
Risk appetite in the age of the non-employee


Organisations are always on alert for traditional security threats like phishing, ransomware, or distributed denial of service (DDoS) attacks. But IT leaders also need to be prepared for the potential impact that external events (e.g. industry developments, market trends, or global events such as public health crises) can have on operations. No matter how resilient organisations believe they are, they may still be vulnerable through channels they have not considered.

To effectively safeguard an organisation, it is vital for risk, security, and IT leaders to have a shared understanding of their organisation’s risk appetite, which is the amount of risk the organisation is willing to accept in pursuit of its objectives. This provides security and IT leaders with a baseline to refer to as they monitor the organisation’s risk exposure - especially in heightened risk environments - and make recommendations to adjust risk tolerances. Many organisations choose to accept more risk in exchange for the operational advantages that third-parties are able to provide, especially those with specialised skill sets. However, organisations should ensure that such decisions are aligned with their risk tolerance. Organisations that have well-managed risk strategies are actually able to accept more risk in their operations and can facilitate a broader range of business initiatives. This also helps organisations better prepare themselves for high-risk situations, such as disruptive market or world events or other vulnerabilities.

Awareness is particularly important in areas of acknowledged high risk, such as the use of third parties, or “non-employees”. Non-employees are individuals or even “things” outside of your organisation that complete work for your organisation, such as contractors, vendors, partners, affiliates, volunteers, students, bots, or service accounts. According to an Opus Ponemon study, this population is responsible for more than half of all data breaches, and only 16 per cent of organisations say they can effectively mitigate third-party risks. As organisations increase the number of third parties with access to internal facilities, systems, and data, their risk exposure increases accordingly. Unfortunately, most organisations only manage third-party risk at the organisational level, assessing whether a third party has sufficient security controls in place. While this assessment is important, it represents a macro approach to third-party risk management. For organisations that want a more granular understanding of their risk, it is important to evaluate exposure at the level of the individual third-party identity.

So how can organisations across industries best manage third-party risk and gain the operational agility they need, especially in times of heightened risk? Here are three tips:

Ensure third-party risk is in line with risk appetite

According to a 2018 Ponemon Institute study, most organisations don’t know their exact number of third-party users, and only one-third of organisations had a list of all third parties with which they share sensitive information. Managing third-party risk at the organisation level does not provide the granularity needed to align third-party risk practices with risk appetite effectively.

Organisations should risk-rate third parties at the individual identity level in order to get a comprehensive understanding of their risk exposure. While individuals can inherit the risk profile of their employer, it would be an oversimplification to ignore the characteristics that may make an individual more or less risky to the organisation than their peers, such as their work history, location, role, and level of access. By risk-rating each individual non-employee, organisations can ensure that access is based on least privilege, meaning only the appropriate privileges are enabled for the appropriate resources at a specific point in time, and that access is terminated in a timely manner when it is no longer required.

Risk-rate and audit third-party populations

Most organisations have no way to centrally track and manage relationships with non-employees, including the types of access to enterprise assets they require and the individual risk they pose. Many have attempted to solve the problem - unsuccessfully - by customising their existing human resources or identity and access management (IAM) systems, while others have tried to build their own proprietary systems. These systems are insufficient in many ways. One important difference between employees and non-employees is that data about non-employees needs to be collected collaboratively from sources both inside and outside the organisation. The most consequential shortcoming, however, is their inability to assess the risk associated with each of these individuals.

Comprehensive, contextual information needs to be gathered and evaluated for each third-party user and risk ratings should be completed to ensure that the right individuals have access to the right systems and information for the necessary period of time. With this granularity, organisations can proactively audit third parties at the individual identity level, and in situations where a risk tolerance has changed, make any access adjustments needed. This empowers an organisation with the operational agility needed to be successful throughout what might otherwise be disruptive systemic or market events.

Commit to ongoing access adjustments

Vigilance is important outside of heightened risk scenarios as well. Many organisations will be surprised to learn how many non-employees have access to sensitive information that is not needed to do their jobs. To manage third-party risk effectively, organisations need to provision users accurately in the first place, and also implement regular audits to ensure that access matches each non-employee’s current needs.

Untimely termination of access is an issue that plagues organisations. Often this occurs when a user terminates employment with their third-party employer without the organisation’s knowledge. It can also occur when a user switches to a new project or role that requires less privileged access. Many organisations adjust access in increments but fail to consider decrements, leaving users with access they no longer require and, as a result, exposing the organisation to additional risk.
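As an added illustration of the audit this section describes (example code, not from the article or from SecZetta), the Python below reviews a constructed population of non-employee identities for the three gaps named above: access that outlived the engagement, entitlements that exceed the current role, and identities whose sponsoring employer has not re-confirmed them recently. The role profiles, entitlement names, dates and 90-day attestation window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed entitlement profile per non-employee role; anything beyond it is a decrement candidate.
ROLE_PROFILE = {
    "contractor-dev": {"git-repo", "ci-runner", "vpn"},
    "vendor-support": {"ticketing", "vpn"},
    "service-account": {"ci-runner"},
}

@dataclass
class NonEmployee:
    ident: str
    role: str               # current role, which may have changed since provisioning
    engagement_end: date    # contractual end of the engagement with the third party
    last_attested: date     # when the sponsoring employer last confirmed the identity is still active
    entitlements: set = field(default_factory=set)

def review_access(people, today, attest_window=timedelta(days=90)):
    """Return {ident: [findings]} covering the three lifecycle gaps named in the text."""
    findings = {}
    for p in people:
        issues = []
        if p.engagement_end < today:            # access that outlived the engagement
            issues.append(f"terminate: engagement ended {p.engagement_end.isoformat()}")
        excess = p.entitlements - ROLE_PROFILE.get(p.role, set())
        if excess:                              # increments that were never decremented
            issues.append("decrement: " + ", ".join(sorted(excess)))
        if today - p.last_attested > attest_window:   # nobody outside has re-confirmed recently
            issues.append("reconfirm: sponsor attestation stale")
        if issues:
            findings[p.ident] = issues
    return findings

# Constructed sample population for a review dated 1 April 2020.
REVIEW_DATE = date(2020, 4, 1)
SAMPLE = [
    NonEmployee("c-alice", "contractor-dev", date(2020, 12, 31), date(2020, 3, 1),
                {"git-repo", "ci-runner", "vpn"}),
    # Moved from development to support; development access was never removed.
    NonEmployee("c-bob", "vendor-support", date(2020, 12, 31), date(2020, 3, 15),
                {"git-repo", "ci-runner", "vpn", "ticketing"}),
    # Engagement ended without the organisation being told.
    NonEmployee("v-carol", "vendor-support", date(2020, 2, 28), date(2019, 11, 1),
                {"ticketing", "vpn"}),
    NonEmployee("svc-build", "service-account", date(2021, 1, 1), date(2020, 3, 20),
                {"ci-runner", "vpn"}),
]

def sample_findings():
    return review_access(SAMPLE, REVIEW_DATE)
```

Calling `sample_findings()` flags c-bob and svc-build for decrement and v-carol for termination and re-confirmation, while c-alice, whose access matches her role and whose engagement is current, produces no finding.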

The reality for most organisations today - regardless of size - is that third-party non-employees play a critical role across many business functions, but they also increase an organisation’s exposure. According to the Verizon Insider Threat Report, third parties are one of the top five insider threats posed to organisations, showing why organisations must prioritise third-party risk management programmes. With effective third-party identity risk management, organisations can improve their operational agility and position themselves to better mitigate the risk of breaches, especially in times of heightened risk. As organisations develop crisis or contingency plans for high-risk events, they cannot afford to forget non-employees, who make up an increasing and sometimes overwhelming percentage of their workforce.

In the midst of digital transformation, and with heightened risk scenarios occurring more regularly, organisations need to take a more granular approach to their overall third-party risk management - especially where the non-employee is concerned.

David Pignolet, co-founder and CEO, SecZetta