Managing Third Party Risk: People-Centric Considerations

August 20, 2020

People and data are intrinsically linked, and because of cyber-risk factors such as social engineering and insider threats, people pose a key risk to an enterprise both collectively and as individuals.

A Ponemon/Opus study found that an astonishing 59% of companies suffered a data breach that originated with a third party, yet only 16% admit to using effective risk mitigation strategies in the first place. The study also found that, on average, each company shares confidential and sensitive information with a staggering 583 third parties. Furthermore, only around one-third of organizations keep a comprehensive inventory of third-party information. Unfortunately, even fewer than one-third of organizations have individual-level visibility of non-employees and third-party individuals. Their identities and associated PII, project data and other sensitive information are often scattered throughout the organization.

Defining roles and functions within the third-party ecosystem is a basic requirement for mitigating these risks.

Managing The Risk Of People-Centric Ecosystems

Classification of third-parties and non-employees helps in the assignment of appropriate vendor risk management policies that extend to the individual identity within the third party that is engaged for services. The Ponemon Institute study concluded that having a centralized control system and an inventory of third-parties is crucial in data risk management. The study noted that 69% of respondents said a “lack of centralized control was the key reason for not having a comprehensive inventory of third parties.”

Third-party management starts with a round-up of all parties in the ecosystem, the role they play, and their touch points within that system, including all technology interactions. A people-centric approach to third-party ecosystem risk management can be built on the following principles:

Inventory Of The Stakeholders In The Ecosystem

Classify your non-employees / third-parties and create an inventory. This is the core of your third-party management system and will form the basis for managing risk. Your inventory should classify each third-party individual in addition to the risk assessment exercises done during organizational due diligence.

Project Performance And Feedback Information

Each non-employee third-party individual needs to be evaluated in an efficient manner to determine if the individual is suitable for reengagement.

Mapping Of Inventory To Data And IT Resource Access And Use

The inventory can then be used to map each identity to the data and IT resources it accesses. Which person or identity needs to know what, and when do they need to know it?

‘Need To Know’ Access And Zero Trust Security

Once you have established access and resource requirements, you can plan out an access control policy on a need-to-know basis. Identity and Access Management (IAM) is a core way to manage risk. The discipline of Zero Trust security, which is based on the principle of “never trust, always verify”, can be a useful way to manage risk. By ensuring that user privileges are correctly applied, that users are verified during access, and that robust authentication is used, risk can effectively be mitigated.

Audit and Monitor

Non-employee / third-party risk management requires ongoing monitoring and audit capabilities. With an average of over 500 vendors accessing sensitive data within a company at any given time, having a record of third-party user activity and a model for monitoring is critical.

Risk Assessment Exercises Based On Ecosystem

Managing risk is an ongoing exercise. Your non-employee / third-party ecosystem will evolve at both the macro and micro level. Each party’s risk can be assessed using validation questionnaires covering a variety of ecosystem requirements, including cybersecurity posture and compliance.
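The principles above (an inventory of individual third-party identities, a mapping from each identity to the resources it needs, time-bounded need-to-know access, and an audit trail of every decision) can be made concrete in a small model. The following is an added example written for this post; it is not Anomalix’s product or code, and every identity, vendor name, classification label and resource name in it is constructed for illustration.

```python
"""People-centric third-party inventory with need-to-know access checks.

Added illustration, not Anomalix's code. All identities, vendors,
classification labels and resource names are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class ThirdPartyIdentity:
    """One non-employee identity, classified and mapped to what it may access."""
    identity_id: str
    vendor: str               # the third-party organisation the person belongs to
    classification: str       # constructed labels: "contractor", "vendor-support", "auditor"
    engagement_start: date
    engagement_end: date
    need_to_know: Set[str] = field(default_factory=set)  # resources approved for this identity


# Constructed sample inventory: the per-individual record the principles call for.
INVENTORY: Dict[str, ThirdPartyIdentity] = {
    "ext-1001": ThirdPartyIdentity("ext-1001", "Acme Payroll Ltd", "vendor-support",
                                   date(2020, 1, 6), date(2020, 12, 31),
                                   {"hr-payroll-db"}),
    "ext-1002": ThirdPartyIdentity("ext-1002", "Acme Payroll Ltd", "contractor",
                                   date(2019, 9, 1), date(2020, 6, 30),
                                   {"hr-payroll-db", "jira"}),
    "ext-2001": ThirdPartyIdentity("ext-2001", "Beta Audit LLP", "auditor",
                                   date(2020, 8, 1), date(2020, 9, 15),
                                   {"finance-ledger-ro"}),
}

# Reference date used by the sample run (constructed; matches the post's date).
REVIEW_DATE = date(2020, 8, 20)


def access_decision(identity_id: str, resource: str, when: date,
                    audit_log: List[dict]) -> Tuple[bool, str]:
    """Need-to-know check: deny unless the identity is inventoried, its
    engagement is active on `when`, and `resource` is in its approved set.
    Every decision, allowed or denied, is appended to `audit_log`."""
    ident = INVENTORY.get(identity_id)
    if ident is None:
        allowed, reason = False, "not in inventory"            # unknown non-employee
    elif not (ident.engagement_start <= when <= ident.engagement_end):
        allowed, reason = False, "engagement not active"       # time-bounded access
    elif resource not in ident.need_to_know:
        allowed, reason = False, "resource not in need-to-know set"
    else:
        allowed, reason = True, "ok"
    audit_log.append({"when": when.isoformat(), "identity": identity_id,
                      "resource": resource, "allowed": allowed, "reason": reason})
    return allowed, reason


def expired_engagements(when: date) -> List[str]:
    """Identities whose engagement has ended: candidates for deprovisioning
    or for the reengagement evaluation described in the post."""
    return sorted(i.identity_id for i in INVENTORY.values() if i.engagement_end < when)


def who_can_access(resource: str, when: date) -> List[str]:
    """Inverse mapping used during audits: active identities holding a resource."""
    return sorted(i.identity_id for i in INVENTORY.values()
                  if resource in i.need_to_know
                  and i.engagement_start <= when <= i.engagement_end)


if __name__ == "__main__":
    log: List[dict] = []
    print(access_decision("ext-1001", "hr-payroll-db", REVIEW_DATE, log))  # allowed
    print(access_decision("ext-1002", "hr-payroll-db", REVIEW_DATE, log))  # engagement ended
    print(access_decision("ext-2001", "hr-payroll-db", REVIEW_DATE, log))  # not need-to-know
    print(access_decision("ext-9999", "jira", REVIEW_DATE, log))           # not inventoried
    print("expired:", expired_engagements(REVIEW_DATE))
    print("hr-payroll-db holders:", who_can_access("hr-payroll-db", REVIEW_DATE))
    for entry in log:
        print(entry)
```

The point of the model is that the access decision is driven entirely by the inventory record: an identity nobody has inventoried is denied by default, an engagement that has lapsed denies access without anyone remembering to revoke it, and the same record answers the audit question of who currently holds a given resource.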


Looking to do all of the above and more to manage non-employees / third-parties at your organization? Anomalix is the first and only trusted identity management solution provider in the world.

Anomalix’s patent-pending, purpose-built trusted identity management system automates both lifecycle and risk management for non-employee / third-party individuals and services.

If you’d like to learn more about how Anomalix’s world-class solutions can help your business, contact us for a demo.


Mohammed Elkhatib

Founder and CEO

Mohammed is an Identity Management and Access Governance thought leader with over 16 years of Information Security experience and over 20 years of IT and Business experience. Mohammed has worked with over 500 Identity Management and Access Governance clients. Mohammed’s significant and numerous contributions at the most successful Identity and Access related startups have led to three successful exits in excess of $825MM.
