How to tackle potential third-party security threats as employees return to the office
At the height of the pandemic, many companies had adjusted to a new normal of remote working. To get there, organizations were forced to quickly embrace digital transformation to ensure minimal disruption to business operations in order to survive the pandemic. Yet doing so presented many cybersecurity challenges.
For example, we saw the security dangers that surrounded the popular video conferencing service Zoom. While this platform made working from home a lot easier, it gave attackers an opportunity to remotely take over a device by exploiting a critical vulnerability. In addition, increased phishing and ransomware attacks kept security teams working around the clock, often with limited resources, to keep systems running while ensuring security best practices were being followed.
Now, employees are starting to filter back to the office. While a February poll found that the majority of Americans were still working remotely, that is starting to change. We are seeing state governments slowly lifting curfews and restrictions, signaling the start of a return to normalcy. For some employers, welcoming the workforce back to the office in a safe and orderly manner is now, at last, becoming a reality. Yet surprisingly, getting back to normal also presents a certain amount of cybersecurity risk.
Back-to-Office Security Threats
What issues might organizations face as their employees return to the office? Here are some issues to consider:
- While working remotely, many employees were able to use office-issued devices, which helped ensure minimal disruption and continued productivity. Yet since employees often use these devices for non-office purposes, they might have unwittingly interacted with unsafe software, such as children’s games or schooling apps that could contain malware. Typically, VPNs and corporate security gateways provide a layer of protection between these potentially compromised devices and the corporate resources, as well as other corporate workstations. With a return to the office, these less-secure laptops are now being introduced back into the company network without any isolation, creating a serious risk of internal spread and lateral movement.
- With so many depending heavily on their laptops as their sole connection to work, employees may have been reluctant to apply patches to software at home. The reason? They may not have wanted to risk the possibility of a patch causing more problems than it fixed. Without ready access to an IT team that might be able to assist, workers may have opted to delay the patches until returning to the office. Clearly, when all these computers are being reintroduced directly into the corporate network, the risk of intrusion rises sharply. Moreover, it’s likely that the computers left gathering dust in the office have remained unpatched as well, just waiting for people to start using them again and risking remote compromise.
- Returning to the office after such a long period of time requires a certain amount of settling in. Employees can be preoccupied with searching for equipment for their workstations, regaining access permissions and so on, meaning that they have less time to think about cybersecurity and are more susceptible to falling prey to social engineering schemes. At the same time, IT and security teams can be swamped with support issues and anomalies because of the significant change in the workplace. They will likely have a hard time noticing anything unusual, making such companies a much better target.
Third-Party Security Threats
Organizations must also keep in mind that the same issues that they are facing as employees return to work are now being faced by the third-party vendors that they employ, who are also welcoming employees back. This supply chain threat is even greater, simply because businesses often lack adequate visibility into their vendors’ security practices. In fact, research has shown that a lack of visibility into security risk is a critical reason why we are seeing a rise in third-party breaches. Cybercriminals have taken advantage of this and will often target the vendors of larger companies as an easy way to access corporate systems. This can have serious ramifications for businesses, which can face hefty regulatory penalties if their sensitive data is breached via a third party, as well as a loss of customer trust.
For these reasons, it’s more important than ever for organizations to adequately assess their third parties while also considering the back-to-office threats they might now face. It’s imperative to know whether your vendors are aligned with your company’s security controls, compliance regulations and risk appetite. The bottom line is: if your third party does not take security as seriously as you, you’ve given cybercriminals an easy avenue to exploit your organization.
Assessing Third-Party Security
To combat the increase in third-party threats, companies need to evaluate the security posture of their third parties to identify and remediate security gaps. Here are some important steps to consider when incorporating third-party security into the overall security strategy:
- Map all suppliers to understand their relationship to the business, the data they access, and the processes involved. This evaluation identifies the third parties that collect, store and process sensitive information.
- Categorize the vendors by their criticality to the business, since some suppliers have a more significant partnership with the business in terms of technology integration or regulatory impact. As an example, one supplier may process financial data while another could be a supplier of copy paper with no access to corporate systems.
- Evaluate vendors using both customized automated security questionnaires and comprehensive attack surface assessments. Combining the two lets you detect back-to-office issues such as unpatched software while also asking the right questions about, for example, security awareness training.
- Create remediation timelines to close any third-party cyber gaps that are detected, and work closely with vendors to ensure that they actually close them.
- Monitor third parties on a continuous basis. Act on any flagged alert immediately to prevent or mitigate data breaches and to minimize the impact on regulatory compliance.
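The five steps above describe a workflow: inventory the suppliers, tier them by criticality, assess them, set remediation deadlines, and keep watching. The following Python sketch is an added illustration, not code from the article or from any vendor product, of how the tiering and remediation-tracking steps can be encoded so that overdue gaps surface automatically. The vendor names, data classes, the sensitive-data categories and the per-tier SLA days are all constructed assumptions for the example; a real program would load them from the organization's own supplier inventory and risk policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy values (not from the article): which data classes count as
# sensitive, and how many days each criticality tier gets to close a finding.
SENSITIVE_DATA = {"financial", "pii", "health"}
REMEDIATION_SLA_DAYS = {"critical": 14, "high": 30, "low": 90}


@dataclass(frozen=True)
class Vendor:
    """One row of the supplier inventory built in step 1."""
    name: str
    data_classes: Set[str]   # categories of our data the vendor handles
    system_access: bool      # can the vendor reach corporate systems?
    regulated: bool          # does the relationship fall under a regulation?


@dataclass
class Finding:
    """A gap detected by a questionnaire or attack surface assessment (step 3)."""
    vendor: str
    issue: str
    detected: date
    closed: Optional[date] = None


def criticality(vendor: Vendor) -> str:
    """Step 2: tier a vendor by the data it touches and the access it has.

    Sensitive data or regulatory scope makes a vendor critical regardless of
    access; plain system access is high; everything else (the copy-paper
    supplier) is low.
    """
    if vendor.data_classes & SENSITIVE_DATA or vendor.regulated:
        return "critical"
    if vendor.system_access:
        return "high"
    return "low"


def remediation_deadline(finding: Finding, vendor: Vendor) -> date:
    """Step 4: the deadline follows from the vendor's tier, not from the issue."""
    return finding.detected + timedelta(days=REMEDIATION_SLA_DAYS[criticality(vendor)])


def overdue_findings(findings: List[Finding], vendors: Dict[str, Vendor],
                     today: date) -> List[Tuple[str, str, str, int]]:
    """Step 5: return (vendor, issue, tier, days overdue) for every open finding
    that has passed its deadline, most overdue first."""
    overdue = []
    for f in findings:
        if f.closed is not None:
            continue
        vendor = vendors[f.vendor]
        deadline = remediation_deadline(f, vendor)
        if today > deadline:
            overdue.append((f.vendor, f.issue, criticality(vendor), (today - deadline).days))
    return sorted(overdue, key=lambda row: row[3], reverse=True)


# Constructed sample inventory and findings (hypothetical suppliers).
VENDORS = {v.name: v for v in [
    Vendor("Acme Payroll", {"financial", "pii"}, True, True),
    Vendor("Paper Co", set(), False, False),
    Vendor("Facilities Contractor", set(), True, False),
    Vendor("HelpDesk SaaS", {"pii"}, True, False),
]}

FINDINGS = [
    Finding("Acme Payroll", "unpatched VPN appliance", date(2021, 5, 1)),
    Finding("Paper Co", "no security awareness training", date(2021, 4, 1)),
    Finding("Facilities Contractor", "returned laptops not patch-verified", date(2021, 4, 20)),
    Finding("HelpDesk SaaS", "MFA not enforced for admins", date(2021, 4, 10),
            closed=date(2021, 4, 20)),
]


def report(today: date) -> List[Tuple[str, str, str, int]]:
    """Convenience wrapper: the overdue list for the constructed data."""
    return overdue_findings(FINDINGS, VENDORS, today)


if __name__ == "__main__":
    for name, vendor in VENDORS.items():
        print(f"{name:22s} tier={criticality(vendor)}")
    for vendor, issue, tier, days in report(date(2021, 6, 1)):
        print(f"OVERDUE {days:3d}d  [{tier}] {vendor}: {issue}")
```

Run as a script, it prints each vendor's tier and then the open findings that have blown their deadline: the critical payroll vendor's unpatched appliance (17 days late) and the facilities contractor's unverified laptops (12 days late), while the copy-paper supplier's low-tier finding still has time on its 90-day clock and the closed HelpDesk finding is ignored. The point of tying the deadline to the vendor's tier rather than to the issue is that the same gap (say, unpatched software on returning laptops) deserves a much shorter fuse at a supplier that processes financial data than at one with no access to corporate systems.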
Obtaining such visibility may be achievable for companies that have a small number of suppliers, but for most, gaining insight into and control over hundreds, if not thousands, of suppliers can be a considerable obstacle. That’s why it’s vitally important for organizations to use an automated solution that can scale easily. A transparent and accurate view of security risk will enable companies to collaborate with suppliers and remediate any security gaps discovered as employees filter back into the office environment.