Are we seeing the light at the end of the Covid tunnel? Possibly. But even as vaccines roll out at increasing speeds and certain companies are deciding to return to their offices, industries need to consider a new cyber threat: employees working from home. They then need to take a long hard look at their process and ask themselves: Where do we go from here?
Let’s backtrack a little…
Where We Were Last Year
The pandemic has forever changed the face of business. A change that happened seemingly overnight. With a large portion of the workforce suddenly unable to work, unemployed, or working from home, the process of how we do business changed dramatically and forever. Guest bedrooms and dens transformed miraculously into home offices, Zoom calls became the rule rather than the exception, and internet use spiked across the globe. This radical push online was likely going to happen anyway but Covid drove us, ready or not, to this premature end. As unprepared employers scrambled to shore up some of their most basic digital loose-ends to quickly enable their employees to work remotely, other, more sinister threats became a reality.
- Phishing schemes emerged to take advantage of all the employees now outside company computer firewalls
- Unencrypted file sharing made documents available to unintended eyes
- Personal devices and open documents invited unwelcomed views of private information
- Weak passwords that otherwise would have had redundant security systems exposed entryways for hackers
- Insecure home Wi-Fi connections became targets for ease of access
In a scramble just to keep their businesses afloat, many organizations simply had to assume and ignore the risk of very real cyber threats stemming from a remote workforce. The world was a very dangerous place in more ways than one as the global pandemic of 2020 took its toll. However, as the vaccine begins to bring us back to “business as usual”, CEOs, board members, and small business owners alike now have the time to examine and prepare for the new normal that is working from home–and need to start doing so right away.
Remote Work Is Here To Stay
The New York Times reported that 60% of adults would prefer to remain working from home in the long term. This means that while some employees are back to secure locations most businesses need to adapt their risk management strategy to account for a dispersed workforce. Furthermore, as of April 22, 2021, 40% of US adults have been vaccinated but we are still not seeing nearly that percentage return to in-person workspaces. Shoved into a new digital age with more tools to conduct business online and less need for expensive brick and mortar locations, many organizations have chosen to continue part or full-time work from home.
Where We Go From Here: Third-Party Risk Management and a Remote Workforce
Third-party Risk Management companies are doing their best to uncover and communicate looming cybersecurity threats from remote work. Its becoming more and more clear that companies face exponential risks along with each of the vendors they do business with. Third-party vendors themselves are still facing sinister threats with security solutions akin to duct tape putting Chief Information Security Officers everywhere in the hot seat to think through protocols to secure remote workers.
Not dissimilarly, CISOs will also likely be involved in shoring up their third-party vendors’ protocols to ensure ongoing security standards. We’ve compiled a list of 5 easily actionable security tips to add to an overall third-party risk management strategy.
Actional Tips to Shore Up Third-Party Risks Moving Forward
1.) Revisit your Vendor Management Risks Early and Often
Just because your vendor filled in a new questionnaire during 2020 doesn’t mean that their risk factors haven’t changed. Similar to your internal processes, think through some of the following questions: Now that the vaccine is sending certain people back to work, does your vendor now have a half-home half-work-based force? And how are they managing their risks associated with that mix? What procedures do they have in place for data corruption, loss, or breach? Were they exposed during past data breaches? And how are they continually working against that and future exposures?
A good rule of thumb to follow is, as soon as you notice a change in your risk factors, check in with all of your vendors. Early and often is the best way to stay ahead of new risks.
2.) Know Your Vendors & Ask Your Vendors Specific Questions About Their Cybersecurity Protocols…and Offer To Help
It may seem incredibly simple but spending time understanding your vendors’ business models may help you identify risks they may not see. And, as you may have been working with them for a long time, you are perfectly situated to ask them very specific questions that both help them plug risks holes and cover your company’s exposures for continued work with them.
3.) Recognize How Security Systems Impact Your Vendors
If your vendors are adding cybersecurity risks to your overall business profile, make sure your emergency risk response plan accounts for your third-party vendors. While it’s never exciting or easy to dedicate resources to creating a worst-case emergency plan, make sure to use the pandemic as an example of why these precautionary steps are so important to overall risk management strategies.
4.) Think Critically About the Kinds of Developing Risks Coming From Remote Working
Remote working is here to stay. So it’s important for companies to continually update their policies, practices, tools, and approach to having a remote workforce. Perhaps your employees are now able to work remotely from anywhere. Does that mean they are in public spaces? Are they working from abroad with insecure or unpredictable Wi-Fi? Or, perhaps, they are using their own devices for ongoing remote work. Does your company have a policy or budget to help them upgrade when the time inevitably comes? Risks can disguise themselves as unexpected budgetary line items or hide in unfamiliar environments. It’s important to stay out ahead of what your employees are doing.
5.) Require Two-Factor Authentication for All Remote Working Technologies
Annoying but effective, two-factor or multi-factor authentication is essential to securing your employee’s devices, your information, and potentially that of your clients. Try to find a way to roll out these new requirements in a way that doesn’t make everyone grunt and roll their eyes at the same time–we wish you luck.
In short, moving from a reactionary to a proactive methodology is the only way to safely move forward with organizational cybersecurity risk. This, alongside having a proven way to deal with a constantly changing risk environment is what will set your company apart and ensure that third-party risks are kept to a minimum.