Weathering the Pandemic Storm: You & Your Vendors Are in the Same Boat

Sudden change can be chaos personified. Fear, uncertainty and doubt are everywhere; and while we’ve always known there are thousands of events that can activate our pandemic plans, did anyone really expect a total governmental shutdown? Probably not. Sudden change can be shocking. Shutting down the world was shocking to say the least. Life changed for us all, but perhaps those most affected within organizations were our technology teams.

The status quo has shifted, and now we all are more than familiar with the acronym “WFH” (work from home). In fact, it’s not uncommon to join video calls with one or both parents working from home, and a pack of home-schooled children executing wind sprints from one side of the house to the other. The funny thing is, everybody is suddenly more than okay with having pets and kids running around during video calls. Personally, I hope that never changes.

But there are other areas that do need to change. Your organization invests in understanding its own cybersecurity and now, more than ever, must invest further by ensuring your organization’s vendors are taking care of their cyber hygiene. Understanding your vendors’ cybersecurity posture can greatly reduce your risk. Your vendors are going through the very same pandemic we are all wading through. Do you know how they are securing your organization’s data?

Before COVID-19, we looked at SOC reports and did everything we could to ensure every critical and high-risk vendor was doing everything they could to secure our customer data. Today, we must do more.

How can you secure a remote workforce in this brave new world?

Remember, the pieces of a solid cybersecurity program remain unchanged in the face of a pandemic. We all need a strong Security Education, Training, and Awareness (SETA) program. Remember, cybersecurity is a team sport! Even if we’d rather sit this one out, participation, at this point, is non-optional. It’s more important than ever for us to make sure we’re training every employee on how the bad guys operate.

We need to make sure we know who our stakeholders are, and we need to keep the lines of communication completely open. We also must make sure we have the appropriate budget to keep all the technology in place and operational. Today’s budget for cybersecurity should be a little larger than it was before COVID-19.

Pandemics are one of the many environmental risks we must consider in our business continuity management plans. Planning for a pandemic isn’t fun; but the first step towards creating one is making sure you have a business impact analysis (BIA). A BIA is an analysis to determine if your organization can operate effectively while the vendor is unavailable. The BIA can help determine the processes that are critical to your operation so that your workforce knows what’s the most important to restore first should disaster strike.

Once you’ve determined what the important processes are, as well as the order in which they must be recovered in order for your organization to minimize the impact of an event (pandemics are events too), you can then determine the following:

• Recovery time objectives (RTOs): The targeted duration of time in which the vendor must restore a business process, post-disruption, to avoid unacceptable consequences associated with business continuity.
• Recovery point objectives (RPOs): How much data may be lost if data needs to be recovered. Typically, this matches with your backup or replication frequency.
• Maximum tolerable downtime (MTD): The maximum period of time that the vendor can be down before their survival is at risk.

What’s good for you is also GREAT for your vendors!

Now is the time to revisit our security architectures to ensure they’re going to meet the needs of a WFH world. While we’re doing this review, we need to dial into our vendors’ security architectures as well to make sure they blend well with our own.

One of the fundamental tenants of information security is to know what’s on your network, such as what equipment is on the network and if it’s being patched appropriately. Asset identification is critical today. When everyone is working from home, we have a more difficult time seeing all the devices on our networks.

Of course, we’ll all need to update our business continuity management plans. The lessons learned sessions that will come out of COVID-19 will be epically illuminating. Our risk management strategies and tactics will have to be revisited as well, and we’ll need to ask hard questions about risk moving forward. We may even decide that some of the risks we were willing to accept, are now risks we want to avoid altogether.

An event like COVID-19 dramatically points out one weakness almost all organizations are now lamenting: training (and cross-training.) We need to make sure we have at least two well-schooled people who are virtually interchangeable and can keep the wheels on the bus going ‘round. (Can you tell I’ve been at home too long?)

12 Common Cybersecurity Mistakes You and Your Vendors Want to Avoid

So, while we’re here, let’s take a look at a few areas you should ensure your vendors are keeping clear of:

1. Believing they’re the exception. The one thing people absolutely must understand is that hackers aren’t picky. They go after any low hanging fruit. A crisis puts a lot of fruit and infrastructure at risk.
   
   
2. Lack of a SETA program. It’s more important than ever to ensure we constantly educate our workforce on the ploys bad actors use to deceive us all. Awareness is understanding and understanding is knowledge.
   
   
3. Pointing fingers at malware. Malware is one of the tools every hacker has in their arsenal. And keep in mind, it’s a tool they use AFTER they have conned a human into doing something that will compromise the network. Hackers use social engineering the way a mechanic uses a crescent wrench.
   
   
4. Not monitoring network activity. Your vendors need to be monitoring the activity on their networks closer than ever before. We need to know what’s running on our infrastructure. It could be a bad actor!
   
   
5. Missing the basics of cybersecurity. Enough said here! They should be educating themselves and aware of the basics.
   
   
6. Failing to locate data. We need to know where our vendors are keeping our data and how they are safeguarding it. Is our data encrypted? It should be.
   
   
7. Not testing the security. You always “think” you have everything secure, but you have to test to BE sure. Your vendors are in the same boat. Ask for copies of their test results, post-testing lessons learned or any hard proof they are handling your data the way you would.
   
   
8. Foregoing training. Just like any professional sport, you have to constantly train to stay competitive, and cybersecurity is competitive. A small to medium-sized organization in the U.S. will see around 500 million exploits pass by their firewalls every year. That’s a lot of competition.
   
   
9. Not assessing vendor risks. If you fail to assess risk up front for products and services, and you fail to do the same for the vendor’s corporate persona, you’ll eventually have a vendor fail. If you fail to do your ongoing due diligence, which includes revisiting your risk assessments at least annually, you're risking a vendor failure. The consequences of failing to properly assess your risks and those your vendors pose to your organization may be unrecoverable for your organization.
   
   
10. Failing to map data flows. In a WFH world, it’s mission critical that you have current, “as built” data flow diagrams. Know where your vendors are storing your information and how they’re processing that data for you.
    
    
11. Overlooking “shadow IT.” Find out if your vendors know they have shadow IT operations, which is the use of IT systems, devices, software, apps and services without explicit IT department approval. It’s common today, especially with the use of cloud-based services, but it’s also a cause for extra expense and security issues. To prevent security issues due to shadow IT: communicate. Make sure to engage the users to better understand what tools they’re using, and if they're not using company-provided tools, ask why.
    
    
12. Failing to work closely with your stakeholders. Make sure your vendors have open lines of communication with their stakeholders…your organization is one of those stakeholders!

It’s a wild world, and in order to keep fear, uncertainty and doubt at bay, all of us have to be willing to take a long hard look at our programs and cybersecurity procedures. It’s not easy, but it’s better to face it head on then operate in the dark.

Need more help dealing with current COVID-19 related challenges? Download the infographic.