Third-Party Risk Challenges in Work-From-Home Environments

May 11, 2021

Partner Blog


  • COVID led to dramatic increases in cyber attacks against businesses.
  • Many such attacks targeted third-party vendors.
  • In this guest post, CyberGRX examines these attack vectors and offers helpful advice on securing your third-party relationships.


COVID-19 completely changed the way organizations conduct business. We’ve all had to adapt to a remote work environment, and this can lead to more — and more targeted — cyber attacks.


Over the last year, the FBI saw a 400% spike in cybercrime while ESET reported a 768% increase in remote desktop protocol attacks. One of the attack methods seeing the biggest increase is phishing, where cyber criminals trick people into clicking email links or downloading attachments that deliver malware such as ransomware. In fact, Barracuda Networks reports a 667% increase in this attack vector alone.


Phishing is effective in part because it targets individuals, but it isn’t necessarily the most efficient way to access private information. Hackers have come to realize that targeting third-party service providers can have a rippling — and crippling — effect on organizations around the globe.


Recent data shows 53% of data breaches are linked to third parties and that the average organization uses nearly 6,000 third parties in the course of doing business. While companies control their own cybersecurity practices, they don’t necessarily have a say in vendor cybersecurity practices, despite the fact that they’d be directly affected if a cyber attack were to take place.


So, what are some common third-party weak spots and what can enterprises do to strengthen their defenses?


Challenge: business continuity. Business continuity planning is being tested on a global scale for organizations in all industries, and one of the biggest challenges is the need for employees to work from home. With offices closed, many employees transitioned to 100% remote work. For prepared enterprises, supply chain impacts were minimized. Less agile companies are still reeling.


Solution: Risk assessments can address continuity concerns with regard to third parties. Enterprises and third-party vendors can collaborate on a business impact assessment to determine how people, processes and technology are affected if something catastrophic (like a global pandemic) happens. Business continuity plans can be developed or tested to determine the strengths and weaknesses in a third party’s security plan, and infosec teams can gain insights into where to focus their mitigation efforts. Furthermore, a recent study by McKinsey showed that 20 to 25 percent of the workforces surveyed can continue to work from home between three and five days a week. This figure is four to five times higher than before the pandemic and shows remote work is here to stay for many organizations, so having a strong business continuity plan in place is more important than ever.


Challenge: a shift to teleconferencing. One of the first things companies did when the pandemic began was move all interactions online. Video calls and web conferences help keep participants safe from the virus, but they open organizations up to additional risks like malware and other cyberthreats.


Web conferencing applications like GoToMeeting, Skype for Business, Zoom and Google Hangouts generally employ security measures like encryption, but they have weaknesses that can be exploited. In fact, the FBI published a list of potential vulnerabilities, along with some do’s and don’ts, in connection with attacks on remote work applications.


Solution: Including questions about teleconferencing services in security assessments helps companies determine whether their vendors’ video conferencing services abide by strict security standards. As with most applications, meeting apps are only as safe as the people who use them, so always be diligent about knowing the risk posed by the third-party vendors you employ. As companies start engaging in face-to-face meetings again, consider prioritizing which meetings can be conducted in person and which should be hosted via teleconferencing. Reducing web conferencing time can go a long way toward minimizing cyber risk.


Challenge: increased shadow IT. COVID-19 brought with it time and task management challenges many organizations had never experienced. Employees downloaded tools to help them work more efficiently, causing security headaches for IT teams everywhere. Shadow IT — software, apps and systems being used without the knowledge of an organization’s leaders or the information technology department — is a target-rich environment for hackers. Even though many organizations around the world are returning to offices, employees have developed new work practices, so the use of shadow IT is likely to persist.


Solution: Visibility is key in mitigating the shadow IT problem. After identifying all the third parties being used by your organization, you can then determine which pose the most risk and queue them up for assessment. Well-prepared third-party vendors will have an established governance plan and policy, along with a process for educating users about the risks that come with shadow IT.


Shadow IT can’t be completely eliminated, so you should be proactive in ensuring the security of your company. Set a regular schedule to audit and assess your vendors.


A plethora of lessons have been learned — many the hard way — since the pandemic changed the world in previously unimaginable ways. But proactively working with your third parties on risk assessment and management can help prevent cyber criminals from exploiting these vulnerabilities.

David Stapleton
Chief Information Security Officer | CyberGRX
David Stapleton is a cybersecurity risk professional with over a decade of experience in both the public and private sectors. David began his career at the Department of Health and Human Services (HHS), where he developed and managed Risk & Compliance functions for the Food and Drug Administration (FDA) and Indian Health Service (IHS). David is a Certified Information Systems Security Professional (CISSP).