5 Post-COVID Risk Management Considerations
As organizations emerge from a world shaped by coronavirus (COVID-19), they will find themselves in a very different working landscape from the one we saw pre-COVID. Having moved their workforces fully remote and created new ways of collaborating, communicating, and delivering during the pandemic, they now face a situation in which a ‘new normal’ has been established. Now that the national rollout of the vaccine has started to reduce the impact of the coronavirus, a phase of re-assessment
Examining Your Cyber Risk in an almost Post COVID World
Which practices that were put in place during the pandemic will be retained and which are now unacceptably risky?
Are organizations right to have the same risk appetite for their own operational processes, and those of their vendors, that they were prepared to accept during the pandemic?
Here are 5 Risk Management Steps for any organization to consider as we emerge from the Pandemic.
1. Reassess Your Risks
Those new ways of working for your team, and those of your vendors, may have been acceptable to keep the supply chains running during the pandemic but are they still acceptable?
Moving the workforce to the home office significantly increased exposure at key points of vulnerability: staff were no longer working behind the corporate firewall, and the physical security controls of a central office no longer applied. These risks need to be re-assessed and evaluated.
Being proactive, re-assessing vendors and other potential risks will help protect your company’s data security posture.
2. Review Service Level Agreements (SLAs)
While a threat can come from any vendor or supplier, it is critical to focus on the parties that have access to mission-critical information. A breach of critical information, and in particular customer data, can ruin a hard-won reputation. Reviewing SLAs, the primary contractual agreement between an organization and its vendors, will help you understand how well the organization’s information is protected.
When reviewing the SLAs, it's important to establish a thorough understanding and agreement on the following:
Level of authentication required to access networks
Processes of responding to and reporting potential threats and breaches
Location of access (remote working from a home office as opposed to a coffee shop)
If your organization accepts lower standards and processes from its vendors than it applies to its own internal processes, it is exposing itself to a high level of risk. If your organization has invested significantly in processes and software that protect its information but allows a vendor access without the same governance and control, that investment has been wasted. An SLA should also incorporate terms and conditions that allow the organization to terminate a vendor’s contract for security control weaknesses.
3. Understand How Encryption is Used
Encryption is a powerful tool in the web applications that support a remote workforce. Encrypting data in transit and at rest reduces the risk from unstructured data spread across an organization's email service, direct messaging platform, or video conferencing platform: even if an attacker intercepts traffic or obtains stored content, they cannot read it without the keys.
Understanding how your vendors use encryption, and whether it matches your organization's own encryption processes and standards, is key to reducing risk exposure. As you re-establish a strong vendor risk management program and revisit processes post-pandemic, a clear picture of how vendors currently use encryption and where the gaps are is critical.
4. Set Application Security Policies, Processes & Procedures
Digital information sharing, sending documents or data packs via email and chat services, has been a key aspect of remote working during the pandemic. Your organization may have been forced to accept a significant increase in this as the workforce moved to remote working to ‘flatten the curve’, but it may no longer be an acceptable level of risk, particularly for critical information.
Assessing your vendors’ applications, processes, and procedures in this area may head off a key threat. When attempting to mitigate vendor risk as part of your evolving threat management, you want to ensure that you know all of the applications used by your vendors, including:
Email services used
Direct messaging/Chat applications used
Video conferencing services used
Your organization may have a tight cybersecurity policy dictating which approved applications may be used for which purpose. Your vendors, however, may not have considered the use of these applications as a risk and may hold lower standards. Poor application choices and safeguards create vulnerabilities and leave the organization exposed to cybercriminal threats. As recently as January 2020, a vulnerability in Cisco Webex allowed unauthorized users to join password-protected video conferencing calls.
5. Continuous Third Party Monitoring
Consider adopting a continuous third-party risk management platform as a way of constantly evolving your strategy. As we emerge from the pandemic, evolving risk management systems will be essential to staying competitive and diligent.
With our risk assessment solutions, you never need to worry about making the right choice for your business. You just need to get the job done.
Ready to take the smart approach to risk management? Get in touch today to learn more about how Privva can help.