The Right Questions to Ask Your Vendors in Times of Large-Scale Remote Working
By Elad Shapira, Head of Security, Panorays
In the wake of coronavirus, companies are now applying immediate work-from-home policies. This sudden and massive change poses a set of new cybersecurity risks and is forcing security teams to take immediate action.
One of these cybersecurity risks emanates from the supply chain. While a large company may be able to quickly undergo the transition from a relatively concentrated workforce to a large-scale remote workforce, its supply chain partners may not.
In an effort to ensure the cyber resilience of the supply chain during these turbulent times, Panorays has readily made available the related vendor evaluation criteria, broken down to 18 questions. Companies are welcome to use these questions to assess their vendors’ preparedness for work from home.
- Do you already have remote work practices and policies?
- How many of your employees already have remote work capabilities?
- How much of your day-to-day activity is suitable for remote working today?
- What is your remote access mechanism?
- Which client devices are allowed to access your digital assets remotely?
Authentication and Authorization
- Do you enforce 2FA for employees with remote work capabilities?
- Do you enforce strong passwords for all employees with remote work capabilities?
Resilience and Business Continuity
- Is your network structured to support remote access for all of your employees?
- Do you expect operational problems or negative impact to your service due to remote access?
- Do you expect the pre-agreed SLA might be breached?
- Do you backup regularly and require your employees to use and save files only on company-related places (such as internal Google Drive or dedicated services)?
- Do you have redundant inbound connectivity for your facilities / internal systems?
Procedure and Processes
- Do you train your employees with dedicated security awareness for working in public places such as coffee shops or restaurants? In particular, are they instructed to leave the end point station locked and verify use of a secure Wi-Fi network such as by using an employee’s mobile phone?
- Did you train your employees with respect to the above procedures / processes before allowing remote working?
- Do you have clear procedures / processes / controls in place for verifying the authenticity of communications (email, phone, IM) with respect to activities such as fund transfers, account creation, account reset, etc.?
- Do you have a security solution protecting the end point stations (anti virus, EDR etc)?
- Do you have tools or procedures to support remote patch management for your servers, services and end-points?
- Do you have a secure manner of communication between employees working remotely?
These questions will help companies assess the cybersecurity risk emanating from their suppliers that have adopted work-from-home practices. It’s important to note that considering the sudden shift in business behavior, the regular spreadsheet evaluation process will not work, considering the time and human effort it requires. As such, automation of the process is essential. Doing so will allow companies to easily add questions without the need to resend the full questionnaire, track progress, measure and quickly calculate risk levels. Most of all, it will allow companies to quickly and easily scale this process to ensure their security policy is enforced throughout the supply chain.
Meet the Author: Elad Shapira, Head of Security, Panorays
Elad brings to Panorays extensive cybersecurity knowledge across all levels, from reversing and low-level hacking to Web application and social engineering.
At Panorays, Elad and his team are responsible for mimicking hacker behavior by researching new attack techniques and vectors in order to automatically test the security posture of companies en masse. Elad is a recognized speaker, having presented at various hacking conferences such as BlueHat IL, ReCon and Defcon meetups. Prior to Panorays, Elad was the Mobile Security Research Team Leader at AVG Technologies.