Jul 31, 2024

Why Third-Party Insider Risk is an Overlooked Threat


Businesses have any number of people with access to their network at any given time. They have employees, yes, but they also have vendors, partners, contractors, and others, all with varying degrees of access to corporate assets and systems. Network interconnectivity, raw materials, finished goods, and the software within our products all provide the foundations of a company's progress. Each of these facets also presents a point of insider risk for a motivated adversary to target and compromise. We may not get to choose whether we are a target; the adversary decides that for us. What we can do is educate ourselves on how even those we see as being "on the outside" can, through their third-party access, act as insiders and put the business at risk.

Insiders aren’t always employees

Knowing what constitutes insider risk is half the battle when it comes to ensuring business security and resilience. Too often "insider risk" or "insider threat" is misunderstood as being limited to an organization's own workforce, its employees or contractors. But insiders can have a third-party nexus that reaches beyond the agency you contract with directly. Consider your contractor's subcontractors. If they perform tasks that are integral to your success, they too are insiders for the purposes of Insider Risk Management (IRM). Many vendors provide companies with devices, appliances, knowledge, and services, and while they may not always be front of mind when considering insider risk, their capacity to become a security threat should not be overlooked.

The third-party nexus: vendors, manufacturers, and suppliers

To understand this dynamic, consider the case in which the Chief Operating Officer (COO) of an IT security company pleaded guilty to launching online attacks against two hospitals, both of which were clients of the company. In this instance the COO of the service provider aided and abetted criminals in accessing personally identifiable information and protected health information held by the hospitals, and his actions put patients' lives at risk. He did not appear on the hospitals' org charts as a full-time employee or a part-time contractor, but the access his company was granted in order to provide cybersecurity services made him a trusted insider nonetheless. This is the type of third-party access that must be more deeply understood and managed by those charged with running IRM programs.

The example overlays easily onto a partner supplying raw materials or semi-finished goods to an entity's manufacturing floor. When the product in question bears on a nation's security, its integrity matters far more than that of a widget used to mow one's lawn. For example, the members of the Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) have documented that China has compromised the integrity of chips and computers manufactured there.

Understanding the daisy chain of information flow, as well as material flow, is of prime importance to any logistical endeavor.

Integrity of what’s inside 

When companies like Starbucks purchase their raw coffee beans, they trace the bean through its entire ecosystem: harvest, shipping, roasting, distribution, sales, marketing, and use, which they call "bean-to-cup". While the consumer using the Starbucks app can see their coffee's journey, one can infer that behind the scenes a good number of control mechanisms operate across that entire ecosystem.

What's inside your product may be easy to understand. Consumables, such as a bag of crisps, list their ingredients on the label, and security processes are in place to ensure the integrity of the product. All industries use quality control to check the work of employees, contractors, and others, to ensure their product or output is up to snuff. These same steps also serve to surface the risk presented by an individual's malevolent action, or even a simple user error. We saw this in the recent CrowdStrike outage, which emphasized the importance of testing; CrowdStrike has highlighted to all how the incident has caused it to change the way its product is tested and deployed.

Similarly, software finds its way into our operational technology and information technology worlds, and our ability to see what is inside, who put what into the code, and why, is necessary.

Take a recent DTEX investigation in which a junior developer used ChatGPT to generate source code for the company. Once the results came back, the developer intended to push the changes to production without any security review, debugging, or quality assurance testing. Thankfully, InTERCEPT's AI-inspection capabilities provided visibility: the push was flagged and stopped until the appropriate process and policies had been followed.

Protecting source code from being exfiltrated out of a company becomes secondary if the source code itself is compromised from the beginning.

This is where transparency, frameworks, and the Software Bill of Materials (SBOM) play a critical role. With so many entities within critical infrastructure dealing with the Achilles' heel of legacy systems, understanding the lay of the land is the first order of business. Once one knows what is present, updating the systems that have already reached end-of-life and lack ongoing support can begin.
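As an added illustration of the "know what is present" step (this is example code written for this article, not DTEX, CISA, or CycloneDX project code), the script below parses a minimal CycloneDX JSON SBOM and flags components that are past their end-of-support date, have no entry in the support table, or list no supplier at all. The SBOM, the product it describes, and the end-of-life table are constructed for the example; a real program would pull support dates from a maintained feed rather than a hard-coded dict.

```python
"""
Walk a CycloneDX-style SBOM and flag components that are end-of-life,
of unknown support status, or missing a supplier.  Added example for
this article; the SBOM and the support table below are constructed.
"""
import json
from datetime import date

# Constructed minimal CycloneDX 1.5 JSON document for a hypothetical product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "plant-hmi", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u",
         "purl": "pkg:generic/openssl@1.0.2u",
         "supplier": {"name": "Example Crypto Vendor"}},
        {"type": "operating-system", "name": "windows-7", "version": "6.1",
         "supplier": {"name": "Example OS Vendor"}},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "supplier": {"name": "Example Java Vendor"}},
        # Firmware with no supplier recorded: nobody knows who put it there.
        {"type": "firmware", "name": "plc-bootloader", "version": "3.0"},
    ],
})

# Constructed support table keyed by (component name, version prefix).
# None means the line is still supported.  In practice this comes from a feed.
EOL_TABLE = {
    ("openssl", "1.0.2"): date(2019, 12, 31),
    ("windows-7", "6.1"): date(2020, 1, 14),
    ("log4j-core", "2.17"): None,
}


def load_components(sbom_json):
    """Return name/version/supplier for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for comp in bom.get("components", []):
        supplier = (comp.get("supplier") or {}).get("name")
        out.append({"name": comp.get("name"),
                    "version": comp.get("version", ""),
                    "supplier": supplier})
    return out


def support_status(name, version, table, today):
    """'eol', 'supported', or 'unknown' (no table entry: needs a human look)."""
    for (tname, prefix), eol in table.items():
        if tname == name and version.startswith(prefix):
            if eol is None or eol >= today:
                return "supported"
            return "eol"
    return "unknown"


def flag_components(sbom_json, table=EOL_TABLE, today=date(2024, 7, 31)):
    """Annotate every component with its support status as of `today`."""
    findings = []
    for comp in load_components(sbom_json):
        status = support_status(comp["name"], comp["version"], table, today)
        findings.append({**comp, "status": status})
    return findings


def needs_attention(findings):
    """Components that are EOL, of unknown status, or have no recorded supplier,
    i.e. the places where third-party visibility is missing."""
    return sorted(f["name"] for f in findings
                  if f["status"] != "supported" or f["supplier"] is None)


if __name__ == "__main__":
    results = flag_components(SAMPLE_SBOM)
    for f in results:
        print(f"{f['name']:<16}{f['version']:<10}"
              f"{(f['supplier'] or '<no supplier>'):<24}{f['status']}")
    print("needs attention:", needs_attention(results))
```

The "unknown" status is deliberate: a component that is absent from the support table is not assumed safe, because an SBOM only tells you what is present, not whether anyone still stands behind it. The missing-supplier check is the same point applied to people rather than software.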

Who tackles that task will differ for every entity. If it is a third party, such as a contractor, then steps must be taken to ensure visibility into their vulnerabilities with the same granularity one has into one's own entity.

Insider risk management goes beyond the front door

Visibility is paramount. If one doesn’t know who is touching products or services or supporting the business, then one is blind to the potential risks these third parties present.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers a plethora of tools that entities, regardless of nationality, can use to gain a better understanding of their supply chain and the risk posed by third parties. Its suggestions include implementing an SBOM, yet care should be taken not to assume the SBOM is the whole answer.

Every insider risk practitioner must constantly assess their visibility into their areas of responsibility, internal or external, wherever the third parties reside. Enhancing visibility is never a static exercise, and the expectations for it are best set during the initial negotiations with the third party.

It is impossible to boil the ocean, so we bring third parties into our circle of trust to provide appropriate goods and services. We trust that their personnel will be as trustworthy as our own. And while a starting position of trust is noble, the ability to trust yet verify is necessary. One must look beyond the front door to ensure goods, services, and information don't go out the back door.

Quick FAQ

What is an example of a third-party risk?

Third-party insider risks occur when vendors, contractors, or partners misuse their trusted access within an organization. These third parties often have varying levels of access to sensitive systems and data, making them potential security vulnerabilities. Although they may not be direct employees, their roles and responsibilities can impact an organization’s security posture significantly. For instance, a vendor providing IT services or a supplier delivering essential materials can unintentionally or maliciously introduce risks if their actions are not properly monitored.

Organizations must recognize the importance of managing these relationships and implementing robust Insider Risk Management (IRM) strategies to mitigate potential threats. This includes maintaining oversight and ensuring transparency in the activities of third parties, as they can affect the overall security and integrity of the business.

What is an insider risk program?

An insider risk program (also known as an insider risk management program) is a structured approach designed to identify, mitigate, and manage risks posed by individuals within an organization, such as employees, contractors, or partners. These programs focus on understanding and monitoring human behavior to proactively prevent potential threats, such as data theft, sabotage, or unintentional data leaks.

Key components include establishing governance with clear roles and responsibilities, fostering cross-functional collaboration, and leveraging data-driven insights to assess behaviors and potential risks. An effective program also emphasizes protecting employee privacy while ensuring security measures are in place to safeguard organizational assets. DTEX Systems advocates for a human-centric approach, recognizing that understanding the human element is crucial to successfully managing insider risks.

For support in addressing the third-party insider risk or maturing your IRM program, contact DTEX.
