By now, talking about the changes wrought by the pandemic as the “new normal” has become a cliche. But the phrase gets thrown around as often as it does for good reason: many of the changes that came at us hard and fast in March 2020 have shown real staying power. When it comes to the workplace, many organizations are still reeling from the transformation to work-from-home and the ripple effects of the great resignation.
But on top of all the other ways workers are having to adapt to pandemic-driven change, the shifts in workplace norms also bring a unique set of risks. In the last two years, third party risk management (TPRM) has become more important than ever. But at organizations already shaken by so many other unexpected challenges, the investment in TPRM hasn’t necessarily met the increased need.
To adequately prepare for the TPRM risks of the day, organizations should be thinking about several of the notable ways the “new normal” of work involves third party risk.
Remote Work Products Introduce New Third Party Risks
Nearly two years have passed since organizations around the world had to scramble to get employees set up for work-from-home with no warning. According to research from Owl Labs, 70% of full-time workers in the U.S. have now worked from home. For a sizable portion of those employees, a taste of work from anywhere (WFA) was enough not to ever go back. One-third of them say they’d quit their job before returning to the office.
But accessing internal data, materials, and software remotely presents its own security risks. And the products that make that access possible add a whole new set of third party relationships organizations must depend on. In one Tenable report, 74% of organizations blamed a recent cyberattack on remote work tech vulnerabilities. And 80% of security and business leaders believe remote work makes their organization more open to risk.
Remote work is here to stay—the companies that try to force workers back into the office are learning the hard way how quick people are to quit over it. Accepting the realities of WFA means accepting that there’s more work to do to protect the organization and employees from the increased risk that comes with it.
More Employee Devices Mean More Vulnerability
This isn’t a new problem. This blog has been covering the risks associated with employees working from personal devices for close to ten years. But as the lines between work and home have blurred, so have the lines between which devices are for work and which are for personal use. Many employees working from home do so from their own laptops and tablets or keep up with email and other work tasks on their phones while on the go.
And if anything, hybrid models make this worse, as having in-office computers and at-home computers just means more devices overall. The more devices work data and programs live on, the more points of vulnerability are introduced.
TPRM Talent Shortage Leaves Organizations Underprotected
These increased risks are less of a problem for organizations that have a strong TPRM department with enough people and resources to adequately address them. But that’s hard to pull off for most organizations, due to the ongoing TPRM talent shortage. When the risk management employees you have are overworked and overwhelmed, having proper knowledge and good intentions isn’t good enough.
Add to that the number of people needing to take more time off due to COVID-19 sick leave or pandemic burnout—something many businesses faced in early 2022 with the Omicron wave—and the risk is only compounded.
Business Data Could Leave With Employees
In 2020, around 3.95 million people quit their jobs each month, a number notably higher than any other recent year. The tide of employees leaving for other opportunities (or to spend more time with their kids, or because they simply need a break) creates plenty of problems for businesses that end up short-staffed and lose institutional knowledge in the process. But that’s only part of the problem. Another issue that could be easy to overlook is the data they take with them.
In a 2016 analysis, Osterman Research found that 32% of companies had problems with employees keeping corporate data when they leave their jobs. TPRM teams have a big enough job getting current employees to maintain safe practices around business data. But if that data leaves the organization completely when an employee does, your ability to keep it secure goes with it.
Employee Burnout Increases Social Engineering Risks
Too often, people are the weak spot in an organization’s defenses—they’re only human, after all. And unfortunately, the employee burnout impacting organizations across industries right now makes this risk worse.
Research from Tessian found that 93% of employees in the US and UK report feeling tired and stressed during the workweek. 10% say they feel tired every day. That’s already an issue organizations should be concerned about, but making matters worse, 52% of employees said they make more mistakes when they’re stressed and 43% mess up more when tired.
For anyone familiar with cybersecurity, the risk this presents is clear. Criminals frequently use social engineering to trick people into handing over the information they know should be confidential. When people are tired, stressed out, and distracted, even savvy employees that would normally know better become potential targets for this type of crime. That puts the whole organization at risk.
And the more employees you have that are exhausted and stressed out, the higher your risk.
Know Your Risks
Staying on top of TPRM requires paying close attention to trends and evolving risks. The current state of work brings a mix of business challenges that risk management professionals must be on guard for. Knowing the specific types of risks you face is just the first step to addressing them, but it’s an important first step. Crafting a risk management plan that takes into account all of the security challenges that come with the “new normal” of work is crucial for keeping your organization protected.