How Remote Working Introduces Additional Third-Party Risk

By Elad Shapira, Feb 02, 2021 (4 min read)

When the coronavirus first reared its ugly head, we didn’t truly understand the implications it would have on our lives and on our businesses. But by March 2020 it was pretty clear that the implications would be huge, beginning with businesses moving their entire operations to remote locations, seemingly overnight.

This sudden transition from in-company to remote working presented a wave of cybersecurity challenges. Security teams needed to address issues such as a lack of strategic support, employees connecting via their own devices and increased phishing attacks. On top of this, the same concerns rippled through the supply chain, where vendors were facing the same security challenges.

Since it’s apparent that remote working will be with us for some time (and perhaps, for some organizations, forever), it’s important to consider the effects this “new normal” may have on your organization.

Lack of Strategic Support

The history of cybersecurity indicates that the cultural adoption of sound security practices takes time. Conversely, last year security teams were forced to quickly understand a new situation and its challenges and effectively address them with new security policies. Without adequate support from boards and executive teams, companies will fail to overcome the challenges that work-from-home policies can pose to organizations and their third parties. Here are some ways that leaders can help support security teams during this turbulent time.

Pro tips: 

  • Prioritize the development of verification procedures for key issues such as financial transactions, account access reset, credentials and sharing of PII
  • Ensure employee involvement through awareness, familiarity with procedures and following instructions

Technology Risks 

Employees who use their own devices to interact with corporate data assets introduce diverse communication platforms and operating systems, each requiring its own dedicated support and security policy implementation. In security jargon, the challenge posed by a variety of platforms and operating systems that prevents the establishment of a consistent and enforceable security policy is known as “unmanaged devices.”

In the past few years, security teams have understood the need to address the issue of unmanaged devices. Some did so simply by keeping the number of unmanaged devices to a bare minimum. Now, within a short period of time, the number of these devices has suddenly grown exponentially.

Shadow IT, where employees adopt new technologies without going through IT and security departments, is another recent challenge that companies face on a daily basis. Now even companies that were able to somewhat restrict Shadow IT need to consider how a remote workforce exacerbates this issue. Conceivably, thousands of applications can now go under the radar of the security team.

Pro tips:

  • Deploy two-factor authentication across all employees and systems
  • Increase system monitoring, especially for systems that were not previously used remotely

Supply Chain Attacks

Over the last few months, companies with mature security teams have been focusing on controlling shifting workforce habits. Smaller companies, however, have likely had a more difficult time, due to a lack of the necessary know-how and human resources. 

With the world’s reliance on the supply chain, companies are dependent on their suppliers’ security. Hackers are aware of the limitations of securing the whole supply chain and have been targeting companies with the goal of penetrating upstream partners, as was the case in the SolarWinds breach.

Pro tips:

  • Assess your suppliers regarding their security practices in light of work-from-home policies (use Panorays’ readily-available set of questions)
  • Ensure that the same security steps that your organization is taking are also being implemented by your suppliers
  • Provide suppliers with a remediation plan so that glaring gaps are closed, as needed

Potential Compliance Issues

For any business, especially highly regulated businesses, a major, sudden change like a mass remote workforce can unintentionally lead to noncompliance. For example, an organization may be certified for SOC2, but those controls may not remain in place with people working from home. The same is true about controls around your third-party vendors. Ensuring compliance of your organization, as well as your suppliers, is paramount; non-compliance may result in reputational damage or costly penalties. 

Pro tip:

With the right tools, policies and procedures in place, organizations can prevent additional risk and maintain a strong cyber posture for their company and their third-party vendors. 

Elad Shapira

Elad Shapira is Head of Research at Panorays. As a cybersecurity lecturer and self-described geek, he likes hardware hacking, low level development, playing Capture the Flag and making and breaking things.
