How IT organisations can reduce risks with contractors

The surge in use of freelancers, contract workers, and other contingent parties in today’s environment — as high as 3 million Americans today, a number that is expected to rise over the next few years — has created a gig economy, and along with it, significant challenges for organisations as it relates to managing identities and their access.

These temporary and seasonal workers require access to applications and data to do their jobs, but often fall outside typical human resources (HR) processes of on-boarding and off-boarding. This can create silos of users outside of an organisation’s central repositories and provisioning and de-provisioning processes, creating a significant risk that access credentials go unaddressed, unmanaged and uncontrolled well after a project or engagement is over.

Large organisations, who are often the most reliant on temporary workers, do not have the bandwidth or resources to conduct due diligence on each contractor individually before they are on-boarded. Many simply rely on the contracting firms to have conducted appropriate background checks on the men and women they employ, while the one-off contractors slip completely through the cracks. Whether maliciously or not, many of these temporary workers bring with them considerable risk to your organisation based on the level of access granted to sensitive applications and data.

The potential threats to sensitive data stored in applications or files posed by contractors are immense. The notorious Edward Snowden/NSA incident sheds light on government contractors with high-level security access and just how much damage they can do if they so choose. Beyond the NSA, risks of insider attacks from contractors abound, as evidenced by high-profile data breaches including Target, AT&T and eBay, to name a few recent examples. Recently, the Korean Credit Bureau (KCB) disclosed that a temporary contractor who had access to its systems was able to steal customer data including names, social security numbers, credit card numbers and expiration dates, all of which are highly valuable on the black market.

What are the risks?

The risk of inappropriate access comes in two primary forms. First, an outside user now has potential access to your organisation’s sensitive data and systems — access that could be used to steal information or, through a lack of familiarity with systems and procedures, cause an unintentional breach. Second, outside users often bring their own hardware and software, frequently used on other networks, which could introduce malware or other threats to your data.

A Ponemon study from April 2016 found that C-level executives are not engaged in their organisations' third-party risk management processes and that a lack of formal programs in managing that risk is endangering the security and compliance of enterprises today. While seven in 10 respondents believe third-party risks at their organisations are staying the same, only 29 per cent have a formal third-party risk management program and just 21 per cent believed their company’s effectiveness in mitigating or curtailing third-party risk is highly effective.

The gig economy is here to stay, and the line between contractors and full-time employees will continue to blur as companies look to stay competitive and nimble by hiring niche specialists for short- and long-term projects. With this reality in mind, here are four key steps to mitigate risks and minimise breaches through temporary workers, by taking a governance-based approach to managing identities and their access.

Centralise visibility

Implementing a system, such as an identity and access management system or program, that allows for IT and business managers to see all the access a contractor has helps to ensure contractors have only the access they need and nothing more. In order to eliminate silos of visibility, consider using the same system you leverage for your full-time employees.

Execute a risk-based approach

Since contractors pose a higher security risk to the organisation because they don’t have the same relationship as a long-term employee, creating an identity risk model that highlights contractor access helps organisations to better understand where the hotspots are and apply stronger controls. The risk model can even include attributes such as whether a particular contractor is working with a competitor, where a higher level of scrutiny is required to protect your data from getting into the wrong hands.

Automate on- and off-boarding

When a contractor starts with the organisation, their access to the appropriate systems should be provisioned automatically based on their job role or specific project. Often there is a specific end date associated with a contractor’s engagement, so setting an expiration date for their access as part of the original provisioning action is an effective way to counter the tendency for contractor access rights to remain active after the contract has ended. Once a contractor leaves, turning off network access is not enough. Focus on the entitlements and application-level access rather than just the network, so that the organisation stays protected in case the contractor returns on a future project.

Review access on a regular basis

Entitlement creep is a dangerous thing. If a contractor’s term is extended or their role with the organisation changes, it is important to reconcile their access with the changes. Reviewing and certifying their access on a regular basis ensures that the organisation is protected against inappropriate access to sensitive data.
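As an added illustration of the four steps above (example code, not the article's or SailPoint's own), this small Python model provisions a contractor from a role profile, binds the grant to an engagement end date, revokes entitlements rather than only network access once that date passes, and flags entitlement creep for periodic review. The role profiles, user ids and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role-to-entitlement profiles (constructed for this example).
ROLE_PROFILES = {
    "payroll-contractor": {"payroll-app:read", "vpn"},
    "data-migration-contractor": {"crm-db:read", "crm-db:write", "vpn"},
}


@dataclass
class Identity:
    user_id: str
    role: str
    engagement_end: date          # expiry captured at provisioning time
    entitlements: set = field(default_factory=set)


def provision(user_id: str, role: str, engagement_end: date) -> Identity:
    """Grant only the role's entitlements and bind them to the engagement end date."""
    if role not in ROLE_PROFILES:
        raise ValueError(f"unknown contractor role: {role}")
    return Identity(user_id, role, engagement_end, set(ROLE_PROFILES[role]))


def deprovision_expired(identities, today: date) -> dict:
    """Remove every entitlement (not just network access) once the end date has passed."""
    revoked = {}
    for ident in identities:
        if today > ident.engagement_end and ident.entitlements:
            revoked[ident.user_id] = sorted(ident.entitlements)
            ident.entitlements.clear()
    return revoked


def entitlement_creep(ident: Identity) -> set:
    """Entitlements held beyond what the identity's current role profile allows."""
    return ident.entitlements - ROLE_PROFILES.get(ident.role, set())


def certification_report(identities, today: date, window_days: int = 30) -> list:
    """Items a manager should certify: creep, or engagements ending within the window."""
    findings = []
    for ident in identities:
        creep = entitlement_creep(ident)
        if creep:
            findings.append((ident.user_id, "creep", sorted(creep)))
        if today <= ident.engagement_end <= today + timedelta(days=window_days):
            findings.append((ident.user_id, "ending-soon", ident.engagement_end.isoformat()))
    return findings
```

Running `certification_report` on a schedule and `deprovision_expired` daily gives the regular review and the automatic off-boarding the steps describe; a contractor whose role changes is re-provisioned with the new profile, so anything left over shows up as creep.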

Organisations with the most thorough due diligence procedures during on-boarding and effective repositories for maintaining a centralised view of their contractors still face risks from temporary workers. Increasing visibility into what these workers have access to while they are temporarily employed is key to managing risk. Taking an identity-focused approach to security, rather than a systems- or network-based one, can further protect your organisation from outside threats. It allows organisations to continuously monitor access-related activities, including the granting of new access, changes to existing access, and the specific activities performed with the most sensitive access in the enterprise. When combined with risk-based controls, it allows those responsible for overseeing contractors throughout their relationship with the organisation to focus on the individuals who would pose a significant threat if their accounts were compromised or if they decided to act maliciously.

As today’s workforce becomes even more transactional and temporary, it has become more important than ever to be able to answer ‘who has access to what’ in your organisation – both from a risk and a compliance management perspective. Focusing on and proactively managing contractors’ access gives your organisation the best chance to track individuals as they move in and out of the company.

Paul Trulove, vice president, product management, SailPoint