As organizations across the U.S. become accustomed to remote work arrangements due to COVID-19, many are taking appropriate precautions to monitor and address the heightened cyber risks associated with this increased reliance on technology.
Still, while employers may be exercising appropriate diligence with respect to their own operations, they could be overlooking similarly heightened cyber risks associated with their vendors and trading partners.
When it comes to guarding against cyber threats, any organization is only as strong as its weakest link. Here are five tips for employers to assess and manage potential cyber threats from vendor relationships and trading partners.
- Recognize small businesses may be big targets. That’s how cyber criminals see it. The disparity in security investment between large enterprises and small businesses has not gone unnoticed by cyber criminals, who have turned their attention increasingly to these easier targets. The predominant strategy for hacking a larger business has followed suit: Want to infiltrate a large target? Hack one of their smaller partners first. Unfortunately, even large organizations with seemingly “bullet-proof” cyber protections may fall victim to an attack that comes through a smaller vendor or trading partner with less secure or inadequate cyber risk management.
- Watch COVID-19-related changes to your vendors’ business models. Over the years, effective cyber risk management has been largely a function of organizations’ ability to manage user behavior. Your business may be managing that exposure well, but your vendors probably are not—especially in light of adjustments businesses have made to maintain operations during COVID-19. With more staff working remotely, some businesses haven’t been rigorous about enforcing cyber security protocols and maintaining best practices. Get assurance from business partners not only that they’ve taken appropriate measures to address the cyber risks of remote workers, but also that they can demonstrate how they are monitoring worker compliance.
- Think holistically about your enterprise. Effective cyber risk management simply cannot exist without recognizing that vendors and contractors are part of the attack surface. Think of the basic practices that work to keep your business safe: those are what your small partners need. In addition to reviewing any cyber-related requirements stipulated in your contracts with vendors, get confirmation from your partners about their inbox protection measures, browser controls, vulnerability assessment, employee security training, and cyber insurance coverage.
- Don’t settle for excuses. In the past, robust cyber-risk solutions simply weren’t practical for most small businesses. That’s no longer the case. Today, many of the more sophisticated cyber risk management solutions widely implemented by larger businesses have been introduced for smaller enterprises at an affordable cost. The new approaches come without the need for internal IT or external consultants to install and maintain the software-based tools and resources. Besides inbox protection and browser controls, they include modules for continuous employee testing and training and special features to track successful completion.
- Check costs of supporting key vendor partners. To make sure critical vendors and trading partners have adequate cyber loss prevention, response and insurance, consider offering to assume or share the costs of these services. It’s a way to ensure your partners are adequately protected, as well as to safeguard your enterprise from vendor-related vulnerabilities. Further, many cyber-risk management providers now offer cost-effective end-to-end solutions that can be extended to vendors and key trading partners.
Taking steps to address the weakest link in various cybersecurity chains will help businesses strengthen their protection in an environment where cyber-crime is rapidly on the rise.
Riley is director of insurance at Paladin Cyber.