Why Third-Party Risk Management Has Never Been More Important
Sibel Bagcilar | March 23, 2020
Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how they can do their part to protect their employees — as well as their communities as a whole.
In an effort to halt the spread of the virus, more and more organizations are instituting a mandatory work from home (WFH) policy, but, in doing so, they’re being faced with a variety of new challenges that make maintaining the desired cybersecurity posture — both internally and within their third-party network — more complex than ever. Furthermore, more organizations are seeking to acquire software ad technology to help accommodate new business requirements. In order to prevent unknown risk from entering your ecosystem, it’s critical that you have a plan in place to rapidly assess, monitor, manage, and mitigate third-party risk.
More risk, less control
When organizations work remotely on such a widespread scale, they open themselves up to new and evolving threats. At a basic level, it’s increasingly difficult for an IT team to enforce stringent security controls and policies when employees are operating from disparate locations on various networks and devices. While some team members may be working on unpatched machines that haven’t been connected to the corporate VPN in days or weeks, others may connect to unsecure, shared WiFi networks while at home.
To make matters worse, opportunistic hackers are taking advantage of the ongoing fear surrounding the pandemic. Bad actors are targeting individuals with phishing emails that appear to come from an official source, such as the Centers for Disease Control (CDC). These emails contain a malware-ridden attachment that infects the computer in question and steals the individual’s personal information.
These risk factors are hard to assess and mitigate in your own organization — and even more difficult to monitor when it comes to your third- and fourth-party network, where you have less visibility and control.
Vendor assessment challenges
Given the current risk outlook during the coronavirus pandemic, the need for companies to collect cybersecurity data about their vendors has never been more critical. That being said, recent travel bans and widespread WFH policies prevent on-site evaluations from being a viable option, completely upending traditional ways of assessing third-party risk. In addition, organizations that have previously leveraged consultants to aid in their evaluation processes now need to rethink their approach. As most consultants will no longer be traveling, it’s more difficult than ever for companies to rely on these outside agencies for assessment insights — meaning many security leaders will need to come up with new policies and procedures to bring these programs in-house.
Of course, any current or new manual assessment processes will be slower and more stressful than ever due to the disconnects and challenges that come with a newly remote workforce. This is a challenge in the current environment with business requirements necessitating rapid software and technology acquisition. Furthermore, even with the latest video conferencing capabilities, brainstorming sessions and planning meetings will be increasingly difficult when everyone’s in a different location and relying on potentially flawed home WiFi networks.
In order to promote efficient and effective vendor assessment and onboarding processes in these conditions, it’s critical to streamline and automate wherever possible. Many organizations will need to completely rethink their assessment schedule and policy to include more remote monitoring capabilities. By leveraging a dynamic, standardized cyber risk KPI, like security ratings, to assess each potential vendor’s security posture side-by-side, you can immediately identify areas of risk that require attention — and make data-driven evaluation decisions with the limited remote resources you have today.
Developing remediation contingencies
Once a vendor has been onboarded, it’s critical to continuously monitor their security posture to ensure they’re maintaining the previously agreed-upon risk thresholds. As security ratings are updated on a daily basis, you can easily leverage this data to track any security shifts in your third-party network from your remote working location.
Of course, monitoring only goes so far. If you identify critical vulnerabilities that pose a risk to your ecosystem, you need to have a remediation plan in place. That being said, in this age of mandated WFH policies, your previously agreed-upon plans will likely need to be reassessed and updated.
As part of your third-party risk management initiative, make sure you align with all your current vendors regarding how their remote workforce will handle any security issues that arise over the coming weeks and months. For instance, you should confirm that they have a plan in place to resolve any data center vulnerabilities, given that no employees will likely be permitted to travel there.
As is the case whenever you update vendor security expectations, make sure that any and all contingencies are documented in writing and agreed upon. Outline the preferred forms of communication and be as specific as possible when defining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.
Closing the security (and communication) gaps
During these uncertain times, it’s more important than ever to be proactive and vigilant when it comes to your organization’s cybersecurity. Don’t let a security incident be the first time you reconnect with your third parties about new processes and standards you need to implement during this global crisis. As the workforce goes remote and new targeted threats become increasingly prevalent, it’s critical to have a plan in place to continuously evaluate and manage both your security posture and that of your vendor ecosystem.
Of course, given the current resource restrictions and unprecedented stress on the overall digital supply chain, every organization is going to need to start by reassessing (and potentially overhauling) their existing policies and procedures. In many ways, this is uncharted territory and no security leader is going to have all the right answers immediately — but you must be willing to think outside of the box to accomplish your responsibilities, support your team, and protect your network in this new and evolving risk environment.
To learn more about how BitSight for Third-Party Risk Management can help you monitor and mitigate risk present throughout your vendors’ ecosystems, check out our white paper or ask for a demo.
Cyber risk is everywhere. As organizations become increasingly interconnected — across business units, geographies, subsidiaries, remote offices, and third-party networks — the digital ecosystem is expanding rapidly. And this increased ...