The shift to remote working has brought about many changes to how businesses approach security, but a big hole that needs addressing is keeping third parties in check.
“Third-party risk is huge now and is probably one of the biggest threats within organisations,” said Eoin Goulding, CEO of Integrity360. “For a lot of situations we’ve come across with real-time incident responses, a third-party has caused the incident, not so much the customer.”
Nowadays, it’s highly likely that a company is relying on third parties to run certain aspects, if not all, of its organisation. While most organisations have focused on getting their own staff working remotely, it’s easy to forget that third-party companies are experiencing the same thing.
Goulding describes how this has caught out companies due to third-party providers working remotely, leading to data compliance and data protection issues.
It’s something that has happened more frequently since the Covid-19 lockdown began, with the shift from office to home leading to certain elements being overlooked by third-party companies.
“That has happened a lot more since Covid because they’ve set up remote working but due to misconfiguration, they haven’t properly secured it,” he said. “There’s no processes and procedures around the security piece and then all of a sudden, some malware comes in and then it all kicks off.
“We have got involved in live instances where the customer realised their third-party system integrator or break-fix company really hasn’t the skillset needed and they bring us in too late.”
Goulding makes the point that finding that expertise can be a tough job at the best of times; sometimes decisions can be made quickly out of fear of an attack happening.
Finding that expertise is important and the credentials to support it can make the difference. For example, Integrity360 became the only company in Ireland - and one of four if you include Britain - to make it into Gartner Research’s Market Guide for Managed Security Services.
Out of 500 providers who offer managed security services, only 29 companies made the list.
The list represents providers whose core capabilities meet the central requirements companies have. If such a small percentage of providers have met Gartner’s requirements, it can be tough for the average company to pick out the right partners.
“It’s a hard thing for companies to make the right decisions because like all things, there are good and bad companies in our space,” he explained. “The companies are getting caught out because they’re going for solutions, making investments in solutions that really don’t fit their needs or they’re behind the time.”
Getting the full return on investment
The other big issue is that these companies will have made a significant investment in tools and vendors but their lack of knowledge means they aren’t getting the full value from them.
Much of this is down to awareness of what these products can do; buying technologies is one thing, but knowing how they slot into your business as a whole is where the real value comes from. Sometimes it can be a case of having the technology and not expanding upon the base settings.
“When we start dealing with a new company, we’re saying you’ve made this investment but you’re not getting the return on it because you don’t know what it does,” he explained. “You haven’t turned it on or you don’t have the right people to manage it, so there’s more and more of that happening.”
“They need to take a step back, look at what they’re trying to do, where are the big risks with the new way of working, and what are the processes we need to fix to make sure they’re working.
“Let’s have a look at the current investments and see if those tools can support our processes and procedures to keep us more secure and reduce our risks.”
The other area that Goulding sees increasing is insider risk. With more employees being furloughed, put on PUP or simply being laid off, there’s a greater risk of them taking data from the company and using it to set up their own business or bringing it to competitors.
This comes back to the issue of policies and procedures, something that organisations should reassess or rewrite entirely. With the office’s fixed perimeter now replaced by a formless entity, many of the policies and procedures companies have are either out of date or ill-equipped for this world.
“All companies’ processes were not [designed] for so many people being at home,” he said. “With their incident response, where the data sits, and how the employees access the data, the landscape has very much changed from the use of remote working.”
While many companies have made a significant investment in technology, it may not be used in a way that best serves your business. This is crucial in policy where you need to know where the real risks are so you can properly protect yourself through methods like two-factor authentication.
A good example of this is incident plans where many companies will have one but it can be devoid of details once you dive into it.
“The amount of organisations who say they have an incident plan but when you look at it, it’s very weak,” he said.
“For remote working, the whole incident plan needs to be totally updated or changed. Companies need to take a step back and understand the risks, stop buying technologies, and bring the people along the journey on the processes and procedures behind it.”
“That’s where they really need to start.”