Third-party risk management in the age of a pandemic

April 01, 2020 // Tony Howlett

Last Updated: April 14, 2020

Anyone who reads my articles or blog knows that I talk about Third-Party Risk Management (TPRM) a lot. It is my stock in trade, after all, but how does TPRM change when literally everything is changing, albeit temporarily? Not surprisingly, third-party risks have only expanded during this period, for a number of reasons, while the resources needed to deal with them may be strained or overloaded.

In this article, I will discuss these changes to the third-party risk environment and some strategies and tips to deal with them during this once-in-a-lifetime event. First, let’s talk about the new challenges facing IT and security professionals. 

Expanded attack surfaces

With much of the U.S. and the world working from home now, the perimeters of enterprises have expanded dramatically overnight. The same is true for third parties, as companies lean on more outside contractors and vendors to fill the gaps in their workforces created by the coronavirus and its effects. This means your perimeter is now spread out over hundreds or thousands of employees’ and vendors’ home networks. That includes IT administrators working from home who need to access internal networks to do critical tasks. This is challenging in multiple ways; for example, server patches and upgrades must now be done remotely, with a higher risk of outages or problems, because the administrator can’t physically reach the equipment if it fails to come back up. Add to that the sudden expansion of the corporate perimeter into home networks, which generally don’t meet the same standards of cybersecurity hygiene as your corporate network, and employees who are new to working at home and may not know how to work securely in these environments, and you have a scenario ripe for a breach.

With these radical changes coming in a short amount of time, two simple things can help you control and limit this risk. First of all, education is your friend here. Consider putting out, or updating, internal guides on how to work securely from home. Here are some key points to ensure you hit on:

  • As much as possible, practice good cyber hygiene with your other devices at home. This includes keeping anti-virus software up to date on them, using a home firewall, and avoiding risky activities such as surfing illicit sites or downloading pirated material. Any infected computer on your home network could potentially infect your work computer.
  • Only use Wi-Fi that requires a password and uses encryption, and check Wi-Fi access point names against those that businesses publish as official.
  • Keep your work laptop in sleep mode or shut down, with the lid closed, when you are not using it.

Also, make sure to communicate often with employees and vendors about the policies for secure remote access, and enforce those rules. And as you add third-party entities who need access, don’t cut corners on your onboarding processes. Make sure you identify every vendor rep coming into your systems and network and give each of them an individual login. A vendor management system can assist with this task.

Additionally, with most of our endpoints now living in at least mildly hostile environments, you need to put additional controls in place and strengthen your existing ones. Making sure all home workstations have up-to-date operating systems, anti-virus software, and applications is key. You should also consider updating your data governance plan (you do have one, right?) to take into account that many employees and contractors will now be doing all their work from these locations, versus just occasionally working from home or the road. This means administrators will often be using their admin accounts remotely and regular employees may be accessing sensitive data more often. You may want to enforce Multi-Factor Authentication (MFA) more widely, or universally. Also, if you aren’t already requiring it for administrators, you may be in violation of key regulations. Oh, and speaking of compliance, have your compliance department review the use of data in employees’ homes and make sure that it doesn’t cause issues with new privacy laws such as CCPA and GDPR.

Increased and evolving attacks

While a few high-profile hacker groups have announced the postponement of attacks on hospitals, and one group is laughably offering “discounts” on ransoms for such entities, most indications are that attacks are rising sharply. Hackers are opportunists, and this pandemic creates all kinds of opportunities for malicious actors. Phishing scams are on the rise, using sensationalist headlines or offers of miracle cures that some people are sure to fall for. There is also an increase in attackers impersonating delivery companies, since these are services people use more during a crisis of this sort. You can expect hackers to take advantage of overtaxed IT and security staff who may have their hands full supporting VPNs, video conferencing, and other technology for new work-from-home workers.

Staff may be stretched further by illness or layoffs. In this environment, normal security processes, such as patching and longer-term projects, may fall by the wayside. Informing employees of new attacks and methods can dull the blade. And being diligent in keeping up your normal monitoring and auditing processes is paramount at a time like this. Automating some of the monitoring of key accounts with technology such as Privileged Access Management (PAM) or Vendor Privileged Access Management (VPAM) can greatly help you stay vigilant with fewer resources.

New insider threats

In these challenging times for companies, we have to consider that some employees or contractors who are let go during cost-cutting measures may turn to malicious activities either out of revenge or desperation for a new source of income. Their logins, especially privileged credentials, are worth a lot on the black market. They may be tempted to monetize them on the dark web or use them directly to steal data or cause other damage. 

For employees, most companies have pretty good processes for deactivating logins in a timely manner after a termination. Vendors, however, are much less policed, and there is often a lag between a vendor rep leaving the vendor company and that access being removed from customer systems. Because this removal is not real-time, it creates a window of opportunity for those credentials to be abused, either by a malicious former employee or by a hacker who steals them via phishing or some other route. Federating authentication to the vendor’s own directory is one route to near-real-time offboarding, as is using Single Sign-On (SSO) so that only one credential needs to be removed.
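The offboarding lag described above, and the account monitoring the PAM/VPAM paragraph calls for, can both be made concrete with a reconciliation check. The following is an added example, not code from the article or from any product it mentions: it compares what the vendor’s directory says about its reps (who has left, and when) with the customer’s own account store and successful-login events, and reports every departed rep whose account was disabled late or is still enabled, together with any logins that landed inside that window. All user names, dates and log lines are constructed sample data, and the field layout of the log is an assumption.

```python
"""Added example: find the vendor-offboarding lag window and any logins inside it.

All data below is constructed for illustration; the roster would normally come
from the vendor's directory (or a federation feed) and the log from a VPN or
jump host.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed: what the vendor's directory reports about its reps.
VENDOR_ROSTER = {
    "acme-jdoe": {"vendor": "Acme Support", "left_on": None},
    "acme-mlee": {"vendor": "Acme Support", "left_on": "2020-03-20"},
    "acme-rkim": {"vendor": "Acme Support", "left_on": "2020-03-25"},
}

# Constructed: the customer's own account store for those same reps.
LOCAL_ACCOUNTS = {
    "acme-jdoe": {"disabled_on": None},
    "acme-mlee": {"disabled_on": "2020-03-27"},  # disabled a week after departure
    "acme-rkim": {"disabled_on": None},          # still enabled after departure
}

# Constructed: login events, one per line, in an assumed "key=value" layout.
AUTH_LOG = """\
2020-03-19T09:12:03Z login user=acme-mlee src=203.0.113.10 result=success
2020-03-23T22:41:55Z login user=acme-mlee src=198.51.100.7 result=success
2020-03-24T08:02:11Z login user=acme-jdoe src=203.0.113.10 result=success
2020-03-28T03:15:40Z login user=acme-rkim src=198.51.100.9 result=success
2020-03-28T03:16:02Z login user=acme-rkim src=198.51.100.9 result=failure
"""


@dataclass
class Finding:
    user: str
    status: str                  # "lagged": disabled late; "open": still enabled
    lag_days: int                # departure -> disable (or -> as_of if still open)
    logins_in_window: list       # timestamps of successful logins after departure


def _date(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def parse_auth_log(text: str) -> list:
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:])
        fields["raw_ts"] = parts[0]
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def review_vendor_access(roster, accounts, events, as_of: datetime) -> list:
    """Report departed reps whose customer-side access outlived their employment."""
    findings = []
    for user, rec in sorted(roster.items()):
        left = _date(rec["left_on"])
        if left is None:
            continue  # rep still employed at the vendor: nothing to reconcile
        disabled = _date(accounts.get(user, {}).get("disabled_on"))
        window_end = disabled or as_of
        # Successful logins between the departure date and the disable date (or now).
        logins = [
            e["raw_ts"] for e in events
            if e["user"] == user and e["result"] == "success"
            and left <= e["ts"] < window_end
        ]
        status = "lagged" if disabled else "open"
        findings.append(Finding(user, status, (window_end - left).days, logins))
    return findings


if __name__ == "__main__":
    for f in review_vendor_access(VENDOR_ROSTER, LOCAL_ACCOUNTS,
                                  parse_auth_log(AUTH_LOG), datetime(2020, 3, 30)):
        print(f"{f.user}: {f.status}, {f.lag_days} day window, "
              f"{len(f.logins_in_window)} login(s) to investigate")
```

Any "open" finding is an account to disable immediately; any login inside the window, open or lagged, is an event to investigate, since the rep no longer had a legitimate reason to use it. With authentication federated to the vendor's directory, `left_on` and `disabled_on` collapse to the same day and the window shrinks to zero, which is the point the paragraph above makes.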

You may not be able to do all of these things during such a widespread disaster, but even doing a few of them, or just doing what you’re already doing a little better, will make a difference. It could mean that opportunistic hackers pass your company by and look for a less secure one to victimize. Even in the face of adversity, we must remain vigilant. Download our brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications.
