Third-party vendor management can be a risk to an organization’s data and network security. Enterprises depend on vendors to use security best practices that meet company standards while using their services when they have access to the company network. But that was when most people were working from their company’s physical place of business and there could be stricter cybersecurity oversight.

Now that remote work is the norm, third-party vendors are facing the same security challenges the rest of the organization is. Workers may be using personal devices, sharing devices, working under poor home security practices, using unsecured Wi-Fi and more.

Chief information security officers and other security decision makers have to rethink some of their protocols to make certain remote workers stay secure. In the same way, they will also need to ensure their third-party vendors are following proper protocol standards. Here are tips to help you evaluate your third-party vendor security when everyone is working remotely.

1. Re-Assess Your Vendor Management Risks

This is a good time to reevaluate each vendor’s overall security posture. How were your vendors’ security standards in 2019? Were they victims of data breaches recently? What type of security plans do they have in place? What type of access does the vendor have to your network and data? Where is data stored? What procedures are in place for data loss prevention or a disruption of service, especially if there is a crisis such as virus spread or a natural disaster?

If your vendor was not meeting your security standards in the past, it may be time to re-assess the relationship.

2. Recognize the Types of Risks Coming From Remote Work

According to Digital Shadows, there are three primary types of risks from third-party vendors: operational, transactional and compliance/regulatory. To keep your organization from being impacted by these risk types, make sure the vendor’s security protocols stay as close as possible to those of pre-remote work days. There should be an emergency plan so that your business can continue if their security fails. Take the steps necessary to meet all compliance requirements for both industry and government standards.

3. Ask Your Vendor How They are Managing Cybersecurity

Proper vendor management includes a continuing dialogue between vendors and your organization’s leadership about how cybersecurity is managed on both sides. Both partners should be aware of how much of the workforce is remote. Who is working onsite? What is the overall security coverage like? How long does it take to address a cyber incident remotely versus onsite? Any former security protocols, such as encryption services or malware detection software, should be included in these conversations.

4. Know Your Vendors 

Do you know all your third-party vendors? If not, this is a good time to find out who your company regularly interacts with and how. A cloud service provider will have access to the corporate infrastructure in a different way than a consultant temporarily working on a project with limited network access. This, in turn, is different from an independent contractor who joins in on video conference calls once a month. Knowing every person or company that is somehow using your network connections allows for better-defined cybersecurity and better detection of potential threats. You may find that you have third-party users with access and credentials they shouldn’t have.

5. Update Your Service Level Agreements

You already have a contractual agreement with the third party as part of vendor management. Consider adding amendments that cover remote work-related security issues. If you aren’t sure what to include, consider what your own internal policies are and follow those. Again, anyone who has access to your sensitive information should be following the same security procedures whether they are inside or outside the company. These issues to add to the agreements could include “contractual restrictions against remote service locations, difficulty (or impossibility) of maintaining required performance levels, increases in the costs of services delivery and client-required security safeguards that cannot be implemented in a work-from-home environment,” a Lexology blog post advises.

6. Add Multifactor Authentication for Remote Work 

When working onsite, your third-party vendor may have come in person to access applications on your network. With remote work, that may not be possible. While multifactor authentication should be standard all the time, it is especially important when your third-party partners are working remotely and using unknown devices to gain access to the network. Credentials should be unique to each individual user to cut down on credential theft. Credentials should not be handed down to a former associate’s replacement. Also consider using a second or third factor that your company can control, such as Radio Frequency Identification (RFID) cards or biometrics, rather than an SMS or email factor. Always close down the account as soon as the business relationship ends.
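The checks in tips 4 and 6 (know every third-party account, keep credentials unique to one person, avoid SMS/email-only second factors, and close accounts when the relationship ends) can be run as a routine audit over a directory export. The script below is an added example, not code from the original article or from any vendor it names; the account records, vendor names, the 90-day dormancy threshold and the factor names are all constructed assumptions for illustration.

```python
"""Audit third-party vendor accounts for the remote-work risks discussed above."""
from dataclasses import dataclass
from datetime import date, timedelta

# Second factors the company does not control (the article prefers RFID cards or biometrics).
WEAK_SECOND_FACTORS = {"sms", "email"}
DORMANT_AFTER = timedelta(days=90)   # assumed threshold, not from the article
AUDIT_DATE = date(2024, 6, 1)        # fixed "today" so the sample run is reproducible


@dataclass(frozen=True)
class VendorAccount:
    username: str
    vendor: str
    owner: str                  # named individual, or "shared" for a handed-around login
    factors: tuple[str, ...]    # enrolled authentication factors
    contract_end: date          # when the vendor relationship ends
    last_login: date


# Constructed sample directory export: hypothetical vendors and accounts.
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-cloudops", "ExampleCloud Inc.", "shared",
                  ("password", "hardware_token"), date(2025, 12, 31), date(2024, 5, 30)),
    VendorAccount("j.consultant", "Example Advisory LLC", "J. Doe",
                  ("password", "sms"), date(2025, 12, 31), date(2024, 5, 27)),
    VendorAccount("k.former", "Example Advisory LLC", "K. Lee",
                  ("password", "hardware_token"), date(2024, 1, 31), date(2023, 11, 14)),
    VendorAccount("m.contractor", "Example Video Co.", "M. Ng",
                  ("password",), date(2025, 12, 31), date(2024, 5, 22)),
]


def audit_account(acct: VendorAccount, today: date) -> list[str]:
    """Return the policy findings for one account (an empty list means it is clean)."""
    findings = []
    # Tip 6: credentials must be unique to one individual.
    if acct.owner == "shared":
        findings.append("shared credential: not unique to one individual")
    # Tip 6: a second factor is required, and it should be one the company controls.
    second_factors = [f for f in acct.factors if f != "password"]
    if not second_factors:
        findings.append("no second factor enrolled")
    elif all(f in WEAK_SECOND_FACTORS for f in second_factors):
        findings.append("only SMS/email second factor: prefer a company-controlled factor")
    # Tip 6: close the account as soon as the relationship ends.
    if today > acct.contract_end:
        findings.append("contract ended but account still active")
    # Tip 4: a long-unused vendor login is access nobody may know about.
    if today - acct.last_login > DORMANT_AFTER:
        findings.append("dormant: no login in over 90 days")
    return findings


def audit_accounts(accounts, today: date) -> dict[str, list[str]]:
    """Map each username to its list of findings."""
    return {a.username: audit_account(a, today) for a in accounts}


def run_sample_audit() -> dict[str, list[str]]:
    """Run the audit over the constructed sample export at the fixed audit date."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in run_sample_audit().items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{user:14} {status}")
```

In practice the `SAMPLE_ACCOUNTS` list would be replaced by an export from the identity provider, and the findings fed into the vendor review described in tip 1; the point of the script is that each contractual expectation in the agreement maps to one mechanical check that can be re-run every review cycle.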

7. Recognize How Security Systems Impact Vendors

Cybersecurity doesn’t happen in a vacuum. If your vendors are adding a security risk to your business, consider that your workers may be opening up security risks to your third-party partners. Have a policy in place to handle how third-party vendors may be impacted. Your team may be working remotely, and response teams should have representation from various departments, including legal, marketing, human resources, information technology and security. A predetermined emergency response plan will keep the right people informed quickly and get the word out in an organized manner.
