How to ensure vendor security in a hybrid working environment


The pandemic has seen our lives shift from the office to home, bringing new nightmares for IT security heads. The work-from-home culture has created new challenges for businesses as their attack surface expands and their cybersecurity needs intensify. How do you ensure that your vendor security is still intact in a hybrid working environment?

According to the World Economic Forum's Global Risk Report, cybercrime doubled in 2020 as the pandemic hit and opened the door to new security threats. As the world adapts to this new hybrid working model, let's take a closer look at what security measures organisations should take to protect themselves against new and sophisticated cyber threats.

Personal networks and personal computers 

The top remote working risks are, without doubt, insecure home networks and personal computers. These personal networks not only pose a great risk to a company's assets but can also leave personal information wide open to attack. While firewalls and sophisticated cybersecurity measures are usually in place at the office, it is a different story at home, where networks are usually unprotected.

IT departments can monitor network traffic and block malicious activity within the office, but that control is lost once people are confined to a home office environment. Unpatched personal computers can harbour many vulnerabilities in browsers and operating systems, with some product versions already past end-of-life support. This creates a feeding ground for malicious actors to exploit OS and browser weaknesses during their attacks, including a new Russian malware strain that can infect home networks by targeting VPN users.

Providing employees with work computers that have the company's internal security measures installed is one way of getting around the problem. Few consider how home Wi-Fi networks could jeopardise the security of corporate data. From home routers to surveillance cameras, many types of IoT device cannot be patched remotely, so updates are overlooked and security measures are lacking.

In recent times, personal home devices have become a target for hackers and botnets. Unprotected network ports, trojans and malware spread by spam can all lead to corporate data breaches. To counter these threats, organisations should provide remote workers with company computers that have pre-installed security software designed with personal devices and family networks in mind.

Zero-trust security  

The shift to a remote or hybrid work model, the adoption of cloud computing and 'bring your own device' (BYOD) policies have widened companies' attack surfaces. In response, organisations are moving away from the notion of perimeter security. Companies are now adopting the principle of zero-trust security, shifting access controls from the network perimeter to individual users through device-based and user authentication.

Zero-trust has become an umbrella term for controlling access to company resources by eliminating implicit trust. The resource-based model removes the default assumption that everything inside the network should be trusted, which places greater emphasis on dispersed security measures. Here are a few measures that fall into this category:

  • Multi-factor authentication (MFA)
  • Least privilege access
  • Micro-segmentation of networks
  • Distributed user and device identity management

Patch management 

Breaches involving unpatched vulnerabilities, including those where a patch was available but not applied, have increased ten-fold over recent years. Whether the affected machine is a company asset or a remote worker's computer, unpatched vulnerabilities are often the main and initial point of entry in most cyberattacks. For most enterprises, software vulnerabilities are the most common ransomware attack vector.

Hundreds of vulnerabilities are detected and published each month, creating new headaches for IT security teams. Faced with the sheer number of CVE identifiers, patches, severity ratings and workarounds, IT departments have become overwhelmed and often miss critical updates. A lack of risk prioritisation often leads to inadequate resource management, which can cause significant problems within businesses.

Security teams find themselves unable to prioritise risk, which makes it difficult to address vulnerabilities within the critical window. Manual patch management is insufficient for most secure systems, and therefore best practices and automation should be applied to boost security measures.
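One way to put the risk prioritisation described above into practice is to rank the patch backlog automatically rather than by hand. The example below is added here for illustration and is not RiskXchange's code; the inventory, the CVE placeholder ids and the scoring weights are all constructed assumptions, chosen to reflect the factors this section names (severity, patch availability, workarounds, end-of-life software and remote worker devices outside office controls).

```python
from dataclasses import dataclass

# Constructed sample finding: one row per (asset, vulnerability).
# CVE ids are placeholders, not real identifiers; all values are illustrative.
@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                   # placeholder id
    cvss: float                # base severity 0.0-10.0
    patch_available: bool
    workaround_applied: bool
    os_end_of_life: bool       # product past vendor support: no fix will ship
    remote_worker_device: bool # sits on a home network, outside office controls
    days_open: int

FINDINGS = [
    #       asset               cve                 cvss  patch  wkarnd eol    remote days
    Finding("laptop-remote-07", "CVE-PLACEHOLDER-1", 9.8, True,  False, False, True,  40),
    Finding("fileserver-01",    "CVE-PLACEHOLDER-2", 9.8, True,  False, False, False, 3),
    Finding("laptop-remote-12", "CVE-PLACEHOLDER-3", 7.8, False, False, True,  True,  120),
    Finding("router-home-03",   "CVE-PLACEHOLDER-4", 8.8, False, False, False, True,  15),
    Finding("kiosk-lobby",      "CVE-PLACEHOLDER-5", 5.3, True,  True,  False, False, 10),
    Finding("desktop-hq-22",    "CVE-PLACEHOLDER-6", 4.0, True,  False, False, False, 60),
]

def risk_score(f: Finding) -> float:
    """Severity first, then exposure, then how long the finding has sat unfixed.
    Weights are assumptions for this example, not an industry standard."""
    score = f.cvss
    if f.remote_worker_device:
        score *= 1.3   # no office firewall or traffic monitoring in front of it
    if f.os_end_of_life:
        score *= 1.5   # a patch will never arrive; the asset needs replacing
    if f.workaround_applied:
        score *= 0.5   # mitigated, but still worth closing properly
    score += min(f.days_open, 90) / 30.0   # +1 per month open, capped at 3
    return round(score, 2)

def recommended_action(f: Finding) -> str:
    if f.os_end_of_life:
        return "replace/upgrade"
    if not f.patch_available:
        return "monitor for patch" if f.workaround_applied else "apply workaround / isolate"
    return "patch"

def work_queue(findings):
    """Return (asset, cve, score, action) rows, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.cve, risk_score(f), recommended_action(f)) for f in ranked]
```

Running `work_queue(FINDINGS)` puts the end-of-life remote laptop at the top even though its CVSS score is lower than the file server's, because no patch will ever close that gap.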

Take humans into account 

Remote workers rely on video or audio calls, group messaging or app-based management systems to communicate with coworkers. This not only leaves the home network wide open but also increases the probability of phishing attacks. In vishing attacks, phone calls that appear to come from an organisation's IT department, together with custom phishing sites, are used to steal VPN credentials from workers. Humans beware!

A scammer posing as a corporate IT staff member could easily trick a worker into handing over credentials that grant entry to the network. Scammers set up fake LinkedIn or other social media accounts to convince workers that they are part of the company and should be given credentials to "protect" (or access) the network. The more sophisticated cybercriminals combine these attacks with SIM swapping to bypass multi-factor authentication.

Organisations must educate their employees so that they understand not only the threat of phishing and vishing attacks but also the dangers that lurk within home networks and personal devices. An effective cybersecurity programme requires full visibility into your company's cyber ecosystem, which includes both on-site and at-home networks.

How RiskXchange can help  

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to the everyday problems caused by hackers.

With full visibility over your ecosystem's entire attack surface in near real time, you can continuously monitor and mitigate risks to prevent unnecessary exposure. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.

About RiskXchange 

RiskXchange provides a powerful AI-assisted, yet simple, automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company's cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today's open and collaborative digital world.

RiskXchange is an information security technology company that helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry who have held leading roles at companies such as IBM Security.
