How Remote Work Has Changed On-Site Vendor Assessments

5 minute read

April 2022

by Sophia Corsetti

The pandemic caused a shift in how we think about the modern workplace. Pew Research found that 71% of workers were working from home at the end of the first year, and 54% of respondents wanted to keep those working conditions moving forward. However, IT departments were forced to implement technologies to support that quick transition without assessing risk management needs fully.

Home networks are not as secure as office environments. Not only do we have less sophisticated cybersecurity technologies at home, but we’re also less focused on security. People also use a wider array of devices at home, making it more difficult to keep software patched. In a recent survey conducted by Forrester, 80% of security and business leaders reported that remote work exposed them to more risk.

These issues are even more widespread than you think, as more vendors are involved in the business via remote work. Third-party risk management should not be overlooked in this new work environment.

Problems in Home Cybersecurity

The pandemic revealed many underdeveloped or lacking cybersecurity programs as they were stretched and pulled beyond their capabilities. Many new vulnerabilities were exposed, and bad actors moved very fast to take advantage. The Centers for Disease Control and Prevention reported the first COVID-19 case in the U.S. in late January 2022, and less than a month later, COVID-related spam emails were identified. Multiple events were recognized each week after, and the past two years became a cybercrime bonanza.

No one can predict when or to what extent we will go back to physical offices, but it is safe to prepare for a changing hybrid or fully remote ecosystem for the foreseeable future.

Hackers can exploit weaknesses, and the U.S. Cybersecurity & Infrastructure Security Agency reports that phishing and cybercriminal-for-hire schemes are on the rise. By the end of 2021, the data showed cyberattacks shifting away from big-name targets toward smaller victims that attract less media and law enforcement scrutiny. The increased volume of online traffic also provided the perfect cover for cybercrime.

This still holds true for both your company and your third-party vendors (and your vendors’ vendors, and so forth). Cybercriminals constantly search for the weakest links to open the door to valuable data, so third-party vendor risk management is more important than ever. You should be vetting vendors that have entry points into your system, no matter how insignificant.

Some vendor risk management compliance considerations include asking questions like:

  • Do they require multifactor authentication for remote access?
  • How often do they require security reviews?
  • Do your users have admin rights to their laptops or other devices?
  • What security training do they require employees to take?

And this is just the baseline. Any time vendors have access to protected personally identifiable information, you’ll need to be even more stringent. Reining in a remote workforce isn’t easy, but it’s necessary to reduce expensive cyber risks to the organization in everything from a supply chain risk management plan to the vendor onboarding process. Screening vendors in the remote work era provides its own problems, however.

Lack of On-Site Vendor Assessments in Remote Work

One problem with services going remote is the inability to perform on-site assessments. These assessments are necessary to visualize potential security risks and other vulnerabilities while confirming assessment questionnaire responses. On-site assessments can often take several days and are usually reserved for the vendors most critical to a company’s business operations.

It’s an immersive process that gives you real-time insight into what’s happening daily. The point is to look past the marketing materials to understand a business’s actual process. For example, do they have security cameras and key card access?

With remote work remaining prevalent, it’s a lot harder to perform such an in-depth analysis. Many businesses are slimming down their office presence. Even if the office is equipped with security features, an employee’s home might not be. This creates a lot of problems because access to your data and systems is no longer controlled in the same way.

The questionnaire doesn’t change, but how you ask the vendor to prove their responses does. Virtual assessment processes will need to change.

Performing a Virtual “On-Site” Assessment

An on-site assessment isn’t necessary for every vendor, so it’s typically reserved for the most critical and high-risk ones to ensure the business is protected. Today’s on-site assessments might still happen on-site, but it’s more likely that you’ll need to perform them virtually.

There are three ways businesses can adapt to assess the risk of working remotely when unable to visit a vendor on site.

  1. Secure Collaboration Tools

The vendor onboarding process should include secure collaboration tools for communication and data sharing. These include video conferencing platforms to virtually inspect areas you would normally see in person to assess vendor risk management considerations.

Video tools like Zoom, Teams, Facetime, and Google Hangouts let you have eyes throughout the campus. From there, you can have the vendor provide a virtual visual inspection of areas that would be a part of your assessment plan. This inspection is vital to identifying key risk indicators for vendor management.

  1. Break Up the Assessment

Because it’s virtual, the assessment could create issues when it comes to the details. The virtual work era comes with what’s known as “Zoom fatigue,” in which video conferencing causes a cognitive overload and shortens your attention span more than real-life meetings would. In fact, studies indicate that you might only have an engaged audience for the first 10 minutes of an hour-long meeting.

Combatting this fatigue requires breaking up the assessment so you don’t tire yourself out and miss important specifics.

  1. Adjusted Criteria

Now that remote and hybrid work are normalized, it’s time to revisit your criteria for on-site assessments to account for restrictions. Prioritize vendors, decide what can be handled virtually, and consider if you can remove any vendors from the visual inspection process.

You might find that the entire vendor onboarding process needs to be refined to adjust to this new environment. The need to vet suppliers will never go away, but you can also depend on recommendations from within your network by finding out who others around you are working with. Finding new ways of vetting vendors based on the increased risk of working remotely will help keep your business secure through these decentralized times.

Getting Started

It’s not easy to vet vendors while working remotely, but the need for vendor risk management has only increased in recent years. As vendors’ workers have migrated to remote and hybrid schedules, information security and cybersecurity teams are struggling to piece together secure supply chain risk management plans that account for all the possibilities.

It starts with vendor risk management. You might be able to control your own employees, but vetting vendors who have access to internal systems or sensitive data is also a crucial step in removing weak links from your organization’s cybersecurity. Contact us to find out how ProcessUnity can help.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.