
Supply Chain Stability and COVID-19 Vaccine Delivery

As COVID-19 vaccines are rolled out around the world, effective risk management coupled with predictive analytics can help ensure supply chain stability to quickly and safely deliver them. Pharmaceutical companies and stakeholders around the world are scaling their vaccine roll-out, and concerns are emerging around logistical challenges of how to manage quick global distribution. One thing is clear: the entire supply chain’s stability needs to be monitored carefully, as a single fracture can have catastrophic effects on distribution of this time-sensitive vaccine.

Pfizer has designed an innovative logistical method to control vaccine distribution from manufacturing to the local cold-storage facility. Much has been written about vaccine producers’ heroic efforts to secure upstream components such as glass vials, stoppers, and crucial vaccine ingredients, as well as the distribution packaging, including dry ice capacity, specially manufactured cold-boxes for vials, airfreight logistics and more. But very little has been reported on the downstream, or on-the-ground, distribution of the vaccines around the world. As the vaccine touches down in states across the United States and countries around the world, the real distribution challenges begin.

As in every industry, risk originates in many places along the supply chain. Geopolitical risk, fraud, and third-party financial risk all must be understood if the vaccine is to reach the greatest number of people in the shortest amount of time. While some believe responsibility for distribution lies solely with individual localities, they are forgetting that the entire supply chain and logistics industry has a moral imperative to ensure that the vaccine is properly and fairly distributed.

Even with the best planning, plenty can go wrong, including:

Geopolitical Risk: If history has taught us anything, it is that some in power will manipulate the distribution of life-saving relief to their political advantage. Examples include the United Kingdom’s blockades of food to Ireland and India, Sierra Leone military juntas interfering with United Nations food relief, and Somali intelligence officers kidnapping the World Food Program’s local chief, among others. Closer to home, President Donald Trump tried to manipulate the distribution of PPE away from states that did not support his politics. Once life-saving vaccines arrive in local facilities, it will be a monumental task to distribute them fairly, and in a manner that does not give more power to local officials who seek to use them to further entrench corruption.

Financial Risk: Many organizations can stumble while rolling out distribution programs. Without proper chains of custody, fast financing, and quick due diligence on third-party logistics suppliers, even the most well-oiled machines could fail to deliver the vaccine successfully. The scale of vaccine demand is massive. Shortages are already present for raw inputs and for critical infrastructure components. To meet these unique challenges, access to fair financing and payments should be guaranteed to all participants in the supply chain (i.e., no 90-day contracts for truck drivers who are moving the vaccines).

Geolocation: Risks like natural and manmade disasters, lack of last-mile distribution, and poor infrastructure can all cause a single point of failure. The technology exists to ensure that vaccines are sent to the most geographically ideal local distribution hubs, and predictive forecasting should be employed to ensure the most timely deliveries.

Since risk can originate anywhere along the supply chain, everyone involved in the logistical aspect of vaccine storage and distribution needs to assess the existing systems to calculate and correlate risk. Leveraging technology is the best way to gain visibility. Rather than rely on gut instincts to determine supplier and partner risk, those in charge should use data to make decisions and consider implementing automated intelligence technology to actively predict and correlate how a change in geopolitical risk will affect the financial health of suppliers. Proactive planning is not only crucial for continuing rollout of vaccines for the current pandemic, it is also paramount in being prepared for the next pandemic.

Closing the Vendor Security Gap

What do organizations really know about their relationships with their vendors?

It’s a question that most companies can’t answer, and for many, that lack of knowledge could represent increased risk of a security breach. This year, Bomgar conducted research into vendor security on a global scale, and the findings underscore that much work remains to be done to shore up third-party security.

The 2016 Vendor Vulnerability Index report produced eye-opening results that should be a wake-up call for business leaders, CIOs and senior IT managers. The survey of more than 600 IT and security professionals explores the visibility, control, and management that organizations in the U.S. and Europe have over external parties accessing their IT networks. Some of the most surprising statistics are summarized below:

  • An average of 89 vendors are accessing a company’s network every week.
  • 92% of respondents reported they trusted their vendors completely or most of the time.
  • 69% said they definitely or possibly suffered a security breach resulting from vendor access in the past year.
  • In the U.S., just 46% of companies said they know the number of log-ins that could be attributed to vendors.
  • Only 51% enforce policies around third-party access.

It’s evident from these findings that third-party access is pervasive throughout most organizations. What’s more, this practice is likely to grow—75% of the respondents stated that more vendors access their systems today than did two years ago. An additional 71% believe this number will continue to increase for another two years.

Two-thirds of those polled admit they have a tendency to trust vendors too much—confidence that should be questioned based on the results of this report. The data revealed that, while most organizations place a high level of trust in their vendors, they still have a low level of visibility into how vendors are accessing their systems.

This contradiction is not something organizations should take lightly. As noted above, 69% of respondents admitted they had either definitely or possibly suffered a security breach resulting from vendor access. An additional 77% believe their company will experience a security issue within the next two years as a result of vendor activity on their networks.

As an organization’s network of vendors grows, so too does the risk of a potential breach. For most companies, it is essential that third-parties have access to sensitive systems as a course of doing business—the question centers on how to grant this access securely.

Historically, companies have used VPNs to provide network access to third parties. VPNs are appropriate for their intended end users, remote and/or traveling employees, but issues arise when a VPN is trusted to manage connections from external groups. If a system connected via VPN is exploited and used as a point of persistence for leap-frogging into the broader network, hackers can persist for days or months and move stealthily about the network. Companies have also seen insiders, malicious or well-intentioned, choose to abuse their access to steal or leak sensitive information, which open-ended VPN connectivity makes fairly trivial.

To balance the dual demands of access and security, companies need a solution that allows them to control, monitor and manage how external parties are accessing their systems. Rather than providing “the keys to the kingdom,” a modern secure access solution enables organizations to grant vendors and other third-parties access only to the specific systems and applications needed to do their jobs.

To ensure security, organizations should also select a secure access solution that provides video and text logs of all session activity. This allows companies to monitor how remote access is being used and, perhaps more importantly, by whom. With this technology, any suspicious activity can be immediately flagged for further investigation. In addition, these session forensics can help companies meet internal and external compliance requirements.
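The monitoring described above can be sketched as a small audit over session logs. This is an added example, not code from the report or from any product; the log format, vendor names and system names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed policy: the systems each vendor is approved to reach (hypothetical names).
POLICY = {
    "acme-hvac": {"hvac-ctl01"},
    "paywell": {"payroll-app", "payroll-db"},
}

# Constructed session-log lines in an assumed key=value format.
SAMPLE_LOG = """\
2016-05-02T09:14:09Z vendor=acme-hvac user=jsmith target=hvac-ctl01 event=session_start
2016-05-02T09:40:51Z vendor=paywell user=mlee target=payroll-app event=session_start
2016-05-03T02:17:33Z vendor=acme-hvac user=jsmith target=pos-db02 event=session_start
2016-05-03T11:02:10Z vendor=printfix user=tech1 target=print-srv event=session_start
2016-05-03T11:05:00Z this line is malformed
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) user=(?P<user>\S+) "
    r"target=(?P<target>\S+) event=(?P<event>\S+)$"
)

def audit_vendor_sessions(lines, policy):
    """Return (sessions per vendor, findings) for session_start events."""
    counts, findings = Counter(), []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparsed", line))  # surface bad lines, never drop them
            continue
        if m["event"] != "session_start":
            continue
        vendor, target = m["vendor"], m["target"]
        counts[vendor] += 1  # answers "how many log-ins belong to this vendor?"
        if vendor not in policy:
            findings.append((n, "unknown_vendor", vendor))
        elif target not in policy[vendor]:
            findings.append((n, "out_of_scope", f"{vendor}->{target}"))
    return counts, findings

if __name__ == "__main__":
    counts, findings = audit_vendor_sessions(SAMPLE_LOG, POLICY)
    print(dict(counts))
    for finding in findings:
        print(finding)
```

The per-vendor counts give the log-in visibility the survey found lacking, and the findings list is the queue of sessions to investigate.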

Another secure access best practice is to employ a password/credential vaulting solution. This enables organizations to mitigate the risk of credentials shared between privileged users, which are often the target of a threat actor. It also reduces the risk of what system administrators often think of as “the sticky note nightmare,” where a sensitive credential is written on a sticky note and stuck on someone’s monitor for all who walk by to see. Password vaulting technologies also help with the dangers posed by embedded system service accounts that have administrative privileges and are rarely rotated for fear of bringing critical business services down. A small yet strong initiative to protect network security would be to require every privileged user to obtain the credentials needed for elevated work by checking them out of a password vault. This removes most of the challenges associated with sharing credentials because, once they are checked back in, those credentials can be immediately rotated and thus become unknown to the employee or the bad actor who may have stolen them. Requiring multi-factor authentication to access the password vault and other sensitive systems takes it a step further.
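The check-out, check-in and rotate cycle described above, as an added example rather than any vendor's API. The class, the account name and the MFA callback are hypothetical, and a real vault would also change the password on the target system when it rotates.

```python
import secrets

class CredentialVault:
    """Toy in-memory model of credential check-out with rotation on check-in."""

    def __init__(self, mfa_verify):
        self._mfa_verify = mfa_verify  # assumed callable(user, code) -> bool
        self._current = {}             # account -> current password
        self._holder = {}              # account -> user holding the check-out
        self.audit = []                # (event, account, user), kept for review

    def enroll(self, account):
        self._current[account] = secrets.token_urlsafe(24)

    def check_out(self, account, user, mfa_code):
        if account not in self._current:
            raise KeyError(account)
        if not self._mfa_verify(user, mfa_code):
            self.audit.append(("mfa_denied", account, user))
            raise PermissionError("MFA verification failed")
        if account in self._holder:  # one holder at a time keeps use attributable
            self.audit.append(("busy", account, user))
            raise RuntimeError(f"{account} is already checked out")
        self._holder[account] = user
        self.audit.append(("check_out", account, user))
        return self._current[account]

    def check_in(self, account, user):
        if self._holder.get(account) != user:
            raise PermissionError("only the current holder can check in")
        del self._holder[account]
        # Rotate immediately: the value the user saw (or leaked) stops working.
        self._current[account] = secrets.token_urlsafe(24)
        self.audit.append(("check_in_rotated", account, user))

    def is_current(self, account, candidate):
        """Stand-in for the target system accepting or rejecting a password."""
        return secrets.compare_digest(self._current[account], candidate)

def demo():
    # Constructed MFA stub: accepts one fixed code for every user.
    vault = CredentialVault(mfa_verify=lambda user, code: code == "123456")
    vault.enroll("svc-backup")
    password = vault.check_out("svc-backup", "alice", "123456")
    valid_during = vault.is_current("svc-backup", password)
    vault.check_in("svc-backup", "alice")
    valid_after = vault.is_current("svc-backup", password)
    return valid_during, valid_after, [event for event, _, _ in vault.audit]
```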

In today’s heightened environment, following these steps should be essential security best practices for any company allowing vendors or other third-parties to access their network.

The Vendor Vulnerability Index report suggests that companies are aware of the threats posed by ineffective management and poor visibility into vendor access. Yet, as the data shows, just slightly over half of the respondents are enforcing any policies around third-party access. In light of these findings, companies should also ensure that they are properly screening any third-parties with whom they share network access. For example, does the vendor provide security awareness training as part of their employee on-boarding process? Asking this and similar questions will give companies a clearer picture of the vendor’s security ethos, and help them to determine if the partnership is a good fit to begin with.

In order to combat this growing vulnerability, organizations need granular control over external access. Only with such a solution in place can companies feel confident that their vendors won’t unintentionally become their weakest security link.

Hidden Exposure: Protecting Your Business with Third-Party EPLI

In today’s increasingly litigious society, harassment and discrimination are trending upward. To protect your business from workers’ claims, including wrongful termination, breach of employment contract, wrongful discipline, failure to employ or promote, sexual harassment and discrimination, you likely have employment practices liability insurance (EPLI) in place.

But if your employees frequently deal directly with the public, there may be a glaring gap in your coverage. Your business and workers may also be at risk for harassment or discrimination claims from a customer, client, supplier, vendor or visitor. The bad news: these types of claims are not covered by commercial general liability insurance or standard first-party EPLI.

To protect your business from customer or client allegations, third-party EPLI is the answer.

The types of wrongful acts typically covered by third-party EPLI are discrimination and harassment. Discrimination can include claims based on nationality, sex, disability, age, race, religion, pregnancy or sexual orientation. Harassment can take many forms, such as unwelcome sexual advances, requests for sexual favors, and other types of verbal or physical abuse. Third-party EPLI reimburses your company for court and legal fees, as well as any settlements between the business and the accuser.

Third-party EPLI may be appropriate if you frequently meet with clients or deal with vendors. And it is absolutely essential for businesses that interact with the public. Examples include large customer service teams, cable television installers, contractors, restaurant, hotel and transportation workers, and real estate agents.

For example, a customer sued a New Jersey gas station after being sexually assaulted by an attendant who was filling up her car. The woman claimed the station attendant made inappropriate advances, performed a lewd act and touched her while she was buying gas, according to NJ.com. The woman also claimed that another employee at the gas station did nothing to prevent the incident or intervene during it.

In another example that made national headlines, thousands of African American patrons of Denny’s restaurants claimed they were refused service, were forced to wait longer, had to prepay for food, or pay more for food compared to white customers, the New York Times reported. These claims, which totaled 4,300 and spanned several years across multiple states, culminated in a class-action lawsuit against the national restaurant chain. Denny’s settled the suit in federal court, and members of the class-action suit were awarded $54 million for damages.

Starbucks was sued in federal court by a group of 12 deaf customers who said they were mocked and mistreated at a coffee shop in New York City. The group claimed they were harassed multiple times because of their disability. In one instance, a Starbucks employee called the police in response to a group of deaf patrons who met at a Starbucks to hold their monthly Deaf Chat Group, although the patrons were paying customers, according to USA Today. The police apologized to the patrons and reprimanded the employee for calling the police when there was no illegal conduct.

As you can see, the level of interaction a company has with those who might claim a wrongful act, and the industry in which you operate, can affect the cost of third-party EPLI. Other factors come into play as well, like whether you’ve been sued in the past over employment practices.

While third-party EPLI helps defray the cost of lawsuits and judgments brought against your business, one thing it doesn’t protect is your reputation. Therefore, forward-thinking employers are doing more than just purchasing a third-party EPLI policy; they’re also taking steps to make it less likely they will have to use that policy. Effective training and education, no matter your level of exposure, can help prevent claims of wrongful acts against your business or employees. Creating training programs to educate employees on what constitutes harassment and discrimination, as well as putting processes in place about what to do in the event of an allegation, are good starting points.

When screening and hiring new employees, it is essential to create programs that help your hiring team vet candidates solely on their qualification for the job. Documenting your process helps everyone understand the requirements and will provide backup should issues arise.

It’s also a good practice to display all corporate policies as they relate to hiring and worker conduct in employee handbooks so the policy is available to everyone and can be reviewed when necessary. Many companies also ask employees to sign a document affirming they have read the employee handbook.

Unfortunately, all of the education and training in the world can’t stop a customer or vendor from claiming harassment or discrimination by one of your employees. But a carefully developed third-party EPLI plan that assesses your exposure and helps you completely cover your business can minimize your risk.