Third-party vendors can pose a risk to an organization’s data and network security. Enterprises depend on vendors to follow security best practices that meet company standards whenever those vendors have access to the company network. But that expectation was formed when most people worked from their company’s physical place of business, where cybersecurity oversight could be stricter.

Now that remote work is the norm, third-party vendors face the same security challenges the rest of the organization does. Workers may be using personal devices, sharing devices, working under poor home security practices, using unsecured Wi-Fi and more.

Chief information security officers and other security decision makers have to rethink some of their protocols to make certain remote workers stay secure. In the same way, they will also need to ensure their third-party vendors are following proper protocol standards. Here are tips to help you evaluate your third-party vendor security when everyone is working remotely.

1. Re-Assess Your Vendor Management Risks

This is a good time to reevaluate each vendor’s overall security posture. How were your vendors’ security standards in 2019? Were they victims of data breaches recently? What type of security plans do they have in place? What type of access does the vendor have to your network and data? Where is data stored? What procedures are in place for data loss prevention or a disruption of service, especially if there is a crisis such as virus spread or a natural disaster?

If your vendor was not meeting your security standards in the past, it may be time to re-assess the relationship.

2. Recognize the Types of Risks Coming From Remote Work

According to Digital Shadows, there are three primary types of risks from third-party vendors: operational, transactional and compliance/regulatory. To keep your organization from being affected by these risk types, make sure the vendor’s security controls are as close as possible to what they were before remote work. There should be an emergency plan so your business can continue operating if their security fails. Take the steps necessary to meet all compliance requirements for both industry and government standards.

3. Ask Your Vendor How They are Managing Cybersecurity

Proper vendor management includes a continuing dialogue between vendors and your organization’s leadership about how cybersecurity is managed on both sides. Both partners should be aware of how much of the workforce is remote. Who is working onsite? What is the overall security coverage like? How long does it take to address a cyber incident remotely versus onsite? Existing security controls, such as encryption services or malware detection software, should also be covered in these conversations.

4. Know Your Vendors 

Do you know all your third-party vendors? If not, this is a good time to find out who your company regularly interacts with and how. A cloud service provider will have access to the corporate infrastructure in a different way than a consultant temporarily working on a project with limited network access. This, in turn, is different from an independent contractor who joins in on video conference calls once a month. Knowing every person or company that is somehow using network connections allows for more clearly defined security controls and better detection of potential threats. You may find that you have third-party users with access and credentials they shouldn’t have.

5. Update Your Service Level Agreements

You already have a contractual agreement with the third party as part of vendor management. Consider adding amendments that cover remote work-related security issues. If you aren’t sure what to include, consider what your own internal policies are and follow those. Again, anyone who has access to your sensitive information should be following the same security procedures whether they are inside or outside the company. Issues to add to the agreements could include “contractual restrictions against remote service locations, difficulty (or impossibility) of maintaining required performance levels, increases in the costs of services delivery and client-required security safeguards that cannot be implemented in a work-from-home environment,” a Lexology blog post advises.

6. Add Multifactor Authentication for Remote Work 

When working onsite, your third-party vendor may have come in person to access applications on your network. With remote work, that may not be possible. While multifactor authentication should be standard all the time, it is especially important when your third-party partners are working remotely and using unknown devices to gain access to the network. Credentials should be unique to each individual user to cut down on credential theft. Credentials should not be handed down to a former associate’s replacement. Also consider using a second or third factor that your company can control, such as Radio Frequency Identification (RFID) cards or biometrics, rather than an SMS or email factor. Always close down the account as soon as business relationships end.
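As an added example (not from the original article), the following Python script checks an inventory of vendor accounts against the rules in sections 4 and 6: one unique credential per individual, MFA enrolled, a company-controlled factor rather than SMS or email, and accounts disabled once the contract ends. The inventory, its field names and the audit date are constructed assumptions for illustration; a real run would read the same fields from your identity provider or access-review export.

```python
"""Audit third-party vendor accounts against a remote-access policy.

Added example, not code from the original article. The inventory below is
constructed sample data; the field names (user, vendor, shared_login,
mfa_factor, contract_end, active) and the audit date are assumptions.
"""
from datetime import date

# Factors the company does not control; the article recommends factors such
# as RFID cards or biometrics instead of these.
WEAK_FACTORS = {"sms", "email"}

# Date the review is run (assumed for the example).
AUDIT_DATE = date(2025, 1, 15)

# Constructed sample inventory of vendor accounts with network access.
SAMPLE_ACCOUNTS = [
    {"user": "acme-svc", "vendor": "Acme Cloud", "shared_login": True,
     "mfa_factor": "totp", "contract_end": date(2026, 1, 1), "active": True},
    {"user": "j.doe@consultco", "vendor": "ConsultCo", "shared_login": False,
     "mfa_factor": None, "contract_end": date(2025, 6, 30), "active": True},
    {"user": "m.lee@contractor", "vendor": "Lee Consulting", "shared_login": False,
     "mfa_factor": "sms", "contract_end": date(2024, 3, 31), "active": True},
    {"user": "p.ray@vendorx", "vendor": "VendorX", "shared_login": False,
     "mfa_factor": "rfid", "contract_end": date(2025, 12, 31), "active": True},
    {"user": "old-consultant", "vendor": "Gone LLC", "shared_login": False,
     "mfa_factor": None, "contract_end": date(2023, 1, 1), "active": False},
]


def audit_account(account, today):
    """Return the list of policy findings for one vendor account."""
    findings = []
    if not account["active"]:
        return findings  # already disabled; nothing further to review
    if account["shared_login"]:
        findings.append("shared credential: issue a unique login per individual")
    factor = account["mfa_factor"]
    if factor is None:
        findings.append("no MFA enrolled")
    elif factor in WEAK_FACTORS:
        findings.append(f"MFA factor '{factor}' is not company-controlled")
    if account["contract_end"] < today:
        findings.append("contract ended but account still active: disable it")
    return findings


def audit_inventory(accounts, today):
    """Map each user with at least one finding to its list of findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


def run_sample_audit():
    """Run the audit over the constructed inventory at the assumed date."""
    return audit_inventory(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in run_sample_audit().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Accounts that pass every rule (here the RFID-protected one) and accounts already disabled produce no findings, so the report lists only what needs action; the same checks can be re-run on each access review rather than only when a vendor is onboarded.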

7. Recognize How Security Systems Impact Vendors

Cybersecurity doesn’t happen in a vacuum. If your vendors are adding a security risk to your business, consider that your workers may be opening up security risks to your third-party partners. Have a policy in place to handle how third-party vendors may be impacted. Because your team may be working remotely, and because response teams should include representatives from departments such as legal, marketing, human resources, information technology and security, a predetermined emergency response plan will keep the right people informed quickly and get the word out in an organized manner.
