Companies have offered flexible schedules and have allowed employees to work from home (to varying degrees) for years. The trend to work from home has been on the rise over the past decade, but the recent threat of COVID-19 has forced many companies to move completely to a remote workforce. This raises all sorts of logistical and security issues, especially for companies that didn’t previously have formal Work from Home (WFH) policies in place.
How will this shift to remote work impact your business? Specifically, how might it change the way your organization manages its third-party vendor relationships? Let’s take a look at some common risks you should be aware of, and how you might want to consider updating your organization’s Vendor Management Program to be prepared for this organizational and cultural change.
Vendor risks to be aware of
This list of potential risks associated with remote work is not by any means exhaustive. It’s also important to note that these risks were applicable before the outbreak of COVID-19, but they are certainly front and center now that the vast majority of businesses are requiring their employees to work from home for the foreseeable future.
- Blurred lines between personal & corporate use of devices – Were your vendor’s remote workers prepared for the sudden shift to working from home? Or, were they unable to bring corporate devices home with them (i.e. a stationary desktop) and are now forced to user personal devices to conduct business? The introduction of personal devices could cause some trouble for IT teams (various types/versions of operating systems used by employees, inconsistent security patches, no way to control devices, etc.)
- Collection and/or storage of non-public information (NPI) – Are you vendor’s remote workers collecting NPI through secure means, or has the shift to working from home tempted them to collect NPI in other ways (i.e. through the use of personal cell phones or other devices, through unsecure email correspondence, etc.)?
- Access to corporate network (or lack of access) – Are the proper security protocols in place to allow for remote connection to the company network? Is the appropriate infrastructure in place to even provide remote access to the corporate network, or are employees left without a connection?
- Lack of Policies and Training – Does your vendor have a formal work from home policy for their remote workers to follow? Has security awareness training been provided to staff, especially with the rise of email phishing scams being a major source of concern?
- Impact on service levels – Will a sudden shift to remote work impact any service level agreements (SLAs) or other performance metrics? Do remote workers have acceptable home internet connections, devices and ancillary equipment (i.e. headsets for clear audio, camera to allow for video meetings, etc.) to continue conducting business without any disruptions?
- Unsecure home (or public) internet – Do your vendor’s remote workers have strong passwords for their internet routers? Are home networks using the proper encryption? Is the firmware of home routers up to date?
What does this mean for your vendor management program?
As the number of companies enforcing work from home policies continues to increase in the near-term, and since the shift to a fully (or partial) remote workforce may be a trend that’s here to stay even after COVID-19 is eradicated, here are some ideas you might want to consider with regard to how your business manages its third-party vendor relationships.
- Send an emergency questionnaire – If you didn’t previously ask your vendors about their remote work practices during your due diligence or ongoing monitoring process, now would be a good time to do so. To start, you might want to consider focusing only on your organization’s most critical vendor relationships.
- Prepare business continuity plans with your most critical vendors – If your Vendor Management Program doesn’t require it already, it is a good idea to have business continuity/contingency plans in place with your vendors. As a best practice, your organization should focus on developing business continuity plans with your most critical vendors.
- Update due diligence questionnaires – Coordinate with internal stakeholders, particularly information security and business continuity staff, to ensure that the right questions are being asked on your vendor due diligence questionnaires. Be sure to ask about your vendor’s network (and how remote workers access it), policies/procedures on remote working, security awareness training, and impacts of remote work on day-to-day performance and business continuity.
- Incorporate remote work into your inherent risk assessment – When conducting vendor risk assessments, consider asking about remote work. Is a vendor with a 100% remote workforce inherently riskier than a vendor who does not allow remote work?
- Look into ongoing monitoring software – Point in time monitoring (such as periodic due diligence assessments) are certainly useful, but the information collected becomes stale. If you only assess your vendors every year, or every other year, what about the time in between assessments? Software solutions, such as the platform offered by our partner Argos Risk, provide continuous, timely and comprehensive third-party risk intelligence.
In this new era of working from home, make sure you think about the risks that remote work may expose your organization to, as well as the appropriate updates or additions you might need to make to your Vendor Management Program.