Today’s business is part of the digital and online world, no matter the industry. With the pandemic, this aspect just recently expanded to include the entire workforce, whether remote or hybrid. So, what does this mean for companies and cybersecurity?
It means a larger number of risks, because to operate in the digital and online world a company must use tools and technology to conduct business. This also means data is exchanged over a network with every tool, technology, and platform in use.
These tools, technologies, and platforms are often connected to third-party vendors, which means data is also exchanged over a network with external parties.
- When you conduct business with any of your digital technology and tools, such as computers, software, IoT devices, mobile devices, servers, applications, cloud services, hosting providers, and so on, you exchange information (data) and use a network.
- With a remote or hybrid workforce, the work environment you need to protect has also grown.
So, how can you find out what your third-party partner’s cyber resilience is, so that you can address cyber risks or compliance requirement needs immediately?
We have four questions that you can ask your partners to determine their cyber resilience.
- What are your current standards for protecting customer data?
- With privacy laws such as the GDPR and the CCPA (and the upcoming CPRA), you want to make sure that the partner vendors you use meet compliance requirements so you avoid fines. You must be able to recover the data that is exchanged, track it, and meet all the privacy law requirements. This also involves the partner's backup strategy and policies, and whether they conduct regular infection simulations and backup procedure testing to confirm their strategy would actually work if they were attacked or their data were held for ransom by cybercriminals.
- Do you have true end-to-end security?
- Since cybercriminals are constantly finding new ways to attack a network, businesses must have endpoint security; put another way, that extra layer of protection helps to avoid an easy breach. With your remote workers at home and your hybrid workforce exchanging information with work-from-home (WFH) team members, the end-to-end security set up in the company's office is absent. For this reason, you want to ensure all tools, technology, and platforms the company uses have endpoint security.
- Are your security policies consistent throughout departments and personnel?
- Even if your partners have endpoint security and meet privacy law and compliance regulations, you also want to work with partners that have a company culture around cybersecurity. This means that their security policies and procedures are the same for all personnel, across all departments. Standardized policies ensure that all groups work with the same access control settings, so cybercriminals cannot abuse inconsistent settings between groups to find a way in.
- Do you perform security audits regularly?
- Security audits help a business assess which areas of its operations need attention. They include penetration testing of internal and external systems, a review of the company's security policies and procedures, and a look at what regular exercises are conducted to determine how effective the security measures would be were a breach to happen. A company should conduct a security audit (also known as a security assessment) at least once a year, if not more often. In addition to asking about their audits, ask about access to audit logs were a breach to happen, and about their crisis management PR statements, because you will also be held accountable for reporting the breach under data privacy laws such as GDPR and CCPA.
Now that you have these questions handy, you can move forward with your vendor risk management needs and assess where your partners stand with cyber resilience.
You can also pursue your next cyber resilience options with the CEO and/or security executive and the IT team for any additional measures you want to take right away with your remote and/or hybrid workforce.
If you need the support of a cybersecurity expert or if you want to consult with a fellow colleague to see how you can address important vendor risk management topics with the CEO and boardroom, schedule your free consultation here: https://calendly.com/ncxgroup
If you need a cybersecurity audit, feel free to reach out or start with our free cyber risk option: https://training.ncxgroup.com/free/#assessment
Photo courtesy of Mathias Rosenthal