Enhanced due diligence as a key countermeasure against third party insider risk


Signpost Six guest blog by Patrick van der Heiden

Highlights

  • Outsourcing has become an economic imperative but with increased dependence comes elevated vulnerability, leaving organizations exposed to a variety of third-party insider risks.
  • Business leaders actually lack confidence in their third-party risk management programmes, often approaching third-party risks in a siloed and partial manner without taking insider risk into account. 
  • Applying enhanced due diligence to those third parties that will gain access to your organization’s crown jewels is a key mitigation measure.

Quite often, companies are publicly embarrassed and face legal scrutiny and reputational damage when one of their third parties engages in unethical or criminal behaviour. In April this year, five subsidiaries of Dutch conglomerate SHV settled for 41.6 million euros to avoid further prosecution by the Dutch justice department. This case involved widespread corruption, bribery, fraud and violations of international sanctions, partly through third parties, at several of SHV’s subsidiaries. Now consider this for a moment: what if a third party has privileged access to a company’s crown jewels, the very assets that typically make up an organization’s foremost sources of competitive advantage and profit? And what if there is reasonable doubt about that third party and its motives?

The KPN-Huawei case is an interesting example. From what is now publicly known about the recent controversy surrounding Dutch telecommunications and IT provider KPN and its Chinese third-party business partner Huawei, the latter had unobstructed and unauthorized access to the critical infrastructure and data of KPN’s mobile network. Given Huawei’s ties to the Chinese state and alleged involvement in espionage, this raised clear concerns, including among the public. According to a 2010 confidential Capgemini report commissioned by KPN, Huawei’s privileged access rights enabled the Chinese tech giant to eavesdrop on any call made over the KPN network. This included calls made by Dutch ministers, the prime minister and Chinese dissidents living in the Netherlands. In-house Huawei employees at KPN’s premises and Huawei staff in China also had access to Dutch cell phone numbers that were monitored by Dutch law enforcement and intelligence agencies. So did Huawei actually abuse its privileged access rights? That remains unclear, as KPN apparently failed to effectively monitor Huawei and its activities. Capgemini concluded that the very survival of KPN Mobile was threatened if the public learned about the report’s findings.

Third-party accesses inside your organization

Why would a third party need far-reaching access rights to an organization’s inner sanctum? The answer requires some context about business process outsourcing. Outsourcing has become an economic imperative, driven by globalization’s economic and technological forces and by trends such as geopolitical rivalry and the COVID-19 pandemic. As a result, organizations outsource increasingly sensitive and critical processes to third-party service providers. It makes economic sense to do so: organizations typically improve business focus, gain advantages over competitors, augment technological capabilities, achieve cost efficiencies and devote resources to core business goals more effectively.

With increased dependence comes elevated vulnerability, leaving organizations exposed to a variety of third-party risks. Third-party insider risks such as widespread fraud or intellectual property infringement can impact an organization’s licence and ability to operate. More mature businesses and multinational corporations usually have dedicated third-party risk management (TPRM) programs in place to mitigate such risks in their supply chains. Yet, as recent surveys by KPMG, PwC, Gartner, Prevalent and others demonstrate, business leaders actually lack confidence in their TPRM programs, often approaching third-party risks in a siloed and partial manner without taking insider risk into account.

Third-party risks are typically characterized as external threats to organizations. It is clear that this is no longer an accurate portrayal. Those third parties with far-reaching privileged access rights are not just posing an outside threat: they have become a potential insider risk to your organization. Even without the physical presence of a human third-party insider, your organization could still be vulnerable. Technologies, software or equipment delivered or serviced by a third-party supplier may pose a risk to your organization’s critical infrastructure, data and resources. Dutch Customs, for example, operate scanners supplied by the Chinese third party Nuctech to scan cargo at Dutch airports, seaports and distribution centres. The Chinese vendor also supplies the services, systems and software to support the equipment. Nuctech, however, is predominantly state-owned, and its parent company, Tsinghua Tongfang, like Huawei, is blacklisted in the US. Several countries, such as the US, Canada and Lithuania, have now banned Nuctech’s scanners, as experts recognize that the scanners could be abused for espionage or sabotage purposes by the Chinese state.

Quick checklist for your organization

Third-party insider risk receives only scant attention in both research and practice, which leaves organizations very vulnerable. While this checklist is not a substitute for a comprehensive risk assessment, it does allow you to get a quick grasp of how vulnerable or resilient your organization is. The table below lists the risk-conducive organizational aspects, their context and some suggestions for exploratory questions.

Risk-conducive aspect: The extended organization
Context: Globalization & growing competitiveness stimulate broader supply chains & integration with external environments / 3rd parties, causing greater interdependence & increased exposure to 3rd parties.
Questions:
  • How do we relate to our supply chains?
  • How deep is the level of integration with our external environment?
  • To what extent are we dependent on our 3rd parties?

Risk-conducive aspect: Blurred organizational boundaries
Context: Techno-economic interdependence between organizations & their 3rd parties blurs physical & digital organizational boundaries.
Questions:
  • How easy or hard is it to distinguish our 3rd parties from our organization?
  • Which critical business functions did we outsource?
  • To what extent are our 3rd parties physically and/or digitally integrated?

Risk-conducive aspect: Business relationship complexity
Context: Business relationships with 3rd parties are increasingly complex. Relational complexity with strong human or digital dimensions, e.g., 3rd-party HR, IT & cloud providers, calls for stronger attention.
Questions:
  • Are our relationships with 3rd parties easy & straightforward or more complex in nature?
  • Are we currently able to effectively manage business relationship complexity?
  • If need be, how hard is it to disentangle ourselves from a given 3rd party?

Risk-conducive aspect: Interorganizational trust
Context: Trust equals readiness to accept the risks associated with the inherent vulnerability of relying on the benevolence of 3rd parties. Trust is non-static, fluid & prone to relational misalignment & stress.
Questions:
  • On which objective & verifiable evidence is trust in our 3rd parties justified?
  • Do we experience relational misalignment & stress with our 3rd parties?
  • Do we currently have concerns about some of our 3rd parties? If so, then why?

Risk-conducive aspect: The proliferation of privileged access rights
Context: Digital & physical privileged access rights are key to protecting critical resources but are often unnecessarily strong, prone to misuse & tend to proliferate to other users & systems. Divergent business-driven & security-driven perceptions of the breadth and scope of 3rd-party access rights are a continuous source of friction.
Questions:
  • What mechanisms do we have in place to determine appropriate access rights?
  • Do we continuously monitor the use of 3rd-party privileged access rights? And how?
  • Which 3rd parties have the highest level of access? And to which critical resources?
  • Do we experience divergent views/friction in our organization about access rights for 3rd parties? If so, how do we reconcile that?

Risk-conducive aspect: Low organizational risk awareness of third-party insider risk
Context: Business-driven outsourcing rationales, ineffective risk communication between business and security professionals, inappropriate risk rationalization, not-in-my-organization bias, absence of a sufficient & widely supported security culture, lack of insider risk management, suboptimal TPRM programs.
Questions:
  • Are our business units and risk/security functions aligned on enterprise-wide risk?
  • Do we communicate risk effectively throughout the organization?
  • Do we have a sufficiently ingrained security culture?
  • Do we have risk biases? And why?
  • Do we have insider risk management in place? If not, then why? Does it include third-party insider risk management?
  • To what extent are we aware of the risks our 3rd parties may pose to our organization?

Enhanced due diligence as a key countermeasure

Do you feel confident that your organizational vulnerability and resilience are at acceptable levels? If not, why not, and what can be done about it in practical terms? Due diligence is an essential investigative approach that became synonymous with mergers & acquisitions and the financial world. It is a structured process of investigating, auditing or reviewing the facts of a matter under consideration. It draws on various types of data and information sources and applies increasing levels of scrutiny. Applying enhanced due diligence (EDD) to your third parties enables you to identify and anticipate the probability of future insider risks manifesting in your third-party ecosystem. The objective of enhanced due diligence is to gather vital information that sheds light on potential and actual red flags for your organization. Because due diligence enables the timely detection of hidden risks, it is one of the essential countermeasures against potential insider risks.

EDD is the highest level of screening for high-risk third parties, undertaken in order to acquire an in-depth assessment of the risks they pose. It allows you to dig deeper into the inner workings of a third party and its relevant associated entities, management, staff and circumstances. EDD is designed for information-gathering beyond the public record, particularly when risks are considered substantial and critical information cannot be obtained from a less rigorous look at a third party. As outsourcing is here to stay and will likely increase in scope and complexity, EDD serves as an indispensable, forward-looking instrument that enables informed decision-making based on high-value information. Douglas Hubbard points out that most organizations use low-value information, which impairs their decision-making effectiveness. Building a response mechanism that enables timely and proportionate action after EDD is also key, as Kroll, a global risk advisory firm, emphasizes in its Global Fraud and Risk Report 2019/20.

Ultimately, EDD is about making a good business decision. It is about identifying the probability of a risk occurring in the future. Should your organization be more or less concerned about a particular third party in the future? The ability to answer that question through EDD is a source of competitive advantage over those organizations that are less able to make sound business decisions about their future trusted business partners. As such, EDD contributes to an organization’s overall competitive advantage. It is important to note that organizational resilience against third party insider risk cannot be accomplished exclusively through EDD. Recurrent EDD has to be an integral part of holistic and integrated insider risk programmes that provide internal mechanisms once a third-party outsider has actually become an insider. 

Of course, it is impracticable to apply EDD to all your third parties. Apply it to those that currently have or will receive privileged access rights to your organization’s critical resources. In practical terms, the following steps are highly recommended:

  • Use the checklist to identify and mitigate risk-conducive aspects of your organization.
  • Select current and future third parties of concern with access to your critical resources and crown jewels.
  • Leverage EDD to assess selected high-risk third parties, identify the presence or probability of third-party insider risk and make good business decisions based on high-value information.

Finally, as Shane Sims, a former special agent at the US Federal Bureau of Investigation, points out: organizations must treat their critical resources and data as government agencies treat classified information. Therefore, third parties and their relevant employees must be subjected to EDD prior to receiving privileged access rights to an organization’s inner sanctum and its periphery, period.

About the author:

Patrick van der Heiden is a senior business strategy and international relations professional. He has derived his extensive global experience from various governmental policy advisor roles and research positions and as an entrepreneur in a wide variety of international crises and fast-paced business environments. Patrick is also a certified insider risk programme manager. His MBA research focused on how EDD could serve as a proactive risk-based investigative method and assist organizations in identifying and anticipating hybrid third-party insider risk before critical organisational resources are compromised. Patrick holds an MBA from Warwick Business School. His research is available upon request. 
