Insider threats are often overlooked in supply chain risk management, yet suppliers are a key source of trusted-insider risk. These risks need to be identified and incorporated into procurement decisions and sourcing contracts, including contractual obligations on suppliers to conform to your requirements. This may well incur additional cost, so buyers should work collaboratively with their suppliers to agree an approach that is workable for all parties. In some cases that means the buyer changes its own processes to mitigate a risk rather than transferring the management of that risk to a supplier.
Workforce screening is a foundational element that should be included in any supplier agreement, but its application needs to be targeted at the buyer's material risks. This article explores that challenge, suggests good practice, and discusses the role of supplier assurance in relation to workforce screening programs.
We need to recognise that suppliers also pose trusted insider risks
Suppliers and Third Parties are a core part of the ecosystem for every business enterprise. By the nature of their roles and functions, many suppliers and other third parties have privileged access to their client’s (i.e. your organisation) information, systems and critical assets. Examples of trusted insider access by suppliers include:
- Service providers with remote access to critical systems or networks, such as Programmable Logic Controllers (PLCs) or Operational Technology (OT) systems
- Outsourced IT managed services
- Managed data centres
- Contract Manufacturing Organisations and Contract Research Organisations (CMOs, CROs)
- Outsourced Clinical Trials Managers
- Distribution Centres for order fulfilment
- Repackaging and relabelling services
- Recruitment, accounting, audit, consulting and law firms and insurance brokers
- Corporate catering, cleaning services
Many more services can be added to this list: clearly, the breadth and scope of functions performed by suppliers today is nearly ubiquitous – this needs to be taken into account when identifying insider risks.
Existing practices often fail to properly assess supplier-insider risks
Supplier-insider risks need to be managed with a degree of foresight given that supplier contracts are often multi-year agreements with the potential for extensions. This means that failing to incorporate the necessary provisions upfront may create a vulnerability for multiple years or even a decade.
Understanding the insider risk posed by your supplier's workforce begins with identifying your High Risk Roles: are any of them outsourced? That information feeds your Personnel Security Risk Assessment, which characterises the inherent risk and determines whether existing internal control coverage is adequate for your risk appetite.
Where the risk actor is a member of your supplier's workforce, the gap between inherent and residual risk is what you may need to close through the supplier agreement, using tools such as a Workforce Screening Program. This process determines, and documents the justification for, which members of your supplier's workforce need screening and to what extent, based on their access to your organisation's assets.
Suppliers should be contracted to implement your Workforce Screening program
Security and integrity are seen by many as business enablers, but many businesses still treat them as a cost and a management overhead. It is not uncommon to find suppliers with no security or integrity program at all, or without the requisite level of capability maturity to manage the complex risks that can arise in their customers' businesses.
It goes without saying that buyers need to provide guidance to their suppliers on their expectations, just like any other aspect of the sourcing process. Considerations on leading practices for supplier-insider risk management include:
- Imposing contractual obligations to maintain a risk-based security and integrity program that conforms to your organisation's standards and policies
- Providing a copy of your current workforce screening standard, and of any continuous monitoring requirements, so that your supplier knows exactly what it must do to comply
- As a buyer, performing your own continuous monitoring (insider threat detection) of your supplier's interactions with your endpoints, network access and critical assets (including your most valuable information); don't rely on anyone else to do this
- Incorporating requirements for a time-bounded escalation or notification mechanism obligating your suppliers to inform you of certain types of incidents within defined timeframes
- Ensuring appropriate supplier assurance and supplier audit / investigations clauses are included in your contracts and don’t be afraid to use them
These practices could also be incorporated into your Supplier Integrity Framework.
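The continuous monitoring practice above is the one a buyer can act on directly, because the contract gives you the facts to check against: the roster of supplier staff who have been screened, the assets the supplier is engaged to touch, the networks it connects from, and the agreed service hours. The following is an added example, not code from the original post, showing a rule-based review of supplier account activity against those four contractual expectations. The log format, supplier name (acme-msp), account and asset names, IP ranges and service window are all constructed for the illustration; a real deployment would read the same facts from your IAM, VPN and contract systems.

```python
"""Constructed example: review third-party (supplier) account activity against
what the contract permits. Every name, address and log line here is invented."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed contract data for one supplier: accounts that have completed the
# buyer's workforce screening, assets in scope, approved source networks and
# the agreed service window for critical assets.
SUPPLIER_CONTRACTS = {
    "acme-msp": {
        "screened_accounts": {"svc-acme-jdoe", "svc-acme-rlee"},
        "permitted_assets": {"erp-db-01", "file-srv-02"},
        "source_networks": [ip_network("203.0.113.0/24")],
        "service_window": (time(8, 0), time(18, 0)),
    },
}

# Assets the buyer's Personnel Security Risk Assessment rates as critical.
CRITICAL_ASSETS = {"erp-db-01", "plc-gw-01", "file-srv-02"}

# Constructed access log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:15:00 user=svc-acme-jdoe supplier=acme-msp src=203.0.113.10 asset=erp-db-01 action=login result=success
2024-03-04T23:40:00 user=svc-acme-jdoe supplier=acme-msp src=203.0.113.10 asset=erp-db-01 action=login result=success
2024-03-04T10:02:00 user=svc-acme-tnew supplier=acme-msp src=203.0.113.22 asset=file-srv-02 action=login result=success
2024-03-04T11:30:00 user=svc-acme-rlee supplier=acme-msp src=198.51.100.7 asset=file-srv-02 action=login result=success
2024-03-04T12:05:00 user=svc-acme-rlee supplier=acme-msp src=203.0.113.11 asset=plc-gw-01 action=login result=success
2024-03-04T13:00:00 user=svc-acme-rlee supplier=acme-msp src=203.0.113.11 asset=file-srv-02 action=read result=success
"""


def parse_event(line: str) -> dict:
    """Parse one 'ts key=value ...' line (constructed format) into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def evaluate(event: dict) -> list[str]:
    """Return the contractual expectations this event breaches (empty if none)."""
    contract = SUPPLIER_CONTRACTS.get(event.get("supplier"))
    if contract is None:
        return ["unknown-supplier"]  # activity from a supplier we have no contract record for
    findings = []
    # 1. Account is not on the roster of screened supplier personnel.
    if event["user"] not in contract["screened_accounts"]:
        findings.append("unscreened-account")
    # 2. Connection did not originate from an approved supplier network.
    src = ip_address(event["src"])
    if not any(src in net for net in contract["source_networks"]):
        findings.append("unapproved-source")
    # 3. Asset is outside the supplier's contracted scope.
    if event["asset"] not in contract["permitted_assets"]:
        findings.append("out-of-scope-asset")
    # 4. Critical asset touched outside the agreed service window.
    start, end = contract["service_window"]
    if event["asset"] in CRITICAL_ASSETS and not (start <= event["ts"].time() <= end):
        findings.append("outside-service-window")
    return findings


def review(log_text: str) -> list[tuple[str, str, str]]:
    """Run every non-empty log line through the rules; one tuple per finding."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for finding in evaluate(event):
            results.append((event["ts"].isoformat(), event["user"], finding))
    return results


if __name__ == "__main__":
    for ts, user, finding in review(SAMPLE_LOG):
        print(f"{ts} {user}: {finding}")
```

Of the six constructed events, four produce findings: a late-night login to a critical database, an account absent from the screened roster, a connection from an address outside the supplier's networks, and a login to a PLC gateway the supplier is not contracted to touch. Each maps back to a clause you can hold the supplier to, which is what makes the alert actionable rather than merely interesting; the roster check in particular only works if the contract obliges the supplier to keep you informed of who has been screened.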
Workforce Screening should be incorporated into ongoing Supplier Assurance
Just because there is a contractual requirement to do something does not mean a counterparty will comply, or that it has the internal governance to keep track of its compliance. Counterparties often start out with the best of intentions, but some years after signing, business may get tough or management may change, and contract compliance can slip as a result. Supplier assurance (vendor assurance) programs exist to regularly monitor or review key aspects of a supplier's compliance with the contract.
Verifying compliance with workforce screening and other insider risk obligations should form part of any supplier assurance program. It should also be supplemented with insights from periodic updates to your Personnel Security Risk Assessment, Register of High Risk Roles and Workforce Screening Program Guideline (standard), so that supplier practices continue to correspond to your inherent risks and risk appetite as they change.
References and further reading
- ASIS International (2022). Preemployment Background Screening and Vetting, ASIS PSBV-2022. https://www.asisonline.org/publications–resources/standards–guidelines/preemployment-background-screening-vetting/
- Curwell, P. (2022). Building your supplier integrity framework.
- Curwell, P. (2022). Third parties defined: what are they exactly, and how should these risks be managed?
- Curwell, P. (2022). Understanding High Risk Roles.
- Curwell, P. (2022). Designing your Workforce Screening Program.
- Curwell, P. (2022). What is a Personnel Security Risk Assessment?
- Standards Australia (2022). AS 4811:2022 Workforce Screening, published 4 March 2022. www.standards.org.au
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader's own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers.