It is easy to assume that your outsourced IT provider has all the bases covered when it comes to a cyber-attack; after all, they are the IT experts. Their technical expertise may well be good value for money, but if neither senior management nor the IT provider understands the business and technology risks within the organisation, the gap between them is likely to leave an easy cyber target inside your organisation.
The end result of unclear roles and responsibilities
An Australian SME health organisation was recently the target of a cyber-attack that began when one of its Office 365 logins was compromised, resulting in the loss of $200,000 and, in all likelihood, a significant quantity of personal data. McGrathNicol Advisory was engaged to investigate how the attack happened and to review the organisation’s IT governance and operational processes. The review identified the root cause of the incident as insufficient oversight and a lack of clarity on roles and responsibilities between the outsourced service provider and the client.
There was a large gap between management’s expectations of IT and the services that the IT provider was contracted to provide. The review found that:
- the IT provider was making incorrect assumptions about how IT systems operated within the organisation; and
- senior management was not equipped with enough operational knowledge to identify the gaps within the IT environment.
How to make sure this does not happen within your organisation
Cybercriminals look for opportunities to exploit system vulnerabilities and control gaps, which is exactly what happened in the case above. Organisations must understand how their business operates, how their systems work, and how those systems integrate with each other and with third-party systems. A good starting point is to ask the right questions to:
Understand the risks
- What needs to be protected and why?
- Who are the organisation’s suppliers and what security measures do they have in place?
- Has the organisation set and communicated its minimum security requirements to suppliers?
- Is there clear internal oversight of the outsourced services?
Check the arrangements
- When were the outsourced service security controls last tested?
- Does the service agreement allow the organisation to complete assurance activities?
In an environment of ever-increasing scrutiny of Boards and senior management teams, organisations must proactively review their control frameworks to identify gaps. This is best achieved by engaging an independent technical expert who can assess the systems objectively and recommend fixes before a gap is exploited and compromises the organisation.