One widely recognised risk is with third-party/ app suppliers, as they provision the tools used to create your business’s client services. Whether the risk is B2B connection, shared data, supply chain, business disruption or infrastructure-based; there are many reasons your organisation looks to have cyber awareness in third-party management – and has difficulty doing so.
One of the best starting points is to look for controls set in place for apps, as that shows who should know about issues related the app. I prefer to start with the business; if they have controls in place for the app, they recognise the need for awareness if there is a disruption. The control should work with part of the Continuity of Business (CoB) plans to switch to a backup in case of incident. In any case, you need to know who would pull the control lever.
If the business doesn’t have controls for the app, look for the app owner. Often they are more in technology roles, and have lists of who would be notified if there was a scheduled downtime or service interruption notice sent. The app owner may or may not have insight into the company who provisions the app, contracts regarding notification requirements, and what other businesses use the app. If information is missing, look for Third-party supplier datasets and find the company who provisions the app (there may be several others). Find who is your organisation’s point of contact for the supplier to find more of the pertinent information above and anything else of relevance.
Once you’ve at least the supplier/ app names (preferably for all the apps in the entire process) and a list of who needs to know – take it to your local CTI team. Ask them to flag pertinent information (cyber or otherwise) that could indicate interruption of service. Many would be happy to let you know, especially if you tell them what happens after as part of the feedback process.
If you really want to put icing on top, engage the CoB teams along with the supplier account owners and put contractual requirements in place to notify in case something might interrupt services (not after they sort all that’s happened). This gives you and your businesses a chance to shift to the secondary toolset before your clients have an interruption of their services.
This can be applied to other third-party services, or taken out of cyber. Just keep open communications and remember some of these other parties may not see how your efforts relate to theirs. So, patience and practice in remembering everyone’s value.