There is a reason you cannot rely exclusively on third party providers (3PPs) to keep your business operating continuously. 3PPs are largely used when you don't feel like doing nuanced work yourself, or becoming enough of an expert to do it. It is a way to handle risk by transferring it to a provider to handle. A "subject matter expert," if you will.
Examples of 3PPs are virtual assistants, payroll services, Google cloud services, and Microsoft. Whoa...I just escalated that quickly, didn't I?
It should be safe to assume that a big name company has all their ducks in a row when it comes to doing data storage and hosting virtual meetings on their platforms. It should also be safe to assume they are doing their own business continuity planning, including cybersecurity. Google's cloud has service outages. It's not always accessible. Microsoft Teams went down for hours Friday across the world.
Part of doing due diligence in your own business continuity plan is making sure that the vendors you work with also have their own plan. If they do have a plan, you have to decide how you know it works or if it is effective. Are you going to trust them at their word or will you want a demonstration or proof (the last after action review from the last exercise might be useful to see)? Reputation goes a long way...but don't always assume it will hold up.
Microsoft also recently fulfilled their regulatory duty to publicly disclose a material cybersecurity breach to the SEC. This wasn't the kind where the criminals went in to get some customer PII and threaten to release it. It was a fishing expedition by a Russia-backed group. They took advantage of the fact that Microsoft never closed certain loops or unsecured aspects of older legacy products. The mentality was: we're not using it anymore, so there's no need to do anything about it. Being "lazy," if you will.
The amount of time and money companies like Microsoft spend on their cybersecurity is massive. But even they think doing everything to the letter and being extra is a PITA, so they don't do it...until they have to disclose to the public and regulators that they enabled the attack by not doing things 100% right the first time. I'm not sure whether that was a risk they evaluated and accepted, or whether they just made a bad assumption or didn't think about it at all.
You can only truly rely on yourself to know whether you did everything you could in advance: who you contract with, what you demand of them, and how many back-up plans you have at the ready. And, with a risk-based assessment, why you choose not to do everything. Become a "hot mess," if you will.