Data breach alert: the rising threat of contractors

With the increasing number of contractors being employed by organisations, it's vital that their access rights are regularly reviewed, says Paul Trulove.

Paul Trulove

The Snowden debacle shed light on what contractors with high-level or far-reaching access rights are capable of if that access is not closely monitored. But it's not just high-profile organisations like the National Security Agency (NSA) that are at risk from insider attack by contractors. Research from PwC has revealed that contractors account for 18 percent of the most serious breaches in UK firms of varying sizes. Clearly, this problem is widespread.

According to analysis from CareerBuilder, nearly three million people are employed in temporary contract jobs today, and that number continues to rise. While these arrangements provide businesses with a competitive edge and flexibility to expand and contract their workforce as needed, there are associated IT risks. These can, if not handled properly, outweigh the benefits. Businesses must be smart about protecting against the potential risks that contractors bring into the virtual workplace. Compliance regulations increasingly expect that contractors be subject to the same IT controls and safeguards as every other employee.

A breach by a third party can have ramifications for data security and for the overall brand. While responsibility for a third-party contractor can be a grey area – especially if the contractor is engaged through a service provider or vendor – an organisation is always responsible for managing and monitoring who has access to its systems.

That makes it imperative for organisations to pay attention to contractors, but the reality is that it's no easy task. What makes this area of data security such a challenge is finding the right balance between limiting risk and opening up access to the sensitive applications and data that a contractor needs to perform their job.

Unfortunately, there is no silver-bullet solution to this problem, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls, they will be much more secure.

First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered ‘illegal’ use of proprietary data.

At the same time, companies need to proactively monitor and manage contractors' access privileges, with the goal of limiting access to only what is required. Identity and access management (IAM) plays a critical role in helping companies ensure that access privileges are appropriate and conform to policy, including:

  • Centralise visibility. Continuously and actively review what information contractors have access to in order to make sure it's appropriate for the work they are doing. This is achieved by implementing a system that allows for centralised visibility into contractors' access within the infrastructure.
  • Incorporate a risk-based approach. Contractors pose a higher security risk to the network because they don't have the same relationship with the organisation as a long-term employee. Create an identity risk model to better understand where the hotspots are. Details such as whether a contractor is also working with a competitor are critical.
  • Tie termination of access to the contract end date. Close the loop once the consultant leaves. Put an automated process in place to terminate all access, just as you would for an employee. During the on-boarding process for new contractors, capture the length and nature of the contract so that access expires automatically. This is often easier said than done, because organisations rarely have a centralised process for contractors. One workaround is to assign an accounts payable person as an access reviewer.
  • Aggressively clean up contractor access. Upon termination of a contract, simply severing network access isn't enough. The organisation must also clean up the access it granted the contractor at the individual application and entitlement level. Organisations often reuse the same contractors repeatedly, and those contractors can quickly accumulate access over the years. Because of this, contractor access should be certified every 90 days.
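As an added example (not from the article or from SailPoint), the following Python applies the mechanical controls in the last two points to a constructed contractor inventory: entitlement-level revocation once the contract end date captured at on-boarding has passed, recertification of anything not reviewed within 90 days, and a flag for reused contractors who have accumulated access. The five-entitlement accumulation threshold and all names and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

CERT_INTERVAL = timedelta(days=90)  # recertification cadence named in the article
ACCUMULATION_LIMIT = 5              # assumed threshold for accumulated access

@dataclass
class Entitlement:
    app: str
    role: str
    last_certified: date

@dataclass
class Contractor:
    name: str
    contract_end: date  # captured at on-boarding so expiry is automatic
    entitlements: list = field(default_factory=list)

def review(contractors, today):
    """Return (contractor, app, role, action) rows an access reviewer must act on."""
    actions = []
    for c in contractors:
        if today > c.contract_end:
            # Contract over: clean up every application-level entitlement,
            # not just network access
            for e in c.entitlements:
                actions.append((c.name, e.app, e.role, "REVOKE_CONTRACT_ENDED"))
            continue
        for e in c.entitlements:
            if today - e.last_certified > CERT_INTERVAL:
                actions.append((c.name, e.app, e.role, "RECERTIFY"))
        if len(c.entitlements) > ACCUMULATION_LIMIT:
            # Reused contractor who has racked up access over repeated contracts
            actions.append((c.name, "*", "*", "REVIEW_ACCUMULATION"))
    return actions

# Constructed sample inventory (not real data)
TODAY = date(2014, 6, 1)
SAMPLE = [
    Contractor("alice", date(2014, 12, 31), [
        Entitlement("hr-db", "reader", date(2014, 5, 1)),
        Entitlement("payroll", "admin", date(2014, 1, 15)),  # >90 days old
    ]),
    Contractor("bob", date(2014, 5, 15), [  # contract already ended
        Entitlement("vpn", "user", date(2014, 4, 1)),
        Entitlement("crm", "editor", date(2014, 4, 1)),
    ]),
]
```

Running `review(SAMPLE, TODAY)` yields one RECERTIFY row for alice's stale payroll admin role and REVOKE rows for both of bob's entitlements, the worklist an accounts payable reviewer could act on.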

As the economy continues to get stronger and businesses benefit from contract workers, the issue of unmonitored access for third-party workers will only escalate. Organisations that implement good IAM strategies incorporating contractors as part of their overall governance strategies can protect themselves from past, present and future threats. Those that don't heed this advice put themselves and their business at incredible risk.

Contributed by Paul Trulove, VP of product management at SailPoint.