Remote Work and the Implications of Third-Party Risk Management
At the initial stages of the coronavirus outbreak, the potential ramifications on both our personal and professional lives were not quite clear.
However, as the situation progressed, it became apparent that the effects would be far-reaching, including the rapid shift towards remote work for many organizations.
This transition resulted in a multitude of cybersecurity challenges that required attention, such as a lack of strategic support, employees utilizing personal devices, and an uptick in phishing attacks. Additionally, these concerns were echoed throughout the supply chain, where vendors faced similar security challenges.
As it becomes increasingly clear that remote working will be a prolonged reality for many organizations, it is important to consider the potential implications for your company.
The following are three key remote workforce challenges that should be considered in the risk management plan.
How to ensure secure remote access for third parties?
If your company is like the majority of others today, you frequently give contractors, vendors, and other people who aren't employees access to internal networks and systems. These privileged users use their own endpoint devices to manage their operating systems, databases, or applications remotely.
The issue is that your security team might not be very familiar with these people or the security procedures used by their organizations.
These users might not have been thoroughly screened, third parties might not have strict security guidelines, and credentials might not be well-protected. Due to these factors, privileged third-party accounts frequently pose the greatest risk to your company.
However, with the right information security procedures, you can help safeguard your company from third-party risk without completely cutting off your operation or impeding legal business operations.
Here are five best practices to ensure secure remote access for third parties.
1. Implement auxiliary procedures and controls that establish and enforce access regulations for privileged third parties
Business relationships can be formed and system access granted without your information security team's knowledge or approval. As a result, clear policies for defining and enforcing non-employee privileged user access must be included in contract negotiations and vendor onboarding procedures.
Once assessments and processes are in place, they must be enforced by the business units that are in charge of managing vendor relationships, onboarding and offboarding users, and responding to incident reports.
Every agreement with a third party must contain the following fundamental components:
References to the actual rules and regulations that a vendor agrees to uphold, such as background checks and training for staff members who have access to your company's computer systems.
Sanctions for non-compliance and corrective actions.
The availability of checks and balances to confirm compliance.
2. Authenticate users and protect privileged credentials with multi-factor authentication technology
It is common for a third party to lack the security maturity of bigger organizations, and credential management is one area where this is particularly true. Credentials for partners and vendors are frequently inadequately protected and open to accidental disclosure.
To protect credentials, you must actively manage and control them. Adding a second factor to the authentication process helps prevent the misuse of stolen credentials, since research shows that only a few phishing attempts are needed before one succeeds.
Multi-factor authentication — Recent research indicates that after just five to seven phishing attempts, the success rate is almost 100%. Once an organization has been targeted, it only takes a short while for credentials to be stolen. The best way to stop the misuse of these stolen credentials is to include a second factor in the authentication process. There are a number of options for multi-factor authentication, including certificates, software or hardware-based tokens, and cellphone-based verification procedures.
Elimination of shared accounts — It's not unusual for a third party to ask for access to your systems using the same account that all of your employees use. Although this method is simpler administratively, your company faces a number of security challenges and vulnerabilities as a result. To begin with, shared accounts and multi-factor authentication are incompatible. Second, it is more difficult for you to regulate who has access to and uses shared credentials. As an illustration, if multiple people share a credential and one of them leaves, the remaining person will still have access to the systems until the credential is changed. Third, it becomes impossible to identify the specific user who carried out a particular action on the network. To avoid these issues, credentials should only be given to people, not to vendors.
Onboarding/Offboarding procedures — A new account is made for each person who joins a business partner's organization, and access is granted. When that person leaves the company or changes roles, that account and access must be canceled. Automated vendor reporting of staffing changes is advised to make sure that such actions are handled promptly.
Background checks and ID — Background checks and identity proofing of third-party persons accessing systems are recommended in highly sensitive environments. Because this can be costly and time-consuming, it is a risk management decision. Where third-party user accounts have turned out to belong to people who do not exist, it may make sense to perform some level of identity proofing.
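The four controls above (MFA, no shared accounts, prompt offboarding, and identity of the actual person behind a credential) are all checkable from data you already hold: the vendor's staffing report and an export of third-party accounts from your access system. The script below is an added example, not code from the article; the account fields, vendor names and roster are constructed assumptions rather than any product's real schema.

```python
"""Added example (not from the article): reconcile third-party accounts
against a vendor's reported staffing roster and MFA enrollment state.
All records are constructed for the example; field names are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    vendor: str
    owners: tuple        # people known to use this credential; more than one = shared
    mfa_enrolled: bool
    last_login: date


# Constructed: the vendors' automated staffing reports (current staff only).
VENDOR_ROSTER = {
    "acme-dba": {"alice.r", "bob.k"},
    "northwind-support": {"carol.m"},
}

# Constructed: third-party accounts as exported from the access system.
ACCOUNTS = [
    Account("alice.r", "acme-dba", ("alice.r",), True, date(2023, 3, 1)),
    Account("bob.k", "acme-dba", ("bob.k",), False, date(2023, 2, 20)),
    # dave.p left the vendor but the account was never offboarded.
    Account("dave.p", "acme-dba", ("dave.p",), True, date(2023, 1, 9)),
    # one credential used by the whole support team: a shared account.
    Account("nw-support", "northwind-support", ("carol.m", "erin.t"), False,
            date(2023, 3, 2)),
]

REVIEW_DATE = date(2023, 3, 3)   # constructed "today" for the review
STALE_AFTER_DAYS = 30            # assumed dormancy threshold


def reconcile(accounts, roster, today):
    """Return (username, issue) findings for every control the text names:
    shared accounts, missed offboarding, missing MFA and dormant accounts."""
    findings = []
    for acct in accounts:
        current_staff = roster.get(acct.vendor, set())
        if len(acct.owners) != 1:
            findings.append((acct.username, "shared-account"))
        departed = sorted(p for p in acct.owners if p not in current_staff)
        if departed:
            findings.append((acct.username, "offboarding-missed:" + ",".join(departed)))
        if not acct.mfa_enrolled:
            findings.append((acct.username, "no-mfa"))
        if (today - acct.last_login).days > STALE_AFTER_DAYS:
            findings.append((acct.username, "dormant"))
    return findings


def run_reconciliation():
    """Run the check over the constructed data."""
    return reconcile(ACCOUNTS, VENDOR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for username, issue in run_reconciliation():
        print(f"{username:12} {issue}")
```

Run on a schedule against the vendor's automated staffing report, this turns the offboarding requirement into a check rather than a promise: an account whose owner is no longer on the roster, or one that several people admit to using, surfaces on the next run instead of at the next audit.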
3. Separate access control from authentication to reduce visibility and possible harm
Most vendors require only limited access to specific systems. However, the typical network is not physically segmented, even though segmentation would aid in access control.
As a result, if an attacker gains access, he or she will have visibility into a wide range of devices and systems.
Once inside, the attacker can look for vulnerabilities or additional credentials that can be used to gain more access at a higher level of privilege.
It is much simpler to spot anomalies once acceptable paths for external access to resources are established. Using a privileged access management solution or VPN, you can restrict unapproved protocols and force approved sessions along a predefined route.
4. Implement policies in real time to stop unauthorized commands and errors
Sometimes a third-party user may need to log into a system with a highly privileged superuser account for technical or administrative reasons. With such unrestricted access, that person has the potential to do serious harm, whether on purpose or by accident.
A better and more acceptable approach is to enable fine-grained permission controls by using a privileged access management solution.
With a privileged access management system, a user's sessions to various target systems can be brokered on their behalf through a number of different accounts, each with a different level of access privilege.
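To make the brokering idea concrete, here is an added example (not the article's code and not any PAM product's API) of the policy decision such a broker makes before relaying a command: it maps a third-party role to several target accounts at different privilege levels and picks the least-privileged one whose allow-list covers the requested command. Roles, hosts, account names and command patterns are constructed assumptions.

```python
"""Added example (not from the article): a minimal policy layer of the kind
a privileged access management broker applies before relaying a command.
The role, hosts, accounts and command patterns are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    target: str     # host the session may be brokered to
    account: str    # account on the target used for the brokered session
    allowed: tuple  # regexes (anchored at start) of commands this grant permits


# Constructed policy: one vendor role, two grants at different privilege.
# Grants are listed least-privileged first; the broker takes the first match.
POLICY = {
    "acme-dba": (
        Grant("db-prod-01", "dbreader", (r"^SELECT\b", r"^SHOW\b", r"^EXPLAIN\b")),
        Grant("db-prod-01", "dbadmin", (r"^ALTER TABLE\b", r"^CREATE INDEX\b")),
    ),
}


def broker(role, target, command):
    """Return ("allow", account) for the least-privileged account whose grant
    covers the command on this target, or ("deny", None) if no grant does."""
    for grant in POLICY.get(role, ()):
        if grant.target != target:
            continue
        if any(re.match(pattern, command, re.IGNORECASE) for pattern in grant.allowed):
            return ("allow", grant.account)
    return ("deny", None)


if __name__ == "__main__":
    for cmd in ("SELECT count(*) FROM orders",
                "ALTER TABLE orders ADD COLUMN note text",
                "DROP TABLE orders"):
        print(cmd, "->", broker("acme-dba", "db-prod-01", cmd))
```

The point of the ordering is that the third party never holds the admin credential at all: the reader account serves routine queries, the admin account is used only for the specific maintenance commands the policy names, and anything outside both lists is refused before it reaches the target.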
5. Monitor activity and look into suspicious events to detect breaches, improve training, and fine-tune automation and processes
It’s necessary to monitor system access in order to enforce established policies. Depending on your risk and compliance management considerations, you may need to monitor at a particular level and in a particular area.
Even in low-risk environments, keeping track of a user's activity through logging and monitoring can help you spot suspicious activity and look into the specifics to uncover intent.
A violation could be a straightforward error, or it could be a sign of malicious behavior. By keeping a simple log of a user's activity, such as the times they logged on and off, the systems they accessed, the commands they issued, and the responses they received, you can spot inappropriate or unauthorized activity and identify other users who require more training.
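The log fields the paragraph lists (logon and logoff times, systems accessed, commands issued and their responses) are enough to drive a first-pass review. The script below is an added example, not from the article: it parses a handful of constructed session-log lines in an assumed format, reports logons outside business hours, commands against systems that are not on the vendor's approved path (the point of practice 3), and commands the broker refused, and computes session durations from the logon/logoff pairs.

```python
"""Added example (not from the article): review of third-party session logs
for the signals the text names. Log lines, the approved path per vendor and
the line format "ts user vendor event target detail" are all constructed."""
from datetime import datetime

# Constructed sample log: one normal daytime session and one suspicious one.
LOG = """\
2023-03-02T09:05:11 alice.r acme-dba LOGON db-prod-01 via=pam-gw-1
2023-03-02T09:06:40 alice.r acme-dba CMD db-prod-01 SELECT count(*) FROM orders|OK
2023-03-02T09:30:02 alice.r acme-dba LOGOFF db-prod-01 -
2023-03-03T02:14:55 dave.p acme-dba LOGON db-prod-01 via=pam-gw-1
2023-03-03T02:15:09 dave.p acme-dba CMD db-prod-01 DROP TABLE audit_log|DENIED
2023-03-03T02:15:31 dave.p acme-dba CMD fileserver-03 ls /finance|OK
2023-03-03T02:16:00 dave.p acme-dba LOGOFF db-prod-01 -
"""

APPROVED = {"acme-dba": {"db-prod-01"}}   # constructed approved path per vendor
BUSINESS_HOURS = range(8, 18)             # assumed logon window (hour of day)


def parse(text):
    """Split each line into its six fields; the detail field may contain spaces."""
    records = []
    for line in text.splitlines():
        ts, user, vendor, event, target, detail = line.split(" ", 5)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "vendor": vendor, "event": event,
                        "target": target, "detail": detail})
    return records


def review(records, approved, hours):
    """Return (user, finding, detail) triples worth a human look."""
    findings = []
    for r in records:
        if r["event"] == "LOGON" and r["ts"].hour not in hours:
            findings.append((r["user"], "off-hours-logon", r["target"]))
        if r["event"] == "CMD":
            if r["target"] not in approved.get(r["vendor"], set()):
                findings.append((r["user"], "outside-approved-path", r["target"]))
            cmd, _, result = r["detail"].rpartition("|")
            if result == "DENIED":
                findings.append((r["user"], "denied-command", cmd))
    return findings


def session_durations(records):
    """Seconds between each user's LOGON and matching LOGOFF on a target."""
    open_sessions, durations = {}, {}
    for r in records:
        key = (r["user"], r["target"])
        if r["event"] == "LOGON":
            open_sessions[key] = r["ts"]
        elif r["event"] == "LOGOFF" and key in open_sessions:
            durations[r["user"]] = int((r["ts"] - open_sessions.pop(key)).total_seconds())
    return durations


if __name__ == "__main__":
    recs = parse(LOG)
    for finding in review(recs, APPROVED, BUSINESS_HOURS):
        print(*finding)
    print(session_durations(recs))
```

None of the three findings on the constructed data proves malice on its own; a 2 a.m. logon may be scheduled maintenance and a denied command may be a typo. What the review gives you is a short list to ask the vendor about, and a denied command paired with a reach to an unapproved system in the same session is exactly the combination the paragraph says distinguishes an error from intent.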
How to conduct risk assessments remotely?
Conducting risk assessments remotely typically involves the following steps:
Define the scope of the evaluation: set clear boundaries and decide which assets, systems, and processes will be included in the assessment.
Gather information about the resources, infrastructure, and operations that will be part of the evaluation. Hardware and software details, network setups, security settings, and incident response procedures could all fall under this category.
Identify vulnerabilities by analyzing the gathered data for weak spots and other sources of risk. Among the things that could be found are misconfigurations, outdated software, and security flaws.
Find out how probable risks are and what damage they could cause to your company.
Identify the most pressing threats based on their likelihood and potential impact.
Construct advice for reducing or eliminating the risks that have been identified. New security controls, updated software, and updated policies and procedures are all examples of what might fall under this category.
Inform the relevant parties of the evaluation's findings and any subsequent recommendations for action.
Keep an eye out for new threats to the company and revisit the risk assessment on a regular basis to keep it up-to-date and useful.
Assessment teams and organization employees may need to work together more closely and utilize remote access tools and collaboration software to gather and share data in order to conduct a successful risk assessment when it is performed remotely.
How do you monitor third parties when you cannot visit their offices physically?
Reviewing documentation, conducting remote assessments, monitoring and reporting, communicating and collaborating, and reviewing incident response plans are all essential components of an all-encompassing strategy for monitoring third parties when in-person visits to their offices are not feasible.
The first step in assessing a third party's security and finding any holes in it is to read and understand the documentation they provide. Some of the things that could be checked are their security policies and procedures, their incident response plans, and their compliance certifications.
The next step is to conduct remote assessments utilizing various tools and methodologies to gain insight into the third party's security measures.
Mechanisms for monitoring and reporting on the third party's compliance with your organization's security policies and procedures are also essential. A variety of methods can be used to gain assurance over the third party's infrastructure, such as security incident reporting, log review, and continuous monitoring.
Maintaining open lines of communication and working together with the third party is crucial for learning about their security measures and addressing any concerns that may arise. This could involve getting together on a regular basis, either in person or via email or online conferencing software.
Last but not least, you should check the third party's incident response plan to make sure it covers all potential scenarios, is consistent with your own, and that the company has the resources to implement it.
Effective Third Party Risk Management (TPRM) necessitates monitoring emerging trends and identifying evolving risks. The dynamic nature of business operations presents a range of challenges for risk management professionals, who must remain vigilant in identifying potential risks.
While understanding the specific risks faced by an organization is a crucial initial step in risk management, it shouldn’t be the only consideration. Developing a comprehensive risk management plan that accounts for the security challenges associated with the current operating environment is essential for ensuring the organization's protection.