BLUF

Prioritisation of client reporting and focus needs to be based on the connection and likelihood of compromise, not based on the clients’ relative tiered status. Clients with higher status likely have better defenses. Ones with lower-tiered connections may have greater vulnerability.

Background

One of the primary concerns facing any organisational defense is our clients – both from a direct business-to-business connection, and direct/ indirect impacts from being caught in the backwash of your organisation’s cyber incident. If we have no clients, we have no business. (Supplier considerations are another conversation to have along the third-party path, but that is for another post.)

There are a great many things I shall address in other posts on the topic of clients in cyber considerations, but the topic for today’s consideration is how we tend to assess client cyber risk and prioritisation. The fact is, we treat clients much the same in cyber correspondence as we would for other business related engagement. Higher status clients get treatment befitting the business we do with them, their size and scope. Those lower on the spectrum are less likely to be engaged.

While this makes sense from a business standpoint, it’s horrible from a cyber risk standpoint. When we look at client reporting, the first things we should be looking towards are the relative connection we have (which we look at extensively) followed by the likelihood that they would be compromised. If we have invested time, money and resources in gaining and retaining clients, and we speak of thinking and acting in their best interests, why do we leave them to their own devices in cyber – one of the areas they are vulnerable?

Large, affluent organisations are likely to have their own ecosystems developed already. Whilst we can talk to them in near-peer standing, they aren’t where the engagement is really needed. Lower tier clients with limited resources are more likely to be compromised, lacking the resources necessary to comb through volumes of data to assess risks and adjust controls. Nor will they be able to afford vendors who provision similar services.

We talk about information sharing and prevention, but we need to be thinking more about who will likely become victimised. What’s their relative impact from a cyber compromise? How could sharing information with those at higher risk and in larger group settings create greater benefits long-term for all involved? What are the direct and indirect impacts from their being compromised, or worse yet if your organisation was compromised?

If we consider information sharing as part of adjusting controls for cyber risk (or have skin in the game by sharing cyber continuity of business processes with clients) we will find greater resiliency in the years to come. This is an area we need to start mapping out in 2021 whilst we look at 2030 at the very least. More to come on this and other areas we will look into through the year.

-scl