Service Announcement: The Right Questions to Ask Your Vendors in Times of Large-Scale Remote Working

In the wake of coronavirus, companies are now applying immediate work-from-home policies. This sudden and massive change poses a set of new cybersecurity risks and is forcing security teams to take immediate action. 

One of these cybersecurity risks emanates from the supply chain. While a large company may be able to quickly undergo the transition from a relatively concentrated workforce to a large-scale remote workforce, its supply chain partners may not. 

In an effort to ensure the cyber resilience of the supply chain during these turbulent times, Panorays has readily made available the related vendor evaluation criteria, broken down to 18 questions. Companies are welcome to use these questions to assess their vendors’ preparedness for work from home. 

General

  1. Do you already have remote work practices and policies?
  2. How many of your employees already have remote work capabilities?
  3. How much of your day-to-day activity is suitable for remote working today? 
  4. What is your remote access mechanism?
  5. Which client devices are allowed to access your digital assets remotely?

Authentication and Authorization

  1. Do you enforce 2FA for employees with remote work capabilities?
  2. Do you enforce strong passwords for all employees with remote work capabilities?

Resilience and Business Continuity

  1. Is your network structured to support remote access for all of your employees?
  2. Do you expect operational problems or negative impact to your service due to remote access?
  3. Do you expect the pre-agreed SLA might be breached?
  4. Do you backup regularly and require your employees to use and save files only on company-related places (such as internal Google Drive or dedicated services)?
  5. Do you have redundant inbound connectivity for your facilities / internal systems?

Procedure and Processes

  1. Do you train your employees with dedicated security awareness for working in public places such as coffee shops or restaurants? In particular, are they instructed to leave the end point station locked and verify use of a secure Wi-Fi network such as by using an employee’s mobile phone?
  2. Did you train your employees with respect to the above procedures / processes before allowing remote working?
  3. Do you have clear procedures / processes / controls in place for verifying the authenticity of communications (email, phone, IM) with respect to activities such as fund transfers, account creation, account reset, etc.?
  4. Do you have a security solution protecting the end point stations (anti virus, EDR etc)?
  5. Do you have tools or procedures to support remote patch management for your servers, services and end-points?
  6. Do you have a secure manner of communication between employees working remotely?

These questions will help companies assess the cybersecurity risk emanating from their suppliers that have adopted work-from-home practices. 

It’s important to note that considering the sudden shift in business behavior, the regular spreadsheet evaluation process will not work, considering the time and human effort it requires. As such, automation of the process is essential. Doing so will allow companies to easily add questions without the need to resend the full questionnaire, track progress, measure and quickly calculate risk levels. Most of all, it will allow companies to quickly and easily scale this process to ensure their security policy is enforced throughout the supply chain. 

Want to learn more about making sure that your suppliers’ cybersecurity is ready for the challenges of COVID-19? Click here for more information.

You may be interested in

Guides

The CISO’s Guide to Choosing an Automated Security Questionnaire Platform

Case Studies

WalkMe Receives a 360° View of Suppliers Using Panorays

Guides

10 Critical Issues to Cover in Your Vendor Security Questionnaires

This site uses cookies to tailor your experience and understand how visitors use the site. Visit our Privacy Policy for more information.