As an ISACA- and ISC2-certified cyber security specialist, I am often asked by customers for advice on how to properly manage risks. After working for many IT service providers over the years, and becoming an expert in many technologies, both security and non-security related, my answer is likely different from what other risk advisers may give.
True Examples of Third-Party Risk
In my almost 30-year career I have seen many disturbing behaviours from third-party providers while working inside some of the largest IT consulting companies in Canada:
Outsourced backups performed but never tested, leaving the client exposed when a recovery fails
Services being stolen from smaller subcontractors to improve the bottom line of the larger company
Data center bills not being paid, causing lockouts for other customers
Contract forgery, or contracts that don't protect the clients of third parties
Lack of training for employees, leading to a "Google Search" approach to service delivery
No raises for long-term employees, causing employee complacency
Forced overtime without pay for internal staff, contractors or subcontractors
Over-billing of customers
Log monitoring turned off, or non-existent, in a cloud provider's environment for performance reasons, unbeknownst to clients
One-stop-shop IT providers without individuals holding reputable certifications in the areas in which they claim expertise
Failure to check employee backgrounds on a recurring basis (not just at initial hire), exposing clients to individuals with criminal records
Shared credentials being used with full administrative access to clients' systems
Some of these may seem surreal, but this is only a small list of the risks that actually exist when dealing with larger IT providers. Now, you might be under the impression that the organizations you work with have strong ethics, and maybe they even claim to have a whistleblower policy. One thing I can guarantee from experience is that the larger a company gets, the harder it is to ensure governance and related processes are being followed. Head office rarely has a complete picture of what the various business units are doing!
What does it mean?
What it means is that you must be extra diligent and add processes like checking Glassdoor and other online sources to see what a company's employees are saying. If multiple employees are talking about a lack of ethics, or say they are overworked without being paid for their overtime, this may be a sign that the company's philosophy is misaligned with the one your own organization follows. In my opinion, it is better not to see any reviews at all from employees (former or otherwise) than to see reviews from people indicating that a company has ethical issues.
So what else can we do?
Here is a list of tips that can be incorporated into your third-party risk processes to help with selecting third-party partners for your business:
Follow an industry-standard third-party risk process, such as the one outlined by ISACA, or the processes defined by another reputable organization such as SABSA.
Don't just believe fancy advertisements.
Make sure the company you deal with provides criminal background-check evidence for its employees and contractors. Even employees with 20+ years of service can have charges you are unaware of that may impact your business.
Just because a company says it has experienced staff, it does not mean that you are getting access to them, or that you shouldn't validate their certifications. Many companies today advertise risk management or security services and are merely using risk assessments as a way to sell more hardware and services.
Risk- and compliance-related threats should always be assessed by an organization other than your primary IT provider, as it is not in that provider's interest to give you a clear and honest answer if it is doing something questionable.
The bottom line is that there is no magic bullet, and as companies grow, their overhead increases. Once this happens, employee certification efforts and continued education for long-term employees lapse, as the focus shifts to covering the overhead instead of doing good work. If those same companies work their employees to the bone and sell them to your company as experts, this can introduce significant risk.
Happy Employees = Better Workers
Validating that an IT provider's employees are encouraged to improve their skills by achieving certifications demonstrates that you are working with a company that cares about your organization and is trying to add exceptional value to its service delivery. If your IT provider combines this investment in continued education with an approach that does not overload its employees, it will also go a long way toward keeping those employees happy, which is good for your organization as well.
Validate, Validate, and Validate before choosing a supplier
Additional validations that you may consider adding to your third-party risk process are:
Perform an Internet search for class action lawsuits against the company.
Check Indeed, Glassdoor and other sites that allow employees to comment. Look specifically for comments about ethics, or similar concerns, from past employees or contractors.
Search Google for lists of the worst companies to work for. If you check reports from the last three or four years, there is a good chance that some of the companies have been listed more than once.
If a company appears in multiple search results with bad reviews, or turns up in the results of the searches described in the three bullets above, then you should question whether it is an organization you would like to entrust with your environment.