Managing Third Party Risk: How to Properly Manage the Non-Employee Lifecycle

August 27, 2020

The reliance on third parties for business and government operations is at levels not seen since WWII. The ecosystem of partners, consultants, affiliates, agencies, and other supporting entities has become a core extension of daily operations. Within this ecosystem are supporting technologies, APIs, Service Accounts, devices, and streams of data. This complex mesh of people and technology presents many challenges. One of the most difficult of all is balancing the benefits of this extended ecosystem while managing and mitigating risk.

Understanding third-party risk depends on many elements, but the management of risk ultimately comes down to visibility. We cannot measure or mitigate what we cannot see. The relationship with a third party begins with people, not organizations. Individual knowledge workers are the ones who get access to mission-critical systems, applications and data. It’s ultimately the third-party individuals who pose the risk, not just the third-party organization.

Who or What is a Non-Employee / Third-Party?

A third-party is any entity, individual, organization, or even technology, typically with a written contract, that works with a company to provide services or products. In fact, the variability of what is considered a third-party highlights how broad and all-encompassing these relationships are. Some examples of third parties include:

● Business and Technology Consultants
● Agencies
● Third-party technology services
● Public Cloud Providers
● Lawyers/Accountants
● Business Partners and Affiliates
● Resellers

The Importance of Due Diligence and Non-Employee / Third-Party Risk Management

Managing risk in the third-party rich, modern enterprise has never been more important. A 2019 study from Deloitte, “All together now third party governance and risk management,” found that 83% of organizations had experienced a third-party security incident in the past three years. The study also concluded that roughly 20-30% of third-party risk management budgets should be spent on third-party due diligence.


This seems to be a fair review from Deloitte, as any relationship is built on the notion of trust. Quite frankly, we’re living in a zero-trust world. For organizations, due diligence is the commercial equivalent of knowing a person for a long while and building trust.

Areas of risk that require analysis during due diligence:

● Organizational Level - Information security and breach exposure
● Organizational Level - Compliance risks
● Organizational Level - Reputational damage potential
● Organizational Level - Operational and strategic issues
● Individual Level - Identity Proofing Checks
● Individual Level - Background Checks
● Individual Level - Social Media Checks
● Individual Level - Project Performance Checks

The Process of Building a Non-Employee / Third-Party Ecosystem that enables the business while reducing risk

Building a trusted third-party / non-employee ecosystem can be thought of as building a workflow process. However, it should be noted that non-employee / third-party ecosystem management is an ongoing process akin to a lifecycle. It starts with due diligence at the organizational AND individual levels, but also includes regular relationship-building exercises:

Pre-engagement and due diligence

Automated due diligence is conducted at the organizational and individual levels. This process often requires cross-organizational collaboration. The due diligence process often involves a series of documents, spreadsheets, and emails that go back and forth to capture the series of steps for individual and organizational onboarding. This process should be captured using a central repository, centralized workflow process, and audit trail that captures all steps in the individual non-employee / third party onboarding process.

Any red-flagged non-employees / third parties can be pushed through a remediation process. Fourth-party (e.g., sub-contracted via a third party) visibility is often opaque. However, enforcing a centralized process that can be securely delegated to trusted third parties can make fourth, fifth, N-parties visible.

Continuous monitoring

Once onboarded, automated risk management mandates that non-employees / third-parties are monitored to ensure adherence to policies, procedures, and regulations. Continuous monitoring includes ongoing risk assessment, reviews, and technology checks and evaluations.


Automated offboarding captures performance metrics and enables the appropriate business processes, such as knowledge transfer, documentation, disabling of access, etc. Post-engagement activities are another aspect of non-employee / third-party lifecycle management that ensures ongoing security and risk mitigation, as well as audit readiness.


Anomalix is the first and only trusted identity management solution provider in the world. Anomalix is a global leader in Identity Management that works with business and governments to solve challenges focused on non-employee / third-party Identity Lifecycle Management. More specifically, Anomalix’s patent-pending, purpose-built trusted identity management system automates both lifecycle and risk management for non-employee / third-party individuals and services.


If you’d like to learn more about how Anomalix’s world-class solutions can help your business, contact us for a demo.


Mohammed Elkhatib

Founder and CEO

Mohammed is an Identity Management and Access Governance thought leader with over 16 years of Information Security experience and over 20 years of IT and Business experience. Mohammed has worked with over 500 Identity Management and Access Governance clients. Mohammed’s significant and numerous contributions at the most successful Identity and Access related startups have led to three successful exits in excess of $825MM.
