Managing Third Party Risk Part 2: People-Centric Considerations

August 20, 2020

People and data are intrinsically linked, and because of cyber-risk factors such as social engineering and insider threats, people pose a key risk to an enterprise both collectively and as individuals.

A Ponemon/Opus study found that an astonishing 59% of companies suffered a data breach that originated with a third party, yet only 16% admit to using effective risk mitigation strategies in the first place. The study also found that, on average, each company shares confidential and sensitive information with a staggering 583 third parties. Furthermore, only around one-third of organizations keep a comprehensive inventory of third-party information. Unfortunately, fewer than one-third of organizations have individual-level visibility of non-employees and third-party individuals. These identities and their associated PII, project data and other sensitive information are often scattered throughout the organization.

Defining roles and functions within the third-party ecosystem is a basic requirement for mitigating risk.

Managing The Risk Of People-Centric Ecosystems

Classifying third parties and non-employees helps assign appropriate vendor risk management policies, extending down to the individual identities within each third party engaged for services. The Ponemon Institute study concluded that having a centralized control system and an inventory of third parties is crucial in data risk management. The study noted that 69% of respondents said a “lack of centralized control was the key reason for not having a comprehensive inventory of third parties.”

Third-party management starts with a round-up of all parties in the ecosystem, the role they play, and their touch points within that system, including all technology interactions. A people-centric approach to third-party ecosystem risk management follows these principles:

Inventory Of The Stakeholders In The Ecosystem

Classify your non-employees / third parties and create an inventory. This is the core of your third-party management system and will form the basis for managing risk. Your inventory should classify each third-party individual, in addition to the risk assessment exercises done during organizational due diligence.

Project Performance And Feedback Information

Each non-employee / third-party individual needs to be evaluated efficiently to determine whether they are suitable for re-engagement.

Mapping Of Inventory To Data And IT Resource Access And Use

The inventory can then be used to map IT resources and data to the identities that use them. Which person or identity needs to know what, and when do they need to know it?

‘Need To Know’ Access And Zero Trust Security

Once you have established access and resource requirements, you can plan out an access control policy on a need-to-know basis. Identity and Access Management (IAM) is a core way to manage risk. The discipline of Zero Trust security, which is based on the principle of “never trust, always verify”, can be a useful way to manage risk. By ensuring that user privileges are correctly applied, that users are verified during access, and that robust authentication is used, risk can be effectively mitigated.

Audit and Monitor

Non-employee / third-party risk management requires ongoing monitoring and audit capabilities. With an average of over 500 vendors accessing sensitive data within a company at any given time, having a record of third-party user activity and a model for monitoring is critical.

Risk Assessment Exercises Based On Ecosystem

Managing risk is an ongoing exercise. Your non-employee / third-party ecosystem will evolve at the macro and micro level. Each party’s risk can be assessed using validation questionnaires covering a variety of ecosystem requirements, including cybersecurity posture and compliance.
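The principles above (inventory, mapping identities to resources, need-to-know access with per-request verification, and an audit trail) can be made concrete in a small access-decision model. The following is an added example written for this post; it is not Anomalix code and does not describe their product. The identity schema, the role-to-resource policy table, the sample identities and the access attempts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class ThirdPartyIdentity:
    """One non-employee in the inventory (constructed schema for this example)."""
    user_id: str
    sponsor_org: str        # vendor or partner organisation this person belongs to
    role: str               # classification that selects the need-to-know policy
    engagement_end: date    # access must not outlive the engagement
    risk_tier: str          # "low" | "high", from organisational due diligence


# Need-to-know policy: role -> resources that role legitimately needs.
# Constructed sample table, not a recommended baseline.
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "payroll-contractor": {"hr-db", "payroll-app"},
    "build-engineer": {"ci-server", "artifact-repo"},
    "external-auditor": {"finance-reports"},
}

# Resources that always require a verified MFA factor on each request.
ELEVATED_RESOURCES: Set[str] = {"hr-db", "payroll-app", "finance-reports"}

# Append-only audit trail of every decision, allowed or denied.
AUDIT_LOG: List[dict] = []


def authorize(identity: ThirdPartyIdentity, resource: str,
              mfa_verified: bool, today: date) -> bool:
    """Zero-trust style check: every request is re-verified from scratch.

    Returns True only when all checks pass; every decision is written to
    AUDIT_LOG with the reasons for a denial so it can be monitored later.
    """
    reasons: List[str] = []
    if today > identity.engagement_end:
        reasons.append("engagement-expired")
    if resource not in ROLE_RESOURCES.get(identity.role, set()):
        reasons.append("not-need-to-know")
    needs_mfa = resource in ELEVATED_RESOURCES or identity.risk_tier == "high"
    if needs_mfa and not mfa_verified:
        reasons.append("mfa-required")

    allowed = not reasons
    AUDIT_LOG.append({
        "date": today.isoformat(),
        "user_id": identity.user_id,
        "sponsor_org": identity.sponsor_org,
        "resource": resource,
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    })
    return allowed


def inventory_gaps(inventory: List[ThirdPartyIdentity],
                   observed_user_ids: List[str], today: date) -> Dict[str, List[str]]:
    """Audit helper: identities seen in access records but absent from the
    inventory, and inventoried identities whose engagement has lapsed."""
    known = {i.user_id for i in inventory}
    return {
        "unknown": sorted(set(observed_user_ids) - known),
        "lapsed": sorted(i.user_id for i in inventory if today > i.engagement_end),
    }


def denied_by_reason(log: List[dict]) -> Dict[str, int]:
    """Monitoring roll-up: how often each denial reason fired."""
    counts: Dict[str, int] = {}
    for entry in log:
        for reason in entry["reasons"]:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample inventory and access attempts.
    today = date(2020, 8, 20)
    inventory = [
        ThirdPartyIdentity("alice@vendor-a.example", "Vendor A",
                           "payroll-contractor", date(2020, 12, 31), "high"),
        ThirdPartyIdentity("bob@vendor-b.example", "Vendor B",
                           "build-engineer", date(2020, 6, 30), "low"),
    ]
    alice, bob = inventory
    print(authorize(alice, "payroll-app", mfa_verified=True, today=today))
    print(authorize(alice, "ci-server", mfa_verified=True, today=today))
    print(authorize(bob, "ci-server", mfa_verified=False, today=today))
    print(inventory_gaps(inventory, ["bob@vendor-b.example", "ghost@unknown.example"], today))
    print(denied_by_reason(AUDIT_LOG))
```

Two design points carry the post's argument: `authorize` never caches a prior grant, so a lapsed engagement or a missing MFA factor is caught on the very next request, and `inventory_gaps` is the check that turns "an average of over 500 vendors" into a concrete list of identities that need to be brought under the inventory or offboarded.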

Conclusion

Looking to do all of the above and more to manage non-employees / third parties at your organization? Anomalix is the first and only trusted identity management solution provider in the world.

Anomalix’s patent-pending, purpose-built trusted identity management system automates both lifecycle and risk management for non-employee / third-party individuals and services.

If you’d like to learn more about how Anomalix’s world-class solutions can help your business, contact us for a demo.

Mickey Disabato

Chief Information Officer at Anomalix

Prior to joining Anomalix, Mickey worked in the publishing sector for 20 years as a desktop publishing expert, Project Manager, Compliance Director and Vice President of IT Security & Compliance. Mickey led Tribune Publishing’s compliance efforts through acquisitions, divestitures and bankruptcy, as well as taking the company private and eventually public again. Mickey led Tribune Publishing to become PCI compliant for the first time in 2015 and has reduced SOX IT control deviations to under 10 for multiple years running. Mickey has also managed all cyber security related events. Mickey has a bachelor’s degree from DePaul University.
