While vendor cybersecurity preparedness has always been important, it's an especially hot topic in our current pandemic environment. With a massive shift to remote work, a better understanding of our vendors' cybersecurity has never been so crucial. It's also a non-negotiable part of any holistic third-party risk management program.
Vendor Cybersecurity Risk Increased Due to the Pandemic
Unfortunately, chaos often begets chaos, and the effects of the pandemic are no exception. The rapid shift in our workforce has opened us up to a plethora of threats related to expanded network access.
Here are three to consider:
- Remote workforce risks. Working from home puts strain on a lot of systems: internet service providers, cable service providers and operating systems. Additionally, many organizations don't have policies or security systems in place to protect data accessed outside of their normal operating facilities, which greatly increases their exposure to risk.
- Bad actors are especially alert. Unfortunately, scammers don't slow down in times like these; in fact, they're more primed than ever to take advantage of vulnerabilities, using phishing schemes and malware and generally preying on overtaxed systems.
- Loss of key workers. During a pandemic and the response to it, if your vendor's team is depleted due to sickness or quarantine procedures, what is their contingency for response? If they have a true incident in their environment, how will they handle it if the primary incident handlers are unavailable?
Why Is Vendor Cybersecurity Important?
Monitoring your vendor’s cybersecurity posture has always been a hugely important part of regular due diligence practice. Yet, our current environment underscores its importance more clearly than ever.
Here are the top two reasons you need a strong vendor cybersecurity posture:
- Cybersecurity preparedness mitigates risk. How? By allowing you to influence the vendor to strengthen their controls, supplement their controls with your own and decide whether you should stay with that vendor, as needed. A good way to monitor a vendor's security controls is by reviewing their SOC 2 report or a comparable audit report, if one is available. A vendor breach can have a big impact on you and your brand – it's what we call reputational risk, and it's not territory you ever want to find yourself in.
- Cybersecurity is a hot button for regulators. Now, more than ever, regulators are watching to make sure organizations are following through on guidance and regulation. It's commonly required to demonstrate that your organization is taking proactive steps to identify and mitigate potential areas of cybersecurity weakness with your vendors. You're expected to cover the CIA information security triad (confidentiality, integrity and availability) in your processes, as well as to comply with regulations like GDPR and CCPA, just to name a couple. There's also been talk of many more states following California and New York's lead in tightening regulation, which means there will only be an increase in cybersecurity oversight and requirements.
Additionally, it’s important to remember that in many cases your own clients are required by a government or industry regulation to ask for documentation in order to determine if they should continue doing business with you. If you want to serve those industries, you need to be prepared and have proof that your vendors are, too.
What Should You Look for in Your Vendor’s Cybersecurity Plan?
Because our current pandemic situation has seen such a huge shift towards a remote workforce, and bad actors are attempting more fervently than ever to knock down doors, it's important to confirm that our vendors have the appropriate cybersecurity controls in place. So, what else should you be looking for?
As you're reviewing your vendors' cybersecurity plans, there are four primary areas to consider:
- Security testing. This is a great way to identify weaknesses in a tangible format. Your vendors' reported security testing should include regular, standardized penetration testing of internal and external networks as well as social engineering testing. Social engineering testing should include things such as:
  - Simulated phishing emails
  - Employee awareness tests
  Regular security testing should also come with documented follow-up on findings as well as mitigation of any issues that were found. You want to make sure that your vendor has demonstrated that they're testing for weaknesses, following up on any issues and fixing them within an appropriate time window. Your vendor should be able to provide documented evidence that security testing is done at least annually and by an impartial third party.
- Sensitive data security. In our current environment, you want to make sure that vendors have measures in place for any changes in how sensitive data is stored. Understanding how vendors secure your data at rest and in transit is essential. They should have controls such as:
  - Data retention and destruction policies
  - Data classification and privacy policies, access management, etc.
  - Remote access and infrastructure policies
  Ask yourself: if their workforce is working from home now, what measures do they have in place to secure data for remote workers?
- Employee, contractor and vendor management training. You have to understand the vendor's ability, through safeguards and training, to ensure that their employees, contractors and their own vendors are prepared to protect your data. Training of these groups, as well as documented and enforced access management, is critical to data protection. Some of the ways a third party can offer assurance that anyone with access to your data is properly trained include:
  - Confidentiality agreements
  - Security training
  - Management of vendors
  - Access management
- Incident detection and response. It's inevitable: incidents will happen. The key to minimizing the impact is discovering them quickly and having a plan to address them effectively. Your vendor should be able to demonstrate what they plan to do if an incident occurs, and should be able to provide documentation around the following:
  - How they'll identify an incident
  - Their response plan and notification procedures
  - Contingency for response if the team is depleted due to sickness or quarantine procedures, especially during a pandemic
  - How they'll handle a true incident in their environment if primary handlers are unavailable
Pro tip: Cyber insurance isn't a substitute for security, but it can offer a level of assurance that a vendor takes cybersecurity seriously. Errors and omissions, cybercrime and sabotage coverage are just some of the insurance policies that offer a level of risk transfer to your organization and protection against cyber exposures.
From a planning standpoint, you need to consider all of the possible problems that could occur, what steps you need to be prepared to take and how long until normal operations can resume in order to minimize the impact to your organization and your customers.
When it comes to cybersecurity, we all must consider our current climate and how organizations are choosing to work. Whatever you do, don't forget the importance of documentation. When it comes to the regulators, if it isn't documented, it didn't happen. The same goes for ongoing monitoring: make sure to keep it up!
You've heard the saying that a chain is only as strong as its weakest link, and that's particularly true in the world of third-party risk management. Industry best practice and regulatory guidance want you to consider all of the potential ramifications posed by a third party, whether in the form of a data breach or a significant business disruption like the one we've experienced with COVID-19.
There are 10 steps you need to be taking during a pandemic to manage third-party risk. Download the infographic.