Your employees are working from home for the foreseeable future, and company data is continually being shared across countless collaboration applications, personal devices, and unsecure internet connections. Employees who choose to work in public spaces that offer free Wi-Fi are at risk of exposing sensitive data.
Information Technology and Security teams have been spread thin for months, juggling new infrastructure installations and unprecedented number of troubleshooting requests. All the while, the third parties you trust with access to your systems and data (or the ones you may work with in the future) have likewise moved their operations to remote environments, using products you may or may not have properly vetted.
Throughout COVID-19 lockdowns, rapid and ongoing onboarding of third parties and their technologies to enable efficient remote work has exposed organizations to more risk than ever before. At the same time, trusted vendors are likewise onboarding more tools, further clouding visibility into the applications touching their network. The security risks of your third-party vendors become your risks as well, making it imperative to request that third parties communicate any large infrastructure changes to their environment to your organization.
Now that organizations have begun to adapt to the new work-from-home environment, which is likely to last into 2021, organizations need to revisit their approach to third-party risk management. At most organizations, risk management is often addressed in siloes, but the effects of the pandemic, and ongoing work-from-home conditions, have served as an example of the importance of an integrated approach to mitigating the risk of data exposure. Below is a checklist of activities upon which legal, compliance and IT teams can collaborate on to reduce third-party risk and begin working toward a holistic information governance program.
- Conduct a technical review of the third-party architecture. A serious and extensive assessment is the only way to truly get a handle on the many chinks in your third-parties’ armor. Leaders in IT and legal departments are often shocked by what they find in these assessments. Understanding ownership and access for each of the applications on the systems in your environment, and monitoring that continuously is critical. Evaluating for compliance with data privacy regulations must also be a part of the review process.
- Develop clear, concise policies that outline behaviors, partners, and applications that are explicitly approved and those that are prohibited. Once policies are solidified, launch a widespread campaign, including trainings, to the entire company to communicate changes and new expectations. Campaigns delivered with the support/sponsorship of executive leadership will have much more traction and credibility with employees.
- In addition to policy awareness, educate the workforce about the many privacy and security risks that have come to light around the use of popular collaboration and conferencing applications. Remind them that any devices—personal or employer issued—being used for work contain sensitive information and should not be used for non-work purposes.
- Leverage mobile device management tools and update company BYOD policies to ensure IT has the ability to remotely access devices and block prohibited applications. Most organizations already have BYOD policies and mobile device management systems in place, which will make this a somewhat easy lift. Evaluate policies to determine whether they need a refresh to adapt to today’s unique remote work circumstances and evolving data risk regulations.
Even sophisticated companies that dedicate ample resources to information governance often end up with gaps when it comes to third-party risk management. Now, as employees and third parties adopt new, unvetted applications to do their jobs from home, these gaps have become even greater. Organizations are under tremendous pressure right now—but making time to holistically assess and manage third parties will pay long-term dividends in reducing risk, while employees work remotely, and when they eventually return to the workplace.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.