Third Party Risk, a Vendor or People Problem?
Organizations often rely heavily on third parties for improved profitability, faster time to market, competitive advantage, and decreased costs. These relationships involve sharing data of all sorts, much of which is sensitive. Third parties can be just about any entity with whom you do business with; part-time workers, contractors, law firms, marketing and PR firms, accounting and financial services firms, government agencies, software vendors, any company that provides a service for your operations.
Third-party relationships, however, come with multiple risks, including strategic, reputational, regulatory, information security, and financial risks. Penalties and reputational damage from non-compliance, supply chain disruptions, security breaches, and data thefts involving third parties are driving companies to continually evaluate third party risk. CISOs are increasingly nervous about the ” third-party problem”, so is it enough to just address third parties from the vendor perspective when IT Security leaders know that people are often the weakest link?
According to a 2018 report from PwC,: “A shocking number of organizations are not doing all that should be done to prevent third-party data breaches” and in the latest Ponemon Institute survey, “fifty-six (56%) percent of organizations said they had experienced a data breach stemming from a third-party”.
Knowing The Risk with Third Parties
Regardless industry, if your company uses third parties to help run the business then it is likely that some level of assessment is being done to approve vendors. This is a crucial step in reducing and controlling the risk associated with sharing critical information. When a company conducts an assessment of their partners and vendors they are looking to ensure that the company has the same level of standards and protections in place to ensure the data being shared is treated as well as or better than internally. The challenge however, is in the management of the people from the vendors. These people are often an extension of a companies workforce referred to as non-employees. It is here where many companies struggle to address one of the biggest risks posed by a third party relationship.
The Business Needs to Hire Non-Employees
In order to work with non- employees, companies must onboard and approve these individuals to work and have access to company assets. In some cases access is defined as a physical location, network access, or both but could be much more. These non-employees are being granted the same if not greater levels of access in order to conduct their job yet receive a fraction of the scrutiny of a full-time employees or even the vendor from which they are being hired from This is due in large part to the fact that most companies do not have one single department responsible for managing non-employees, in fact they are being hired and brought into the organization by many different departments making it seemingly impossible to manage effectively and leave a HUGE gap in a companies third party risk program.
Just like how companies put requirements and policies around how vendors are managed, they must do the same for the non-employee populations being brought in from the vendors. Evaluating, scoring and holding vendors and partners to a higher standard must carry all the way down to the individuals themselves. How a company onboards, tracks and manages non-employees should be as important if not more important than how the vendors are managed. The weakest link in most data breaches can be tracked back to the people, so companies need to really think about how they are handling non-employees from start to finish. The most recent data breach at a large healthcare organization is just one of many examples where poorly managed credentials were hacked and used to infiltrate the organization to gain access to customer data.
Can It Be Done?
In order to manage third party risk effectively your organization needs to know what vendors you are doing business with and have controls in place to ensure they are being held to the same standard as your organization. Equally as important is the need to know who from those organizations are now being granted access to your buildings and physical assets, systems and data. In order to effectively manage access you need to manage the identities. Companies that establish a process by which they can track vendor risk down to non-employee identity risk and lifecycle processes have really figured out how to mitigate third party risk. It comes down to knowing who is working for your company and what their relationship is for doing business.
You should be able to answer the following questions:
- Who are my third parties?
- Who has relationships within the organization with these third parties?
- Who has vetted these third parties?
- Who has evaluated the risk of granting these 3rd parties’ access?
- What controls have been put in place to ensure we only grant minimum access to these 3rd parties?
- Who’s re-validating these 3rd party relationships on a regular basis?
If your company is thinking along these lines and can answer these questions then your organization is doing an effective job at addressing the risk associated with third parties. We know that people are often the weakest link, and so do hackers. Now all you need to do is take the next step.
What Should My Organization Do Next?
The key to a successful third party vendor and identity risk program is to know who your vendors are, what risk they pose to your organization, and who will become non-employees from that organization. Once you know this having a SYSTEM that can do the following is a good start:
- Enables the business and partners to provide the appropriate information for each non-employee population type
- Inherits risk from the vendor to the identity
- Establishes relationships and ownership of individual non-employees
- Creates and maintains an identity and tracks lifecycle task and events
- Connect to all internal security policies and controls for granting and governing access
- Mechanisms for knowing when non-employees are no longer working for a specified vendor or when a contract has ended
The way companies address third party identity risk, streamline and improve existing manual ad-hoc processes is by deploying a single source of record for all third party, non-employees, a partner collaboration tool that involves the various business units and partners in the process, and can establish, manage, and track lifecycle changes to effectively improve business operations while mitigating as much risk as possible. To learn more about how Third Party Identity Risk and Lifecycle Management can support your existing efforts click here.