Posted on Mar 13, 2020
As organizations attempt to “flatten the curve” (i.e., mitigate the spread) of coronavirus (COVID-19) by moving their workforces to be completely remote, they face new cybersecurity risks as the attack surface expands well beyond the traditional network. As companies rush to prepare themselves for the long-term impact of COVID-19, they also need to start considering the new vendor risk management issues associated with their third-party business partners’ remote workforces. Point-in-time vendor questionnaires struggle to detect security threats even under normal circumstances; as the attack surface rapidly expands, they become even less effective. As you begin your cybersecurity and coronavirus business continuity planning, these five vendor risk management considerations can help protect your company during the COVID-19 pandemic.
On March 10, the New York Department of Financial Services (“NYDFS”) published coronavirus-related guidance to its regulated members. On March 11, NYDFS asked each of its institutions to submit a plan to assess and monitor potential financial risk arising from coronavirus. The plan is due by April 11. Specifically, the request asked institutions’ risk management programs to assess credit risk from counterparties impacted by coronavirus.
Practically speaking, NYDFS will likely expect that an organization’s risk assessment plan also includes an assessment of counterparties’ cybersecurity preparedness. Do your vendors have cybersecurity contingency planning, particularly given the uncertainties involving coronavirus?
For example, a vendor whose technologies currently interact only with traditionally low-risk data could end up connecting to a network containing personally identifiable information (PII); the attack surface expanded by remote workforce members might shift that vendor’s risk level.
Being proactive by re-assessing vendors and other potential risks will help protect your company’s data security posture.
While any vendor can lead to a data breach, triaging your vendor risk means starting with the vendors who access mission-critical information. SLAs act as the primary contractual agreement between your organization and your vendors’ organizations. These agreements, along with cybersecurity insurance, help establish the cybersecurity liability that you retain in the event you experience a third-party data security event.
When reviewing the SLAs, you want to determine whether they include:
Consider applying the same level of analysis to your vendors’ cybersecurity as you use on your own company. You may also wish to review your own SLAs to determine whether they incorporate terms and conditions that allow you to terminate a vendor’s contract for security control weaknesses.
Remote workforces create a data risk arising from digital information sharing, specifically the amount of data shared via email and chat collaboration services. While this may have been a low-risk issue previously, a potentially global remote workforce may turn it into a high-risk issue.
When attempting to mitigate vendor risk as part of your evolving threat management, you want to ensure that you know all of the applications used by your vendors, including:
Even if your organization details its applications as part of its cybersecurity monitoring processes, your vendor may not have incorporated these as potential risks. The risk is real: as recently as January 2020, a security vulnerability in Cisco Webex enabled unauthorized users to gain access to password-protected video conferencing calls.
Cybercriminals may target the applications that enable remote work more heavily during the coronavirus pandemic than they did beforehand, which means organizations need to know how their vendors manage these risks.
Many of the web applications used to support a remote workforce also increase the risks associated with unstructured data. Should a cybercriminal gain access to the email service, direct messaging platform, or video conferencing platform, encryption adds the additional layer of security necessary for protecting information.
As part of your due diligence in maintaining a strong vendor risk management program, you need to ask your vendors the following questions:
Understanding not only where vendors transmit and share data but how they protect data-in-transit gives you visibility into additional attack vectors that can weaken your security posture.
You may already have a process in place for monitoring vendor cybersecurity risk. Given this mass transition to a remote working world, you need to re-evaluate whether your current continuous third-party monitoring method keeps pace with the evolved threat surface.
As part of this re-evaluation, you should consider: