Every entity with a classified engagement with the United States government has an insider risk management (IRM) program. The efficacy of the program often lies within the cohesiveness of the various moving parts which make up the program itself. When you are slow to pay your vendor, does it create discontent with your trusted vendor?
While every program will have an eye on the who, what, why, where and when of vendor interaction, how many have their eye on the financial relationship between their entity and the vendor? Does the IRM program have its finger on the pulse of the financial side of the equation? Is the vendor being paid (correctly and on time)?
The recent demise of the Silicon Valley Bank caused a good many companies to scramble to relocate their funds, which caused disruptions to accounts being paid. Updates of internal financial tools or email systems may cause invoices to disappear into the proverbial ether. How many vendors/contractors were financially stuck by the bank failure? How many have to chase their invoices to be paid?
Identifying friction between trusted vendors and accounts payable
The CTO of DTEX, Raj Koo, opined, “An organization’s best insider threat sensors are not cyber sensors (despite what software vendors might tell you), they are people (colleagues, HR and accounts payable too!). If a 3rd party vendor isn’t getting paid and becomes clearly disgruntled, and that same 3rd party has access to corporate IP, it’s here where mature reporting mechanisms are extremely important. When that information flows freely through HR and into the insider risk program, appropriate detection, deterrence, and mitigation actions can be proactively put in place.”
And Koo is right: people are your best sensors. Cyber sensors may tell you whether accounts payable are running in arrears (30, 60, 90 or 120 days) and by how much. The same sensors may be tuned to align this with vendor deliverables. The sensors won’t pick up on the “feelings” that the financial shortfalls are causing.
Then we have the area where you trust your vendor to be a good employer. What happens when your vendor is slow to pay their people and their people have access to your IP? Has your vendor put your company at risk? What sensors will pick up how your vendor treats their employees/contractors who are engaged with your entity?
The most effective sensor will be the accountant or program manager, who will best be able to highlight to the IRM program office whether the aging of accounts to be paid is causing friction with the vendor. A periodic audit of your vendor’s accounts payable, meanwhile, will quickly suss out how they treat their own employees and subcontractors.
The self-inflicted insider risk wound
Who can forget when the rocker Tommy Lee declared to his contractor (at gunpoint) that he wasn’t going to pay for the renovation to his Hollywood mansion, stiffed him tens of thousands of dollars and kept the contractor’s tools? We know how that ended. The contractor broke back into the house, stole a safe and published the video tape within (Hulu memorialized the sordid affair in the series “Pam and Tommy”).
Then there are those entities who, as Lee did, decide that they simply aren’t going to pay their employees or vendors. This is called wage theft, and it happens more often than one might imagine. The U.S. Department of Labor has a website for employees/contractors to file a complaint if they suspect they are a victim of wage theft.
The Economic Policy Institute wrote in 2022 how “employers stole $1.8 billion from workers in the industries that employed most H-2B workers.” The H-2B visa program is intended for use by employers who face seasonal labor shortages. The same institute noted in May 2020 how many H-1B employers paid migrant workers well below market wages. Then again in April 2023, it reported how tech and outsourcing companies were exploiting H-1B workers during the tumultuous restructuring within the tech sector which resulted in thousands being laid off.
When your vendors aren’t getting paid, it opens a bag of vulnerabilities which puts your entity at risk. If you don’t have visibility into this niche, get it.