybersecurity lessons learned from a ransomware attack on Mastagni Holstedt, leading to a lawsuit against their Managed Service Provider (MSP). It emphasizes the importance of clearly defined roles and responsibilities in cybersecurity, compliance, and privacy risk management, anchored by frameworks like RACI and structured documentation such as a risk register. The article also discusses the need for formal contracts with third-party vendors and compensating controls to enhance security.
Detailed Description:
The document outlines several key lessons from a ransomware attack at the law firm Mastagni Holstedt, which took legal action against its MSP, LanTech. The case illustrates the complexities of cybersecurity accountability and the necessity of structured risk management practices.
1. **Lack of Contractual Clarity**:
– The firm and the MSP had a verbal contract, complicating accountability.
– The attackers deleted the firm's backups stored with Acronis using legitimate credentials, underscoring the need for better user access management.
2. **Frameworks for Accountability**:
– **RACI Matrix**: Suggested as a method to clarify roles within cybersecurity tasks.
  – **Responsible**: GRC analysts to handle compliance documentation.
  – **Accountable**: Director of GRC for the final oversight.
  – **Consulted**: Business unit leaders for system access.
  – **Informed**: VP of Operations for overall awareness.
– A well-structured RACI matrix can mitigate confusion and improve task completion.
3. **Documenting Risk Ownership**:
– A risk register serves as a single source of truth for tracking security and compliance risks.
– It helps clarify who owns each risk and the actions taken regarding them, enabling informed discussions across the organization.
4. **Third-Party Vendor Risk Management**:
– Businesses need to assess external risks, especially those introduced by third-party vendors.
– Practices suggested include:
  – Sending security questionnaires to understand vendors’ data security procedures.
  – Reviewing certifications like ISO 27001 to ensure compliance with basic security standards.
  – Utilizing security ratings tools to monitor vendor risk dynamically.
5. **Formalizing Expectations via Contracts**:
– Clarity in contracts can prevent misunderstandings about roles and responsibilities.
– Suggested contract practices include:
  – Requiring vendors to maintain certifications like ISO 27001.
  – Establishing SLAs for data protection.
  – Including vendors in bug bounty programs to enhance network security.
6. **Compensating Controls for Residual Risk**:
– If risks remain unmanaged, organizations can apply compensating controls such as:
  – Utilizing double encryption on sensitive data.
  – Increasing cyber insurance coverage based on identified security gaps, using the cost as leverage for vendor negotiations.
Conclusion: The text emphasizes that clarity and structured responsibility in cybersecurity and compliance processes are crucial for organizations, particularly as they scale and encounter increased risks. By implementing defined roles, contractual agreements, and compensating controls, businesses can significantly enhance their cybersecurity posture and reduce the risk of incidents like ransomware attacks.