“Good Enough” is just not enough anymore!
Breaches from non-employees keep coming and coming! If your organization doesn’t make a diligent effort to manage them, you may be the next to join the ranks of those breached through non-employees. Managing non-employees is a business process, and a complicated one, plain and simple. But does it need to be? We believe the challenge can be addressed by looking at it through a different lens. Companies are solving problems across the enterprise by dropping the “it is how we have always done it” mentality and embracing technology, process, and business change. Keep reading and you will see!
The old meets the new!
Companies are finally getting around to third-party risk and the task of ensuring that partners adhere to acceptable security standards for handling their data. This is driven by the fact that companies rely on their supply chain more than ever, and the number of breaches tied to a third party is on the rise. According to a recent Ponemon Institute survey, fifty-six percent (56%) of the organizations surveyed said they had experienced a data breach stemming from a third party. We fear the reality is far worse, as nearly all the companies we speak to admit to not even knowing whether a breach has occurred. In fact, most companies we speak to say the real challenge is the lack of control and of a centralized process for how vendors AND non-employees are managed. To companies looking to address third-party vendor risk, we applaud your efforts but offer a word of caution: you can’t fix the vendor process without fixing the people process. Countless breaches can be tied to poor internal controls; Target is one such case, where compromised HVAC vendor credentials were the cause of the breach.
When it comes to non-employees, most companies have a poorly executed process (if one exists at all!) for managing the coming and going of non-employees. In some cases, companies rely on the business to collect the pertinent information needed to onboard a non-employee and then to maintain the accuracy of that data over time. The reality, however, is that once that person is onboarded, it is rare that anyone pays any attention to the information initially collected, let alone whether that person is still working for the vendor they originally came in from. The non-employee population is diverse and complicated, with each population type requiring different information, processes, approvals, etc., making a one-size-fits-all approach inefficient.
It is safe to say you can’t blame the business; you must blame the process. Managing people is a full-time job; look at the number of HR people needed to manage full-time employees (~1.08 per 100). So why is it that, when it comes to non-employees, companies have little to no investment in people, and the market has yet to create a solution to address the problem? Until now, that is; but we will get to that in a bit. First, let’s look at what is really happening.
Here is what 98% of the companies we have talked to in the past 24 months have told us about managing non-employees.
- We have our non-employees in our HR system but struggle to address all non-employee types. Meaning it is one-size-fits-all, static, cumbersome on the business, and 100% does not involve partners in the process. Our teams (HR, IT, Business) spend north of 2 hours per non-employee collecting, transferring and entering information/data into different systems. In the end, the data entered (if accurate) does not tell us enough to make it actionable, and relationship data is not established. The traditional manager-to-employee hierarchy does not apply when it comes to non-employees because it might be an employee in a group responsible for non-employees; this is just one area where our HR system falls short.
- We customized our IAM process to address third-party non-employees because there was no other system or internal ownership. This stresses our IT team due to the lengthy, manual and ad-hoc process of gathering, communicating and tracking information about people. Once the information is gathered and access granted, the data becomes stale and nearly impossible to keep up to date.
- We built a homegrown system to address non-employees years ago, but the person who originally designed the system is long gone, it is built on an old programming language, and there is no one in the organization who knows the code. We are stuck with outdated processes that address only a portion of our non-employees, have created countless workarounds and customizations to other systems, and still barely address the needs of the business.
When we dig in a bit more and look at the additional challenges of each approach, you can really begin to see why companies struggle to get control of, and mitigate, the risk associated with third parties.
- Requires unique skillset to build and maintain.
- Based on point-in-time business requirements that change often requiring more services.
- Costly services engagements that go on forever as business needs change.
- Contractor onboarding process is limited to managing access only.
- Ownership falls to IT and HR, with limited involvement from the LOB.
- Relies heavily on business users, does not allow for collaboration with partners.
- Can’t model complex relationships or use relationship data to trigger events (transfer, terminate, etc.).
- No ability to manage identity risk and can’t take action against vendor risk. All identities are created equal regardless of vendor or nature of engagement.
- Does not cover non-human identities.
- Results in a solution that is very fragile and not upgrade safe.
Mind the Third Party Gap
Regardless of approach, every company we speak to has a set of common challenges, or Third Party Gaps as we like to call them.
- No ownership (HR, IT, Business)
- Processes not clearly defined
- Different populations with different requirements
- No single centralized authoritative identity source
- Lack of understanding of risk (Identity, organization, access)
- Unactionable relationship data
- Lack of data integrity
- No self-service or delegated admin functionality
- Difficult to know who is still engaged
- Inability to take action on change of partner relationship
- Lack of auditability
These gaps, when left unaddressed, present weaknesses that hackers can and do exploit to penetrate a company’s systems. Together, they make it nearly impossible to answer key questions such as:
- How many non-employees do we have working for us right now?
- How many non-employee accounts are still active that should not be?
- If we were audited today could we quickly and easily run accurate reports on all non-employees, their sponsors, and their current status as well as what access has been granted?
- If a vendor is terminated or a breach occurred at a vendor today, how long would it take to track down and disable access to all non-employees from the vendor?
- When non-employees are trying to gain access to systems, is there a way to validate the non-employee is who they say they are?
- When a non-employee is being onboarded, is there a way to validate that this person is not an ex-employee fired for cause and flagged as “do not rehire”?
- Who are our riskiest vendors and how does that translate to the number of non-employees working for the organization from each?
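As an added illustration (not from the original post), the Python below sketches a minimal authoritative source in which every non-employee record carries its relationships (vendor, internal sponsor, engagement end date, account state), and shows how that relationship data makes the questions above answerable in code. All records, vendors, risk ratings and e-mail addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class NonEmployee:
    uid: str
    vendor: str           # sponsoring third party
    sponsor: str          # internal employee accountable for the engagement
    end_date: date        # contracted end of the engagement
    account_enabled: bool
    email: str

# Constructed sample data; people, vendors, ratings and dates are invented for this example.
TODAY = date(2025, 1, 15)
VENDOR_RISK = {"Acme HVAC": "high", "Globex Consulting": "low"}   # as rated by vendor management
DO_NOT_REHIRE = {"j.doe@example.com"}                             # ex-employees terminated for cause
PEOPLE = [
    NonEmployee("ne001", "Acme HVAC", "emp100", date(2024, 1, 31), True, "a.smith@acme.example"),
    NonEmployee("ne002", "Acme HVAC", "emp100", date(2025, 12, 31), True, "b.lee@acme.example"),
    NonEmployee("ne003", "Globex Consulting", "emp200", date(2025, 6, 30), False, "c.ng@globex.example"),
]

def is_engaged(p, today):
    """An identity counts as engaged only while enabled and inside its contracted dates."""
    return p.account_enabled and p.end_date >= today

def active_headcount(people, today):
    """How many non-employees are working for us right now?"""
    return sum(1 for p in people if is_engaged(p, today))

def stale_accounts(people, today):
    """Which accounts are still enabled although the engagement has ended?"""
    return [p.uid for p in people if p.account_enabled and p.end_date < today]

def accounts_for_vendor(people, vendor):
    """Every enabled identity tied to one vendor, to disable if that vendor is terminated or breached."""
    return [p.uid for p in people if p.vendor == vendor and p.account_enabled]

def rehire_blocked(email):
    """Onboarding check: is this person on the do-not-rehire list?"""
    return email.strip().lower() in DO_NOT_REHIRE

def headcount_by_vendor_risk(people, today):
    """Riskiest vendors first, with the number of engaged non-employees each supplies."""
    counts = {}
    for p in people:
        if is_engaged(p, today):
            counts[p.vendor] = counts.get(p.vendor, 0) + 1
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(counts.items(), key=lambda kv: (order[VENDOR_RISK[kv[0]]], -kv[1]))
```

Without the vendor and end-date relationships on each record, none of these queries can be run at all, which is the gap the post describes.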
Think differently, the “old way” isn’t good enough
Einstein was onto something: sometimes it takes a different approach. Companies should be thinking about their third-party supply chain, what it looks like, and how they interact with the vendor and the non-employees. What are the business and IT requirements for each population type, and how should each be managed? Then look to establish an authoritative source that is capable of handling the complexity of ALL population types, involves the business in the process, can establish and create identities, establish relationships, manage risk, and enable collaboration across the enterprise and its partners.
By having a single authoritative source and centralized identity lifecycle management, companies can:
- Streamline and automate business processes to more efficiently collect and maintain identity information for all populations
- Account for and manage all identities appropriately
- Better understand and manage the risk of each identity (people and things)
- Improve downstream governance and administration of access
- Improve the end-user experience
- Bring the business into the process of managing and owning third party, non-employees
- Maintain a single identity for the many relationships a person may have with an organization
- Achieve compliance for third-party people (e.g. GDPR)
- Gain full auditability of identity lifecycles
Vendor management, IT Security, HR, Legal, Internal Audit – all have a vested interest in ensuring that third parties/non-employees are managed at least as well as employees, to avoid exposing the business to high risk. The reality for many organizations that continue to try to address the challenge via third-party risk management and existing systems such as HRMS or IGA is that they will only be tackling part of the problem. These systems were all designed with the organization or internal employees in mind and never built out the functionality to handle the vast complexity that comes along with non-employees. To do so now is like fitting a square peg in a round hole.
The good news is that solutions exist that will enable your company to address the challenge. Companies can reduce the risk of non-employees while raising productivity and improving service to the business through automation and centralization, all while working within your existing environment. The solution, however, should be able to establish relationships between non-employees and employees, like a traditional HR system. It should allow automated workflows for provisioning and de-provisioning identities, like a traditional IGA system. Lastly, the solution should allow for the risk rating of each identity, for transparency and risk-based decision making, like a GRC solution.