Service Announcement: The Right Questions to Ask Your Vendors in Times of Large-Scale Remote Working
Security Best Practices & Advice


By Elad Shapira | Mar 09, 2020 | 3 min read

In the wake of coronavirus, companies are now applying immediate work-from-home policies. This sudden and massive change poses a set of new cybersecurity risks and is forcing security teams to take immediate action. 

One of these cybersecurity risks emanates from the supply chain. While a large company may be able to quickly undergo the transition from a relatively concentrated workforce to a large-scale remote workforce, its supply chain partners may not. 


To help ensure the cyber resilience of the supply chain during these turbulent times, Panorays has made its related vendor evaluation criteria available, broken down into 18 questions. Companies are welcome to use these questions to assess their vendors' preparedness for work from home.

General

  1. Do you already have remote work practices and policies?
  2. How many of your employees already have remote work capabilities?
  3. How much of your day-to-day activity is suitable for remote working today?
  4. What is your remote access mechanism?
  5. Which client devices are allowed to access your digital assets remotely?

Authentication and Authorization

  1. Do you enforce 2FA for employees with remote work capabilities?
  2. Do you enforce strong passwords for all employees with remote work capabilities?

Resilience and Business Continuity

  1. Is your network structured to support remote access for all of your employees?
  2. Do you expect operational problems or negative impact to your service due to remote access?
  3. Do you expect the pre-agreed SLA might be breached?
  4. Do you back up regularly, and do you require your employees to use and save files only in company-controlled locations (such as an internal Google Drive or dedicated services)?
  5. Do you have redundant inbound connectivity for your facilities / internal systems?

Procedure and Processes

  1. Do you give your employees dedicated security awareness training for working in public places such as coffee shops or restaurants? In particular, are they instructed to keep the endpoint locked when unattended and to verify that they are on a secure network, for example by tethering to an employee's mobile phone rather than using public Wi-Fi?
  2. Did you train your employees with respect to the above procedures / processes before allowing remote working?
  3. Do you have clear procedures / processes / controls in place for verifying the authenticity of communications (email, phone, IM) with respect to activities such as fund transfers, account creation, account reset, etc.?
  4. Do you have a security solution protecting the endpoints (antivirus, EDR, etc.)?
  5. Do you have tools or procedures to support remote patch management for your servers, services and endpoints?
  6. Do you have a secure manner of communication between employees working remotely?

These questions will help companies assess the cybersecurity risk emanating from their suppliers that have adopted work-from-home practices. 

It is important to note that, given the sudden shift in business behavior, the regular spreadsheet evaluation process will not work: it requires too much time and human effort. Automating the process is therefore essential. Automation allows companies to add questions without resending the full questionnaire, track progress, and measure and quickly calculate risk levels. Most of all, it allows companies to scale this process quickly and easily so that their security policy is enforced throughout the supply chain.

Want to learn more about making sure that your suppliers’ cybersecurity is ready for the challenges of COVID-19? Click here for more information.

Elad Shapira

Elad Shapira is Head of Research at Panorays. As a cybersecurity lecturer and self-described geek, he likes hardware hacking, low level development, playing Capture the Flag and making and breaking things.
