Third-party vendors can be a risk to an organization’s data and network security. Enterprises depend on vendors to follow security best practices that meet company standards whenever they have access to the company network. But those expectations were set when most people worked from their company’s physical place of business and cybersecurity oversight could be stricter.
Now that remote work is the norm, third-party vendors face the same security challenges as the rest of the organization. Workers may be using personal devices, sharing devices, working under poor home security practices, connecting over unsecured Wi-Fi and more.
Chief information security officers and other security decision makers have to rethink some of their protocols to make certain remote workers stay secure. In the same way, they also need to ensure their third-party vendors are following the same protocol standards. Here are tips to help you evaluate your third-party vendor security when everyone is working remotely.
1. Re-Assess Your Vendor Management Risks
This is a good time to reevaluate each vendor’s overall security posture. How were your vendors’ security standards in 2019? Were they victims of data breaches recently? What type of security plans do they have in place? What type of access does the vendor have to your network and data? Where is data stored? What procedures are in place for data loss prevention or a disruption of service, especially if there is a crisis such as virus spread or a natural disaster?
If your vendor was not meeting your security standards in the past, it may be time to re-assess the relationship.
2. Recognize the Types of Risks Coming From Remote Work
According to Digital Shadows, there are three primary types of risk from third-party vendors: operational, transactional and compliance/regulatory. To keep your organization from being impacted by these risk types, make sure the vendor’s security protocols stay as close as possible to those of pre-remote-work days. There should be an emergency plan so your business can continue operating if their security fails. Take the steps necessary to meet all compliance requirements for both industry and government standards.
3. Ask Your Vendor How They are Managing Cybersecurity
Proper vendor management includes a continuing dialogue between vendors and your organization’s leadership about how cybersecurity is managed on both sides. Both partners should be aware of how much of the workforce is remote. Who is working onsite? What is the overall security coverage like? How long does it take to address a cyber incident remotely versus onsite? Any security protocols already in place, such as encryption services or malware detection software, should be included in these conversations.
4. Know Your Vendors
Do you know all your third-party vendors? If not, this is a good time to find out who your company regularly interacts with and how. A cloud service provider has access to the corporate infrastructure in a different way than a consultant temporarily working on a project with limited network access. This, in turn, is different from an independent contractor who joins video conference calls once a month. Knowing every person or company that uses your network connections in some way allows for more clearly defined cybersecurity and better detection of potential threats. You may find that you have third-party users with access and credentials they shouldn’t have.
5. Update Your Service Level Agreements
You already have a contractual agreement with the third party as part of vendor management. Consider adding amendments that cover remote work-related security issues. If you aren’t sure what to include, consider what your own internal policies are and follow those. Again, anyone who has access to your sensitive information should be following the same security procedures whether they are inside or outside the company. These issues to add to the agreements could include “contractual restrictions against remote service locations, difficulty (or impossibility) of maintaining required performance levels, increases in the costs of services delivery and client-required security safeguards that cannot be implemented in a work-from-home environment,” a Lexology blog post advises.
6. Add Multifactor Authentication for Remote Work
When working onsite, your third-party vendor may have come in person to access applications on your network. With remote work, that may not be possible. While multifactor authentication should be standard all the time, it is especially important when your third-party partners are working remotely and using unknown devices to gain access to the network. Credentials should be unique to each individual user to cut down on credential theft. Credentials should not be handed down to a former associate’s replacement. Also consider using a second or third factor that your company can control, such as Radio Frequency Identification (RFID) cards or biometrics, rather than an SMS or email factor. Always close down the account as soon as the business relationship ends.
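Tips 4 and 6 together describe an audit a security team can run over its third-party account inventory: every vendor login should map to one named person, carry a strong second factor rather than SMS or email, be disabled once the contract ends, and hold no more access than that vendor type needs. The script below is an added example, not code from the article or from any product it mentions. The vendor names, account records and the per-vendor-type access map are constructed for illustration and are assumptions, not data from the page.

```python
"""Audit a constructed third-party account inventory for the remote-work
risks described in the article: shared or unowned credentials, missing or
weak MFA, accounts outliving their contract, and access beyond the vendor's role."""
from dataclasses import dataclass
from datetime import date

# Factors the company itself controls count as strong; SMS/email as weak.
STRONG_FACTORS = {"hardware_token", "rfid_card", "biometric", "authenticator_app"}
WEAK_FACTORS = {"sms", "email"}

# Assumed maximum access per vendor type, modelled on the article's examples
# (cloud provider, project consultant, occasional video-call contractor).
ALLOWED_ACCESS = {
    "cloud_provider": {"infrastructure", "vpn"},
    "consultant": {"vpn", "project_share"},
    "contractor": {"video_conf"},
}


@dataclass
class VendorAccount:
    username: str
    vendor: str
    owner: str                  # named individual; "" if nobody is named
    access_level: str           # e.g. "infrastructure", "vpn", "admin"
    mfa_factors: tuple          # enrolled second factors, () if none
    contract_end: date
    shared_with: tuple = ()     # other people known to use this login


def audit_account(acct, vendor_type, today):
    """Return the list of finding tags for one account (empty list = clean)."""
    findings = []
    if acct.shared_with or not acct.owner:
        findings.append("shared-or-unowned-credential")
    if not acct.mfa_factors:
        findings.append("no-mfa")
    elif not (set(acct.mfa_factors) & STRONG_FACTORS):
        findings.append("weak-second-factor")          # only SMS/email enrolled
    if acct.contract_end < today:
        findings.append("past-contract-end")           # should already be closed
    if acct.access_level not in ALLOWED_ACCESS.get(vendor_type, set()):
        findings.append("access-exceeds-vendor-role")
    return findings


def audit_inventory(accounts, vendor_types, today):
    """Map each username to its findings; vendor_types maps vendor -> type."""
    return {a.username: audit_account(a, vendor_types[a.vendor], today)
            for a in accounts}


# Constructed sample data (not real vendors or accounts).
VENDOR_TYPES = {"CloudCo": "cloud_provider",
                "AcmeConsulting": "consultant",
                "J.Doe": "contractor"}

SAMPLE_ACCOUNTS = [
    VendorAccount("cloudco-svc", "CloudCo", "Ana Ruiz", "infrastructure",
                  ("authenticator_app",), date(2021, 6, 30)),
    VendorAccount("acme-shared", "AcmeConsulting", "", "vpn",
                  ("sms",), date(2020, 12, 31), shared_with=("Bob", "Cy")),
    VendorAccount("jdoe", "J.Doe", "J. Doe", "admin",
                  (), date(2020, 3, 31)),
]

# Fixed audit date so the sample run is reproducible.
AUDIT_DATE = date(2020, 9, 1)


def run_sample_audit():
    return audit_inventory(SAMPLE_ACCOUNTS, VENDOR_TYPES, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in run_sample_audit().items():
        print(f"{user}: {', '.join(findings) or 'OK'}")
```

Each finding tag corresponds to one of the article's recommendations, so the output doubles as a checklist for the vendor conversation in tip 3: a `past-contract-end` account is one that should already have been closed, and `access-exceeds-vendor-role` is exactly the "credentials they shouldn't have" case from tip 4.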
7. Recognize How Security Systems Impact Vendors
Cybersecurity doesn’t happen in a vacuum. If your vendors add security risk to your business, consider that your workers may likewise be opening up security risks for your third-party partners. Have a policy in place for handling how third-party vendors may be impacted. Your team may be working remotely, and response teams should have representation across departments such as legal, marketing, human resources, information technology and security. A predetermined emergency response plan keeps the right people informed quickly and gets the word out in an organized manner.