As organizations attempt to “Flatten the Curve” (i.e., mitigate the spread) of coronavirus (COVID-19) by moving their workforces to be completely remote, they face new cybersecurity risks as the attack surface expands well beyond the traditional network. As companies rush to prepare themselves for the long-term impact of COVID-19, they also need to start considering the new vendor risk management issues associated with their third-party business partners’ remote workforces. As the attack surfaces rapidly expand, point-in-time vendor questionnaires lack the ability to detect security threats under normal circumstances, but with the expanded attack surface, they become even less effective. As you begin your cybersecurity and coronavirus business continuity planning, these five vendor risk management considerations can help protect your company during this COVID-19 pandemic.
On March 10, the New York Department of Financial Services (“NYDFS”) published coronavirus-related guidance to its regulated members. On March 11, NYDFS asked each of its institutions to submit a plan to assess and monitor potential financial risk arising from coronavirus. The plan is due by April 11. Specifically, the request asked institutions’ risk management programs to assess credit risk from counterparties impacted by coronavirus.
Practically speaking, DFS will likely expect that an organization’s risk assessment plan also includes an assessment of counterparties’ cybersecurity preparedness. Do your vendors have cybersecurity contingency planning, particularly given the uncertainties involving coronavirus?
For example, if you currently have a vendor whose technologies interact with traditionally low-risk data but that could move to a network containing personally identifiable information (PII), the expanded attack surface from remote workforce members might shift the risk level.
Being proactive by re-assessing vendors and other potential risks will help protect your company’s data security posture.
Review Service Level Agreements (SLAs) with critical vendors
While any vendor can lead to a data breach, triaging your vendor risk means starting with the vendors who access mission-critical information. SLAs act as the primary contractual agreement between your organization and your vendors’ organizations. These agreements, along with cybersecurity insurance, helps establish the cybersecurity liability that you retain in the event you experience a third-party data security event.
When reviewing the SLAs, you want to determine whether they include:
- Monitoring of all connected devices
- Level of authentication required to access networks
- Continuous network monitoring
- Application security
- Remote employee work policy
Consider applying the same level of analysis to your vendors’ cybersecurity as you use on your own company. You may also wish to review your own SLAs to determine whether they incorporate terms and conditions that allow you to terminate a vendor’s contract for security control weaknesses.
Review vendor web application security policies, processes, and procedures
Remote workforces create a data risk arising from digital information sharing, specifically the amount of data shared via email and chat collaboration services. While this may have been a low-risk issue previously, a potentially global remote workforce may shift this to become a high-risk issue.
When attempting to mitigate vendor risk as part of your evolving threat management, you want to ensure that you know all of the applications used by your vendors, including:
- Email services used
- Direct messaging/Chat applications used
- Video conferencing services used
Even if your organization details its applications as part of its cybersecurity monitoring processes, your vendor may not have incorporated these as potential risks. However, as recently as January 2020, a security vulnerability in Cisco Webex enabled unauthorized users to gain access to password-protected video conferencing calls.
Cybercriminals may look to target these applications that enable remote work more during the Coronavirus pandemic than they did beforehand, which means organizations need to know how their vendors manage these risks.
Understand vendor data encryption policies, processes, and procedures
Many of the web applications used to support a remote workforce also increase the risks associated with unstructured data. Should a cybercriminal gain access to the email service, direct messaging platform, or video conferencing platform, encryption adds the additional layer of security necessary for protecting information.
As part of your due diligence in maintaining a strong vendor risk management program, you need to ask your vendors the following questions:
- What encryption protocols do you have in place for email transmissions?
- Have you used encryption for any other services that transmit information?
- If you have not incorporated encryption for these services, when do you plan to do so and how?
Understanding not only where vendors transmit and share data but how they protect data-in-transit gives you visibility into additional attack vectors that can weaken your security posture.
Re-evaluate your continuous vendor risk monitoring strategy
You may already have a process in place for monitoring vendor cybersecurity risk. In the case of this mass transition to a remote working world, you need to re-evaluate whether your current continuous third-party monitoring method keeps pace with the evolved threat surface.
As part of this re-evaluation, you should consider:
- Visibility into how often vendors apply security patches
- Vendor response time to queries
- Fourth-party vendor security
- Documentation capabilities when discovering a new vendor risk