Cybersecurity and the Remote Workforce: The Role of IT Procurement
Brought to you by WBR Insights.
Today's procurement processes operate on multiple platforms and technologies, across borders and oceans, and within multiple integrations between enterprises. Inevitably, sensitive data such as bank account numbers, credit card numbers, invoices, bid information, names, addresses, and even customer information must be shared between parties, whether it's between two co-workers at the same organization or between a procurement department and a supplier on the other side of the world.
When the entire workforce is working from the office, it's easier to keep data secure and manage access to the organization's procurement systems. Employees can log on using company machines, and physical security measures can help to prevent technology from being lost or stolen.
But when some or most of the workforce is working from home, cyber risks can escalate. Both the procurement and IT departments have a role to play in protecting company property and data while the workforce is working remotely.
The Cyber Risks of Remote Work
Remote work has many benefits, but it is innately risky from a cybersecurity perspective. Logistically, remote work creates some significant challenges to both mitigating and responding to cybersecurity threats. According to Security Magazine, "Unfortunately, data breaches will take longer to detect and identify due to the increase in remote work. With the increase in phishing and ransomware attacks, most companies are already compromised—and they aren't aware of it."
Procurement and IT departments must first be aware of the key security vulnerabilities that arise due to remote work. Here are some of the most prominent.
Use of Personal Devices
Organizations have little to no control over how employees use their personal devices, as they are personal property. But many remote workers handle company files and data using their personal devices.
If an employee isn't properly securing their personal device, the risk of a data breach through that device increases.
Unencrypted File Sharing
Employees who are used to sharing files and data within a secure company network may mistakenly share unencrypted files when working from home. For example, co-workers who communicate via an unauthorized channel like a chat tool may share sensitive company information without realizing it's unencrypted. Similarly, consumer-grade file-sharing tools typically don't offer the same protections as those designed for enterprises.
Unsecured Wi-Fi Networks
Most "public" Wi-Fi networks are "unsecured," which means they are unencrypted and not password protected. For example, some Wi-Fi networks at coffee shops and restaurants are unsecured.
If an employee transfers sensitive data over an unsecured network, anyone monitoring network traffic could potentially access that data. Furthermore, some hackers create what are called "Wi-Fi Honeypots" in which they mimic legitimate Wi-Fi networks to entice users onto their unsecured network.
Social Engineering Attacks
Social engineering attacks refer to any type of cybersecurity attack that leverages psychological manipulation to cause a breach. Phishing scams are the most common type of social engineering attack, accounting for more than 80% of reported security incidents.
In a phishing scam, a hacker sends an email that appears to be from a legitimate source, such as a co-worker, superior, or third-party provider. But the email contains a malicious link or a file that contains malware. Trusting the sender, the user then downloads the malware onto their computer, infecting the system and potentially exposing company data.
How Procurement Can Keep Company Data Secure
Thankfully, there are some concrete steps the procurement function can take to help secure company data when working remotely.
Deploy Robust Cybersecurity Solutions
When employees are working remotely, any cybersecurity protocols that are in place within the organization must be extended. While employees should have personal cybersecurity solutions in place (such as anti-virus software), the organization must be able to provide security features to employees remotely.
Many organizations successfully secure their remote workers by procuring and deploying security tools like the following:
- VPNs (virtual private networks)—A secure, private network connection created across a public network connection, such as the public internet.
- Enterprise Password Management Tools—A centralized password management solution that stores, generates, and manages passwords for employees across the organization.
- Encryption Tools—Software that encrypts data so that it can't be read if it is intercepted mid-transfer from one system to another.
- Remote Desktop Access Tools—Software that remotely links an employee to a company computer by creating a secure, virtualized desktop on their personal device.
- Next-Generation Firewalls—A cloud-based firewall service that allows employees to leverage company policy management, threat protection, and threat management capabilities remotely.
Platforms like Salesforce can also help by creating a secure, cloud-based workspace for the entire organization, complete with tools like file sharing.
Collaborate with the IT Department
Collaborating with the IT department is necessary to establish rules, procedures, and guidance for remote workers. The IT department can also assist procurement in selecting and deploying security solutions, such as encryption tools and remote desktop access tools.
Launch an Employee Education Program
Employees who work remotely, whether they are full-time employees or contractors, must be educated on the cyber risks of remote work. This should be a formalized program across the organization.
Coordinate Security with Suppliers
Procurement professionals will likely share files and data with suppliers while they are working remotely. But even if your organization has taken every step to keep your employees secure, it must also mitigate third-party risks from suppliers.
Ensure any third party that engages with your organization complies with your security standards, including your security standards regarding remote work.
Cybersecurity and Data Protection in the Procurement Function
Remote work is quickly becoming a normal way of doing business, with many procurement teams considering making some remote roles permanent. Although this creates new opportunities for cost savings and talent sourcing, it also requires a more extensive approach to cybersecurity. Procurement leaders must deploy a range of cybersecurity solutions and processes to protect company data.
Cybersecurity and data protection is set to be a hot topic at the next ProcureCon IT event.