Organizations are constantly on the lookout for new ways to stay one step ahead of the competition by increasing their speed of innovation and improving overall customer satisfaction. Often that means they will enlist third parties to both augment their services and capabilities in an effort to gain a competitive advantage and improve profitability as well as gain skill sets. When third parties are used wisely and strategically by an organization, their work can lead to decreased costs and a reputational boost.
Vetting vendors and provisioning access
The process of finding the right partners and vendors is complex, as it requires ensuring a culture, skill, and security fit. After conducting an exhaustive search and selecting the “right” company, many organizations think the hard work of vetting is done. In actuality, it has just begun. Organizations may partner with each other, but it is the individual employees who work for vendors and partners who will become “non-employees” and need access to the data, facilities, and systems alongside the organization’s full-time employees. Given the level of competition, organizations are eager to accelerate time to value for these non-employees and feel pressured to quickly onboard them in an effort to meet business needs. Unfortunately, that pressure can lead to IT teams, who often lack sufficient data to make well-informed decisions, providing more access than needed to fulfill the responsibilities of each individual non-employee role. In these instances, access may be duplicated from another user from the partner or vendor company without regard for the unique needs of each role. It is critical when providing access to these third parties for organizations to first understand to whom they are providing access, the least level of access needed to fulfill the needs of the role, and how that individual non-employee and the access they have been granted relates to the organization’s risk appetite. Ultimately, the external people who are given insider and sometimes privileged access to sensitive company information, whether it be trade secrets or employee data, are of greater risk for the organizations than its own full-time employees. Organizations need to decide if they are comfortable with the tradeoff of an additional security risk for the service the third-party can provide.
It’s important to emphasize that third parties often need and are given access to highly- sensitive, confidential information, ranging from customer and financial data to product information, depending on the task they were hired to complete. In many instances, they are entrusted with access levels that supersede those of most of the organization’s own employees. This privileged access needs to be treated as such, because it comes with significant risks. According to a Ponemon Institute study, more than half of all data breaches can be traced to third parties. This can have a long-term impact on an organization, including its brand reputation, financial viability, and ability to effectively compete in the market. In one example, reported by HealthITSecurity, the sensitive information of 2.65 million patients was accessed by a hacker through a third-party vendor. Such a breach will minimally cause financial distress and potentially even cause a negative impact to patient care.
However, even organizations that take into consideration the individual risk posed by vendor employees rarely conduct regular access reviews. By ending the security and access management conversation at the beginning of the relationship, the organization opens itself up to increased and unmeasured risk. To more effectively manage third-party risk, organizations need to regularly assess that each third-party user has the least level of access that is absolutely required to do his/her job over the entire lifecycle of the third-party identity. Organizations must also conduct regular audits to revalidate access. While it may be expedient to duplicate the level of access or assume the level of access needed is the same as it once was, it is imperative that access is determined based on individual necessity in a given moment. Although your organization may believe a particular vendor organization is generally low-risk, that benefit should not be extended to every individual at the vendor organization, as risk can vary greatly from individual to individual and role to role.
The hidden costs associated with third-parties
Beyond the additional risk presented by third-parties, there are also significant hidden expenses. Contractors, vendors, and non-employees are not the same as employees and can’t be treated as such when it comes to identity risk and lifecycle management. One of the most commonly overlooked and costly areas for third parties is the highly-manual, error-prone, and costly efforts often needed for onboarding, auditing, and offboarding third-parties. These costs beyond billable hours, such as employee time and recordkeeping, are important to consider. To get a better understanding of the total cost of using third-parties, each organization needs to quantify the time their internal teams spend on these processes. When the process is left unchecked and managed incorrectly, this effort can become costly, time-consuming, and high-risk.
Some organizations try to offset these manual processes by using HR systems for third-party identity data. However, these systems are not designed to capture the nonlinear lifecycles of third-party users and can expose the organization to potential misclassification employee lawsuits. In the past year, major companies like Lyft and Google have grappled with backlash from their classification of some third-party contractors. As such, ensuring that third-parties are treated and categorized as contractors at all facets of operation is more vital than ever. Operationally, organizations need a system purpose-built to be able to collaboratively collect and maintain non-employee data from both internal and external sources, including the third-party user themselves. To be effective, these systems must support continuous and collaborative data collection between those internal and external sources over the lifecycle of the employee. Simply put, the traditional approaches to mismanaging third-party identities with non-purpose-built solutions, like IAM products or HR systems, is not only inadequate, but very expensive, and high risk. Unfortunately, using these systems to manage third-party identities actually further complicates the problem. Through a centralized and authoritative system, organizations can quickly and securely manage onboarding and offboarding and facilitate compliance-related audits, all while saving the organization time and preventing unnecessary risk.
The economic impact of Covid-19 will be felt for the foreseeable future. As seen in other economic downturns, organizations will be more likely to look to third parties to cost-effectively augment their workforce and provide the best-in-class skills needed to help them scale and grow more quickly than its competitors. Without outsourcing such options for low-cost but valuable expertise, companies face rising employee costs, or risk missing out on important knowledge for future growth. The benefits of such third-parties at this time are undeniably integral to many organizations’ growth, but if addressed incorrectly, can cause more harm than good. To be successful, organizations must be aware of the hidden costs and time investment needed for managing third-party identity risk, and plan accordingly.
Dave Pignolet, co-founder and CEO, SecZetta