Optimised Remediation Process Accelerates Improvements
“...we identified a range of associated third-party processes that were ineffective and increased risk.”
Following a data loss in 2018, a large financial services client carried out a global review of data controls for its third-party hosted websites. The review identified over 1000 websites where specific control weaknesses could leave the organisation exposed to breaches and data loss. These weaknesses were found both within the third parties and the client organisation.
The challenge faced by the client was how to effectively address such a high volume of third parties globally. Large numbers of people across different operational and supplier teams needed to be mobilised, focused, and managed.
We helped the client using Security Remediation, our end-to-end methodology for rapidly addressing cyber weaknesses. It was developed based on our experience of resolving cyber issues for many of the UK’s largest financial services companies.
The first step was to create a baseline inventory of third-party websites hosting restricted or highly restricted data. We then systematically identified website owners and assessed each website against a set of key controls to determine its risk position. Underpinning this was our Security Remediation tracker, which provided MI to the control owner and other stakeholders.
With the baseline established, we risk assessed and categorised the websites in preparation for remediation. Risk reports for each website were issued, with oversight in place to approve plans and track activities. Key to our success was the ability to identify and work with hundreds of business representatives globally. These people were accountable for the remediation work and we offered a range of support models to ensure they understood the risks and were equipped to address them.
As well as tracking remediation progress, our MI included ‘non-responder’ data. This critical metric enabled the control owner to escalate performance issues as required.
In completing this work, we identified a range of associated third-party processes that were ineffective and increased risk. We improved the integrity of sourcing and application inventories, as well as data classification.
We also defined and delivered a more robust ‘gatekeeper’ process — an important early deliverable of all Security Remediation engagements. It stops weaknesses in the new, change-driven estate getting worse while legacy areas are being addressed.
The client benefited from accelerated remediation and reduced costs because of Security Remediation’s optimised improvement process. This combined risk-based prioritisation, clear MI that helped to remove blockers, and a dedicated i-confidential team driving the activity. These issues would have been addressed much more slowly if the organisation had tackled them alone.
As well as leaving behind an auditable record of risk-accepted security weaknesses, we also provided the client with a baselined third-party website security inventory it could maintain going forward.