The inherent security risks of temporary staff

The inherent security risks of temporary staff
The inherent security risks of temporary staff

As the economy recovers, businesses are cautiously hiring again,  with a significant proportion of these recruits being employed on a temporary or casual basis. A survey by the Chartered Institute of Personnel and Development (CIPD) last year found that 29 percent of recruitment is likely to be on this basis in the foreseeable future.

There may be several sound financial and management reasons for this trend, but from a corporate security point of view, it is creating significant new dangers for businesses.  The rapid turnover of temporary staff and the lack of background checks and controls compared with permanent recruitment means that the surge in temporary employment is creating its own 'Trojan horse' when it comes to data security risks.

Employee theft of intellectual property and confidential data is a common and known problem. However, another form of fraud taking advantage of the spike in temporary recruitment - 'Executive impersonation' is also on the rise. This organised crime occurs when fraudsters 'embed' a member of their team as a temporary employee to assess the systems, practices and key individuals in an organisation before using that information to persuade key junior employees to make 'off the books' payments by pretending to be a senior member of staff.

There are a number of measures that businesses can take to eliminate, or at least mitigate, these risks. When it comes to employment practices, the backgrounds of temporary workers need to be scrutinised every bit as much as their permanent colleagues before they are engaged.

What you need to know

However, once employed, they should be treated with more caution. Temporary workers' access to company computer assets should be restricted to the minimum level necessary for them to perform their role, and their use of personal devices on company networks prohibited where possible. Similarly, physical access to sensitive parts of the business should be restricted and the role of temporary workers should not be too wide-ranging so to reduce the opportunities for fraudulent temporary staff to develop a comprehensive overview of how the business operates.

'Embedded' members of criminal gangs will often also use 'social engineering' techniques, building relationships with key employees to learn about the business and also - in the case of CEO impersonation frauds - to identify who is most likely to be susceptible to a fake approaches (often in the shape of an authentic-looking email).

Executive impersonation fraud is driven by financial gain.  So staff need to be made aware of these patterns of behaviour and there also needs to be a whistleblowing system in place to enable employees to escalate any concerns beyond their immediate line managers without fear of repercussions. It also needs to be instilled into staff that irregular payments should not be contemplated, no matter how senior the apparent source of the request.

Technical solutions include the installation of security mechanisms that can authenticate genuine emails and identify and quarantine fake emails purporting to come from impersonated staff, particularly senior executives. As well as carrying the risk of importing malware onto a company's systems, these fake emails impersonating senior staff are used to gain the trust of unwitting employees to eventually make fraudulent payments.

Finally, if the worst comes to the worst, it is essential to have an ‘Incident Response and Forensic Readiness plan' in place. If the financial and reputational damage of a fraud is to be limited, response times are critical and the planning for this needs to be in place before the event. For example, it is critical for companies to know where their data is and whether accessing it will be affected by the data protection and privacy laws of the legal jurisdiction in which it resides.

However, according to a survey conducted by Control Risks and the Economist Intelligence Unit (EIU) of over 316 companies worldwide, a third of companies admitted that they do not have an investigation response plan in place to identify and retrieve data.  If the worst does happen, these organisations could find themselves in a very exposed position.

Tips to reduce employee fraud

1.       Treat applications for temporary positions as you would permanent ones.

2.       Be aware of the modus operandi of 'embedded' fraudsters, educate your workforce to be vigilant.

3.       Enable staff to report any concerns to senior management

4.       Prohibit the authorisation of 'confidential' payments in all circumstances.

5.       Limit the access of temporary staff to company systems and strongly discourage the use of personal devices on corporate networks.

6.       Limit and segregate the roles of temporary staff where possible.

7.       Defend your IT system against forged emails through methods such as security certificates.

8.       Be prepared for the worst: have an investigation plan in place.

Contributed by Ching Liu, Practice Leader for Digital Forensics & Cyber Security, Control Risks