- Outsourcing has become an economic imperative but with increased dependence comes elevated vulnerability, leaving organizations exposed to a variety of third-party insider risks.
- Business leaders often lack confidence in their third-party risk management programmes, which tend to approach third-party risk in a siloed and partial manner without taking insider risk into account.
- Applying enhanced due diligence to those third parties that will gain access to your organization’s crown jewels is a key mitigation measure.
Companies are regularly embarrassed in public and face legal scrutiny and reputational damage when one of their third parties engages in unethical or criminal behavior. In April this year, five subsidiaries of the Dutch conglomerate SHV settled for 41.6 million euro to avoid further prosecution by the Dutch public prosecution service. The case involved widespread corruption, bribery, fraud and violations of international sanctions at several of SHV’s subsidiaries, partly carried out through third parties. Now consider this for a moment: what if a third party has privileged access to a company’s crown jewels, the very assets that typically make up an organization’s foremost sources of competitive advantage and profit? And what if there is reasonable doubt about that third party and its motives?
The KPN-Huawei case is an instructive example. From what is now publicly known about the recent controversy surrounding the Dutch telecommunications and IT provider KPN and its Chinese business partner Huawei, the latter had unrestricted and unauthorized access to the core infrastructure and data of KPN’s mobile network. Given Huawei’s ties to the Chinese state and its alleged involvement in espionage, this raised obvious concerns, including among the public. According to a confidential 2010 Capgemini report commissioned by KPN, Huawei’s privileged access rights enabled the Chinese tech giant to eavesdrop on any call made over the KPN network, including calls made by Dutch ministers, the prime minister and Chinese dissidents living in the Netherlands. In-house Huawei employees at KPN’s premises and Huawei staff in China also had access to the Dutch cell phone numbers that were being monitored by Dutch law enforcement and intelligence agencies. So did Huawei actually abuse its privileged access rights? That remains unclear, because KPN apparently failed to monitor Huawei and its activities effectively. Capgemini concluded that the very survival of KPN Mobile would be threatened if the public learned of the report’s findings.
Third-party access inside your organization
Why would a third party need far-reaching access rights to an organization’s inner sanctum? The answer requires some context about business process outsourcing. Outsourcing has become an economic imperative, driven by globalization’s economic and technological forces and by trends such as geopolitical rivalry and the COVID-19 pandemic. As a result, organizations outsource increasingly sensitive and critical processes to third-party service providers. It makes economic sense to do so: organizations typically improve business focus, gain competitive advantage, augment their technological capabilities, achieve cost efficiencies and devote resources to core business goals more effectively.
With increased dependence comes elevated vulnerability, leaving organizations exposed to a variety of third-party risks. Third-party insider risks such as widespread fraud or intellectual-property infringement can impact an organization’s licence and ability to operate. More mature businesses and multinational corporations usually have dedicated third-party risk management (TPRM) programs in place to mitigate such risks in their supply chains. Yet, as recent surveys by KPMG, PwC, Gartner, Prevalent and others demonstrate, business leaders often lack confidence in their TPRM programs, which tend to approach third-party risk in a siloed and partial manner without taking insider risk into account.
Third-party risks are typically characterized as external threats to organizations. That is no longer an accurate portrayal. Third parties with far-reaching privileged access rights do not just pose an outside threat; they have become a potential insider risk to your organization. Even without the physical presence of a human third-party insider, your organization can still be vulnerable: technologies, software or equipment delivered or serviced by a third-party supplier may pose a risk to your organization’s critical infrastructure, data and resources. Dutch Customs, for example, operates scanners supplied by the Chinese vendor Nuctech to scan cargo at Dutch airports, seaports and distribution centers, and the same vendor supplies the services, systems and software that support the equipment. Nuctech, however, is predominantly state-owned, and its parent company Tsinghua Tongfang, like Huawei, is blacklisted in the US. Several countries, including the US, Canada and Lithuania, have now banned Nuctech’s scanners over the concern that they could be abused by the Chinese state for espionage or sabotage.
Quick checklist for your organization
Third-party insider risk receives only scant attention in both research and practice, which leaves organizations very vulnerable. While this checklist is not a substitute for a comprehensive risk assessment, it does allow you to get a quick grasp of how vulnerable or resilient your organization is. The table below lists the risk-conducive organizational aspects and their context, as a starting point for your own exploratory questions.
| Risk-conducive aspect | Context |
|---|---|
| The Extended Organization | Globalization & growing competitiveness stimulate broader supply chains & integration with external environments / 3rd parties, causing greater interdependence & increased exposure to 3rd parties. |
| Blurred Organizational Boundaries | Techno-economic interdependence between organizations & their 3rd parties blurs physical & digital organizational boundaries. |
| Business Relationship Complexity | Business relationships with 3rd parties are increasingly complex. Relational complexity with strong human or digital dimensions, e.g., 3rd-party HR, IT & cloud providers, calls for stronger attention. |
| Interorganizational Trust | Trust equals readiness to accept the risks associated with the inherent vulnerability of relying on the benevolence of 3rd parties. Trust is non-static, fluid & prone to relational misalignment & stress. |
| Proliferation of Privileged Access Rights | Digital & physical privileged access rights are key to protecting critical resources but are often unnecessarily strong, prone to misuse & tend to proliferate to other users & systems. Divergent business-driven & security-driven perceptions of the breadth & scope of 3rd-party access rights are a continuous source of friction. |
| Low Organizational Risk Awareness of Third-Party Insider Risk | Business-driven outsourcing rationales, ineffective risk communication between business and security professionals, inappropriate risk rationalization, not-in-my-organization bias, absence of a sufficient & widely supported security culture, lack of insider risk management, suboptimal TPRM programs. |
Enhanced due diligence as a key countermeasure
Do you feel confident that your organizational vulnerability and resilience are at acceptable levels? If not, why not, and what can you do about it in practical terms? Due diligence is an essential investigative approach that has become synonymous with mergers & acquisitions and the financial world. It is a structured process of investigating, auditing or reviewing the facts of a matter under consideration. It draws on various types of data and information sources and can be applied at increasing levels of scrutiny. Applying enhanced due diligence (EDD) to your third parties enables you to estimate, and anticipate, the probability of insider risk manifesting in your third-party ecosystem. The objective of EDD is to gather the vital information that brings potential and actual red flags for your organization to light. Because due diligence enables the timely detection of hidden risks, it is one of the essential countermeasures against potential insider risk.
EDD is the highest level of screening for high-risk third parties, aimed at an in-depth assessment of the risks they pose. It allows you to dig deeper into the inner workings of a third party and its relevant associated entities, management, staff and circumstances. EDD is designed for information-gathering beyond the public record, particularly when the risks are considered substantial and the critical information cannot be obtained from a less rigorous review of the third party. As outsourcing is here to stay and is likely to grow in scope and complexity, EDD serves as an indispensable, forward-looking instrument that enables informed decision-making based on high-value information. Douglas Hubbard points out that most organizations rely on low-value information, which impairs the effectiveness of their decision-making. Building a response mechanism that enables timely and proportionate action after EDD is also key, as the global risk advisory firm Kroll emphasizes in its Global Fraud and Risk Report 2019/20.
Ultimately, EDD is about making a good business decision. It is about identifying the probability of a risk materializing in the future: should your organization be more or less concerned about a particular third party going forward? The ability to answer that question through EDD is a source of competitive advantage over organizations that are less able to make sound business decisions about their future trusted business partners. As such, EDD contributes to an organization’s overall competitive advantage. It is important to note that organizational resilience against third-party insider risk cannot be achieved through EDD alone. Recurrent EDD has to be an integral part of a holistic, integrated insider risk programme that also provides internal mechanisms for the moment a third-party outsider has actually become an insider.
Of course, it is impracticable to apply EDD to all your third parties. Apply it to those that currently hold, or will receive, privileged access rights to your organization’s critical resources. In practical terms, the following steps are highly recommended:
- Use the checklist to identify and mitigate the risk-conducive aspects of your organization
- Select the current and future third parties of concern that have access to your critical resources and crown jewels
- Leverage EDD to assess the selected high-risk third parties, identify the presence or probability of third-party insider risk, and make good business decisions based on high-value information
Finally, as Shane Sims, a former special agent at the US Federal Bureau of Investigation, points out, organizations must treat their critical resources and data the way government agencies treat classified information. Therefore, third parties and their relevant employees must be subjected to EDD before they receive privileged access rights to an organization’s inner sanctum and its periphery, period.