Originally published in Morning Consult
By Allan Matheson
It’s been a tough and stressful couple of weeks, but as chief information officer you’ve finally got everyone in your company’s global workforce working from home.
Time to relax a little, right? Maybe not.
Your company’s direct employees may be working securely with company-issued laptops and virtual private networks, but what about the staff of third-party providers with whom you’ve partnered? Often they’ll have access to sensitive company data. That’s fine under normal circumstances when they’re working on secure computers at the office, but when they’re suddenly sent home without much planning or preparation – which is happening a lot right now – it’s a different story.
Often there aren’t enough laptops to send home with every employee, meaning many of them will be switching to their personal laptops or desktop computers. That creates some potentially big security liabilities.
Take what’s happening in the Philippines as a result of coronavirus, for example. The government has told all workers to stay home, including the tens of thousands who work at third-party call-centers. This has all come at a time when the functions provided by many of those call centers are in particularly high demand. As those workers shift to home, what sort of protocols are in place to make sure that any sensitive data they have is protected?
Many of them may now be working from their kitchens or bedrooms on personal computers already infected with malware, spyware or other unwanted software, or running unpatched operating systems and applications, any of which could easily result in the theft or corruption of data. Malicious software can lie dormant on a personal computer for years until a bad actor decides it is a prime time to activate it.
Each company will face different vulnerabilities depending on the type of third party and data they have. The type of data vulnerable in these conditions can range from company payroll information to customer credit card numbers to application code. In reality, though, protocols around customer personal information tend to be pretty ingrained and strong. The bigger vulnerabilities may be medium-criticality areas that haven’t gotten as much attention, and which employees who do not typically work from home have access to. One example could be application coding operations that are outsourced to a foreign provider.
Third-party security risks aren’t just an abstract concept – they result in embarrassing and costly scandals for companies all the time. Third-party breaches account for over half of all data breaches in the U.S., at an average cost of $7.5 million. Last year’s breach of Quest Diagnostics’ data on around 12 million patients, for example, occurred when a hacker gained access through a third-party billing collections vendor.
There are some fairly simple solutions that can help reduce work-from-home vulnerabilities for third parties. The best one is to get them company laptops that have proper security and oversight.
Of course, given the speed with which many companies have had to enable work from home for their entire workforce, rather than just segments, this tactic has not been as widely used as IT security professionals might desire. Failing that, there are options that let remote computers reach company systems only through a centrally managed, secured service rather than directly. Amazon Web Services, for instance, provides a cloud-based secure home-working solution for companies. Services of this type offer more control and easier administration, including granular data access rights, than VPNs, which can be clunky to roll out and difficult to use. Collaboration tools like Microsoft Teams and Slack also come with built-in security controls, including support for multi-factor authentication, that help create a more secure environment.
But what the problem really demands is for CIOs to have a much more open window into agreements and arrangements with third parties.
Often the IT department is only brought in at the end of establishing a new third-party relationship, to run a review on the third party and to ask them what data they’ll be handling. That question should actually be directed the other way – it’s your own company that needs to spell out what data it will be sharing.
The other disconnect that emerges between IT and the rest of the business is when the data-sharing relationship with a third party evolves over time. Perhaps the partnership started without much sensitive data being shared but became more involved over time without anyone telling IT. Suddenly the third party has access to sensitive employee payroll and health information without any additional protocols having been put in place. Any new work order should trigger an IT security review if it has the potential to change data security, ongoing global pandemic or not.
IT departments should also be asking questions of third-party providers that go beyond just checking the usual boxes and getting verbal reassurances. You may have some protocols in place with a third party, but how do those stand up under the sudden work-from-home environment enforced by COVID-19?
By thinking about these types of process changes and giving CIOs a bigger seat at the table in third-party arrangements, companies will be able to better navigate the current crisis and boost their defenses against security breaches over the long term.
Allan Matheson is the CEO of Blue Umbrella.