[co-author: Andy Sawyer]
When the pandemic hit, companies across the country and beyond scrambled to move their workforces to working from home. No doubt, corporate IT and cybersecurity teams were overwhelmed, some more than others, in addressing the new operational and security risks created by this tectonic shift. The reality is likely that some companies were unprepared for this shift but had little choice. Companies are now settling into a new normal, ranging from fully back in the office to fully remote, with hybrid models in between. It is time for companies to revisit the cybersecurity requirements for their third-party service providers that have access to sensitive information, both personally identifiable information (PII) and non-PII.
The pandemic pointed out the deficiencies, and obsolescence, of the perimeter security model that has been a cybersecurity bedrock for decades. Perimeter security emphasizes barriers and protections at the borders of a corporate network providing protection for internal systems and data. Companies built strong defenses insulating the corporate village and crown jewels. Then everyone went home.
The pandemic distributed the work force, and the business environment, far beyond the borders of the corporate network. The result was a much broader attack surface for organizations to protect.
The deficiencies of the perimeter security model were known before the pandemic. The pandemic has accelerated the move from perimeter defense to adoption of an identity-centric Zero Trust security model.
Zero Trust assumes that all networks (internal and external), devices, servers, identities and applications are potentially hostile or compromised and require continual verification. Identity authentication, authorization, access and audit must be a continual process rather than a one-time check at the network border.
The digital workplace of today is a hybrid of internal systems behind firewalls and cloud-based services with shared security responsibilities. Leveraging cloud-based servers and storage as infrastructure as a service (IaaS), and applications like Zoom, Microsoft Teams and Microsoft 365 as software as a service (SaaS), offers potential improvements in business operations, productivity, agility, innovation and profitability. Realizing these benefits requires a focus on identity security. Cybersecurity programs must enable, not hinder, corporate digital adoption and transformation.
Many pre-pandemic security exhibits addressed System and Organization Controls (SOC) reports, i.e., SOC 1 and/or SOC 2 reports. Many also specified particular elements of the security program. It remains appropriate to give the company some type of inspection or verification right relating to the supplier’s implementation of, and compliance with, the security program requirements. As the workforce shifted, and now remains to varying degrees, in a remote workplace model, it is time to evaluate these and other aspects of the security program that third-party service providers should maintain. Below are some of the topics that should be considered for express inclusion in an updated security exhibit for third-party service providers.
The cybersecurity program should expressly address the policies and procedures that protect the security of information and systems accessed by the supplier’s remote workers, so that the safeguards stated elsewhere in the security exhibit, such as multi-factor authentication (MFA), encryption and dual controls, are not diminished. This should include: limiting remote access solely to virtual private networks (VPN), Single Sign-On or other protected means; device hardware standards; malware protection software; advanced endpoint protection; and appropriate measures to prevent printing locally or saving data on local devices. Computers and devices used by remote workers must be assumed to be compromised. Device health (anti-virus software, version and patch status), reputation and geolocation must be assessed before access to corporate data and applications is granted. The enhanced program should also address data backups. If there are workers who need to use paper records at home, the exhibit should address how those workers are provided with secure containers and shredders. The definition of “data incident” should be re-evaluated as well, to ensure it covers incidents occurring at remote workers’ homes.
The new normal includes more remote workers. Hackers know this, and they know where the vulnerabilities are. A company’s updated cybersecurity program, including its third-party service provider requirements, should reflect this as well.