To keep pace with digital transformation, many organizations are increasingly reliant on third parties (vendors, contractors, IoT devices, bots) to support critical business functions. In so doing, organizations may be unknowingly (or at least unwillingly) expanding their attack surface. Recent research from SecZetta and ESG found that 55% of respondents fail to deactivate third-party workers who no longer qualify to perform duties. Access to data and systems for this high-risk population often extends beyond project assignments or contract employment with an organization. These third-party identities can quickly transform from an enabler of operational efficiency into a security strategy Achilles heel if an organization lacks an adequate third-party identity and risk management strategy that prevents them from continued access to sensitive data and systems once that access is no longer warranted.
Implementing a good risk management strategy for third-party identities enables operational agility. To effectively support operational agility, an organization must first align risk, security, and technology to understand its risk appetite. Risk appetite, or the macro amount of risk an organization is willing to accept in pursuit of its objectives, provides security and IT leaders with a standard to base recommendations and risk tolerance adjustments on as they monitor overall risk exposure. A stronger risk tolerance allows for more risk resilience and can help organizations better prepare for high-risk situations, such as a disruptive market or other external vulnerabilities.
Here are five best practices organizations can adopt to support their operational agility by managing third-party identity risk.
1. Create an authoritative source for all third-party identity data
According to a 2018 Ponemon Institute study, a majority of organizations don’t know the exact number of third-party users they employ, and only one third of organizations keep a list of all third-parties with which they share sensitive information. While organizations tend to analyze vendor, partner, and contractor risk at a corporate level, to be effective, access management must be handled at the identity level. This allows organizations to analyze third-parties on a case-by-case basis, with the individual identity’s risk stored and recorded in a single, authoritative source. Using a specialized system designed to lower risk and manage an organization’s many relationships with third-parties enables a more secure and agile operations strategy and mitigates the change of access breaches.
2. Develop collaborative and automated processes
Key to improving the management and use of non-employees is collaboration and automation. A single department, such as HR, should not be solely responsible for managing department non-employees nor should the departmental system be the sole source of record for non-employee data. Instead, taking a holistic view of the non-employee, including the systems they access, the times they work, and most importantly, when their tenure begins or ends, provides the entire organization with valuable insights into how to best work with and assign access to individuals.
Automating these steps allows for seamless onboarding, risk rating and offboarding processes. It enables a quick, timely, and accurate process to add new third-party users or remove those that no longer require access to information. Automating these tasks also reduces the risk of human error compromising of critical company information, and in turn strengthening operational agility.
3. Regularly assess third-party access needs
Once an organization has identified non-employees with insider access and assigned an individual risk level based on their personal risk factors, third-party access should be adjusted accordingly. Freelancers, contractors, and other non-employees should be limited to only the internal information they absolutely need for their role. If they previously had overprovisioned access, it needs to be revoked immediately. If they need privileged access for a finite period, the access should be monitored and properly deactivated as soon as that time period elapses.
Reassessments should be done routinely through automated systems that require third-parties to prove their need for access through security checkpoints such as weekly email verifications. This ensures that third-party access is kept on a tight, need-to-know basis throughout their time working, enabling organizations to remain secure and reduce risk threat to strengthen overall operations.
4. Update risk ratings to reflect changes in an organization’s risk exposure
Risk-rating third-party identity at the individual level gives organizations a holistic understanding of risk exposure and directly influences overall risk tolerance. Individual risk ratings mean non-employees are provided the least amount of access necessary, are regularly monitored to guarantee access remains in-line with current responsibilities, and access is terminated in a timely manner when it is no longer required. These measures are especially critical in monitoring the inconsistent lifecycles of third-party workers, whether it be for one contracted time or over years of hiring and rehiring. These exercises are becoming increasingly essential to an organization’s comprehensive risk management strategy as risk-rating correlates to the changes in an organization’s risk tolerance, which ensures stronger operational agility.
5. Get skilled resources where you need them
To remain as flexible as possible in times of change, organizations should take advantage of external resources that strengthen resilience and help them stay competitive. One way to do this is by augmenting internal skill sets with external resources and provisioning third-party users for remote work. As we saw with the economic downturn and pandemic, vendors, contractors, and even freelancers, offer a tangible value-add to a business’s changing needs. Even outside times of crisis, organizational priorities often shift and require resources to move with them. Centralizing access to key data like skill sets, locations, and certifications makes it possible for operations to quickly adjust resources to where they are of most value.
The ability to quickly pivot business strategies and operations requires organizations be able to effectively manage the identity risk that comes along with the growing numbers of third parties and non-employees that have become an inextricable component of most workforces. In doing so, organizations will be able to facilitate aggressive business strategies while at the same time ensuring the security of their operations.