  • James Carlopio

3rd Party Risk: Is it time to pull our heads out of our clackers?

Another win for cybercriminals due to a 3rd party provider breach via a human compromise.

Would you allow your children to get into a car that was technically perfect, but the driver wasn’t qualified to drive? Of course, the answer is a definitive “No!”

We are obsessed with a 3rd Party assessment process that considers all of the technical controls yet there is no assessment of the human at the helm of those controls or functioning at every level within the environment.

Are there questions in your 3rd Party Risk Assessment document that ask about the quality or status of the organisation’s cybersecurity culture? A question on their cybersecurity training program? At least a question on their past phishing test results and the degree of difficulty? I suspect the answers are, “No”, “No” and “No”.

According to the World Economic Forum (2022), 95% of cyber incidents are attributed to human behaviour. According to Cisco’s 2021 Cybersecurity Threat Trends report, about 90% of data breaches occur due to phishing – again a human failure. So, if the human represents up to 95% of the risk, why are we failing to ask the right questions and address the risk accordingly? Oh, that’s right, we think we can technologize the human out of the equation. Yeah, that’s really working for us, isn’t it?

Folks, it’s time to take stock, take a breath, pull the head out of the misty depths of wherever it is, and take a fresh look. Change must be led. I challenge you!

The Cyber Security community are my heroes – without question! I am so appreciative of the work that you do, but we need a shift, and it needs to happen fast.

Where is your organisation’s cyber security culture sitting?