The human side of third-party risk management
Third-party risk management has become a big thing in IT and security circles. Everybody is talking about it and it seems like everyone is trying to do it; there’s even an acronym for it, TPRM, which is the sure sign that a thing is a “thing” in IT.
However, TPRM and other related activities like risk assessments and risk management, in general, can often seem like a dry abstract topic; full of risk weighting, applying probability percentages to likelihoods, and theoretical impacts of occurrences. It’s easy to see the discipline as just a bunch of numbers and statistics. But at the heart of third-party risk are people. And if you don’t understand the all-important human element as an underlying cause of third-party risk, you will have a harder time coming up with protections and controls to reduce third-party risk on your networks and systems.
Defining the human factor of TPRM
While there are certainly other factors involved in managing third-party risk (technical issues, vendor problems, etc.), the human factor is a big one. Let’s start with the fact that you simply don’t know as much about this set of humans (vendor reps, partners, etc.) as you do your employees. When you give your internal staff remote access, you generally know that HR has done their due diligence on them, via background checks, drug screens, reference checks, or whatever processes your company employs. You also have a work history with these folks, so you hopefully know they are trustworthy when provided with external keys to your network and systems. You wouldn’t give an admin password to a first-day internal hire, so why are you giving them to external vendors? They may have been hired yesterday or be a long term employee. They may be highly qualified for the job they do inside your network or they may be a trainee, learning on the job and on your critical systems.
Now, most vendor employees are skilled and qualified for the job. A vendor wouldn’t keep you as a customer for long if they consistently provided techs without the appropriate skills, but if their vetting processes arent as strict as your own, sometimes an incompetent or malicious individual can slip through those cracks. That is why the risk of a vendor employee on your networks is substantially higher than one of your own. You need to treat remote access for vendors differently than remote access for employees. One way this can be done is through designing robust onboarding and offboarding processes with additional checks, as well as using technical controls to ensure that your vendor’s employees stay in their lanes and don’t get themselves or you in trouble.
How to combat human error
It is human nature, that’s at the root of almost all third-party risk. First of all, laziness, one of the seven deadly sins, is a major culprit. Shared credentials is one example of this. When a company has many support reps, it can become an administrative nightmare to get them all individual credentials. And on the company side, entering all those people into an internal Active Directory can be a full-time task. Often the path of least resistance kicks in with a vendor being assigned a single company-wide credential. This is bad for so many reasons; first of all, it generates compliance risk by taking you out of compliance with most current security frameworks. But, it also greatly increases the risk of a credential compromise since it will be used by so many people and passed around on vendor email systems or bulletin boards. The only way around this is a well-designed workflow process both for onboarding and offboarding vendors. Ideally, this process would be automated and be as self-service as possible to make it efficient. The best cure for laziness is to make the proper processes easy for people. Do that and they will make it easy for you to reduce third-party risk.
They say that to err is human. And that part of human nature is another third-party risk that is hard to control. An incompetent vendor rep can do more damage in your key systems than a hacker if they know just enough to be dangerous. An overly confident database admin can corrupt or wipe out years worth of data. Overeager reps can screw up a config file and then lock themselves out, leaving local internal staff to pick up the pieces.
Even a competent rep can cause issues if they are allowed too many choices and end up rebooting or upgrading servers that were out of scope for their work. You can’t make your vendor train their employees better, but having a very granular access log, ideally with video captures or keystroke logs of vendor’s sessions can allow your King’s men to put Humpty Dumpty back together again if a vendor pushes him off the wall.
Finally, the worst parts of human nature, greed and avarice, can come into play if you have a vendor rep who decides, for whatever reason, to act maliciously on your network. He or she may be actively in the pay of a cybercriminal group or more likely, a disgruntled former employee who might want to cause trouble for their erstwhile employer by messing with their customers. Either way, these “human elements” can cause catastrophic damage if allowed to run free inside your systems with privileged credentials. There are several things you can do to stop or limit damage from this risk.
First of all, a robust and near real-time offboarding process is necessary to remove access for former vendor reps as soon as possible. If you are using shared credentials, obviously this becomes difficult or impossible. Using multi-factor authentication and obfuscated credentials, as is available in most Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM) systems can prevent them from using credentials to your systems that they took with them from a vendor. And finally, having detailed audit logs of remote access activity, especially from third parties, can allow you to catch such activity early on and greatly limit the damage that can be done by these third-party bad actors.
Understand your risks from all angles
So, as you can see, managing third-party risks has a large human element to it. It is impossible to completely eliminate the risk as long as there are humans involved in your third parties (the perfect AI support bot has not been developed yet and probably never will be). However, with the right upfront processes and procedures, backed up with strong technical controls such as PAM and VPAM can go a long way to limit your exposure to human-generated third-party risk.
Not only are humans a risk to your third-party risk management plan, but so are your tools. Whether you’re using a VPN, a vendor-supplied support tool, or a Privileged Access Management (PAM) solution to manage network vendor access, the limitations of those tools leave you vulnerable to breaches.
source securelink
Industry: Cyber Security
Latest Jobs
-
- New Business Sales lead | UK - Cyber Security | New Logo sales
- United Kingdom
- Uncapped OTE
-
New Business Sales lead | UK - Cyber Security | New Logo sales UK Remote An established EMEA technology organisation is hiring a senior New Business Sales lead to take ownership of UK growth. An opportunity built for someone ready to take advantage of competitors who have taken their eye off the ball and turn that into sustained market share. This role is for someone proven. A self-starter who does not need micromanagement, knows how to win market share, and wants the backing of a larger business while building success their own way. You will lead and shape new logo acquisition, define and execute go-to-market strategy with regional leadership, and drive growth across cybersecurity, digital transformation, Microsoft modernisation etc. This is a new business sales role, with budget and full sales lifecycle responsibility. The goal being to build a wider a sales function beneath you as revenue scales. Experience across Financial services, manufacturing, industrial etc helpful. UK-based, remote-first, client-facing when needed. Competitive base salary with uncapped earnings.
-
- Business Development | Healthcare | Warm accounts | UK
- England
- N/A
-
Business Development | Healthcare | Warm accounts | UK Healthcare Cyber Security UK Based An experienced Business Development Manager is required to drive new cyber security revenue across a warm healthcare account base. This role is focused on new business and account growth, engaging healthcare organisations to understand risk, priorities, and operational challenges, and positioning appropriate cyber security solutions and services. Key Responsibilities Drive new business sales into a warm healthcare account base Develop and close new opportunities across healthcare organisations Build senior level relationships with IT, security, and procurement stakeholders Own the full sales lifecycle from first conversation through to close Work closely with technical pre sales and delivery teams Experience Required Proven B2B new business sales experience within cyber security or technology Healthcare sector experience desirable Strong consultative sales and closing capability Ability to achieve UK Security Clearance is required UK based with flexibility to travel What’s on Offer Warm accounts with new business focus Clear revenue ownership Competitive base salary with uncapped commission
-
- Technical Pre Sales Cybersecurity Consultant. Healthcare
- England
- N/A
-
Technical Pre Sales Cybersecurity Consultant UK Remote | Healthcare Focus Overview We are seeking an experienced Technical Pre Sales Cybersecurity Consultant to support healthcare organisations by delivering advisory, solution design, and security uplift services. This role focuses on improving security outcomes, addressing operational challenges, and enabling informed technology decisions across complex and regulated environments. The position blends technical pre sales expertise with a consultative approach, working closely with clinical, technical, and commercial stakeholders to shape effective cybersecurity solutions. The individual must be able to achieve UK Security Clearance. Key Responsibilities Provide technical pre sales support across cybersecurity solutions and services for healthcare organisations Engage stakeholders to understand security challenges, risks, and operational pain points Deliver advisory guidance and recommendations to strengthen security posture and resilience Translate customer requirements into clear, outcome focused technical and commercial solution designs Act as a trusted technical advisor throughout the sales and early delivery lifecycle Produce clear technical documentation, recommendations, and customer facing materials suitable for regulated environments Collaborate closely with sales, delivery, and technical teams to align solutions with customer needs Experience and Skills Proven experience in technical pre sales or cybersecurity consultancy Experience working within healthcare or other highly regulated sectors Broad knowledge of cybersecurity technologies, managed services, and risk based approaches Strong communication skills with the ability to engage both technical and non technical stakeholders Confident operating in a client facing, consultative role UK based role with remote working Occasional travel for customer engagement as required
-
- Contract Technical Pre Sales Cyber Security Healthcare. SC clearance needed
- England
- Outside IR35
-
Contract Technical Pre Sales Cyber Security Healthcare Outside IR35 Contract | UK Remote | Healthcare Focus Existing SC clearance is required. Overview Seeking an experienced Technical Pre Sales Cybersecurity Consultant is required to deliver advisory and uplift services across complex healthcare organisations. This Outside IR35 contract operates on a consultancy basis, focused on improving security outcomes, addressing operational pain points, and supporting informed Cyber Security decisions. The role combines deep technical pre sales capability with consultative advisory delivery, working across clinical, technical, and commercial stakeholders to shape effective and proportionate cybersecurity solutions. Responsibilities Provide technical pre sales consultancy across cybersecurity solutions and services within healthcare environments Engage senior stakeholders to understand security challenges, risks, and operational pain points Deliver advisory guidance and uplift recommendations to improve security posture, resilience, and maturity Translate healthcare requirements into clear, outcome focused technical and commercial propositions Act as a trusted technical advisor throughout the pre sales and early engagement lifecycle Produce concise technical documentation, recommendations, and advisory outputs suitable for regulated healthcare settings Experience Strong background in technical pre sales or cybersecurity consultancy Experience working with healthcare or other highly regulated environments Broad understanding of cybersecurity technologies, managed services, and risk based security approaches Ability to communicate complex technical concepts to both technical and non technical audiences Comfortable operating independently in a client facing advisory role