How Remote Working Introduces Additional Third-Party Risk
When the coronavirus first reared its ugly head, we didn’t truly understand the implications it would have on our lives and on our businesses. But by March 2020 it was pretty clear that the implications would be huge, beginning with businesses moving their entire operations to remote locations, essentially overnight.
This sudden transition from in-company to remote working presented a wave of cybersecurity challenges. Security teams needed to address issues such as lack of strategic support, employees connecting via their own devices and fending off increased phishing attacks. On top of this, the same concerns rippled through the supply chain, where vendors were facing the same security challenges.
Since it’s apparent that remote working will be with us for some time (and perhaps, for some organizations, forever), it’s important to consider the effects this “new normal” may have on your organization.
Lack of Strategic Support
The history of cybersecurity indicates that the cultural adoption of sound security practices takes time. Yet last year security teams were forced to quickly understand a new situation and its challenges and to address them effectively with new security policies. Without adequate support from boards and executive teams, companies will fail to overcome the challenges that work-from-home policies pose to organizations and their third parties. Here are some ways that leaders can help support security teams during this turbulent time.
- Prioritize the development of verification procedures for key issues such as financial transactions, account access resets, credentials and the sharing of PII
- Ensure employee involvement through awareness, familiarity with procedures and following instructions
Employees who access corporate data assets from their own devices introduce diverse communication platforms and operating systems, each requiring its own dedicated support and security policy implementation. In security jargon, devices like these, which sit outside the organization’s control and prevent the establishment of a consistent and enforceable security policy, are known as “unmanaged devices.”
In the past few years, security teams have understood the need to address the issue of unmanaged devices. Some did so simply by keeping the number of unmanaged devices to a bare minimum. Now, within a short period of time, the number of these devices has grown sharply.
Shadow IT, where employees adopt new technologies without going through the IT and security departments, is another recent challenge that companies face on a daily basis. Now even companies that were able to partially restrict Shadow IT need to consider how a remote workforce exacerbates this issue. Conceivably, thousands of applications can now fly under the radar of the security team.
- Deploy two-factor authentication for all employees and systems
- Increase system monitoring, especially for systems that were not previously used remotely
Supply Chain Attacks
Over the last few months, companies with mature security teams have been focusing on controlling shifting workforce habits. Smaller companies, however, have likely had a more difficult time, due to a lack of the necessary know-how and human resources.
With the world’s reliance on the supply chain, companies are dependent on their suppliers’ security. Attackers are aware of the limitations of securing the whole supply chain and have been targeting companies with the goal of reaching their partners through that chain, as was the case in the SolarWinds breach.
- Assess your suppliers regarding their security practices in light of work-from-home policies (use Panorays’ readily-available set of questions)
- Ensure that the same security steps that your organization is taking are also being implemented by your suppliers
- Provide suppliers with a remediation plan so that glaring gaps are closed
Potential Compliance Issues
For any business, especially highly regulated businesses, a major, sudden change like a mass remote workforce can unintentionally lead to noncompliance. For example, an organization may be certified for SOC 2, but those controls may not remain in place with people working from home. The same is true of the controls around your third-party vendors. Ensuring the compliance of your organization, as well as of your suppliers, is paramount; noncompliance may result in reputational damage or costly penalties.
- Reduce risk by effectively screening and continuously monitoring your vendors for compliance with regulations
With the right tools, policies and procedures in place, organizations can prevent additional risk and maintain a strong cyber posture for their company and their third-party vendors.