Reducing security threats posed by contract workers

June 9, 2014
How to make sure the risks don’t outweigh the rewards

In a time of budget sensitivity, many businesses, government agencies and other types of organizations are turning to independent contractors as a more flexible and less expensive alternative to hiring regular, full-time employees.  Contractors can be hired for specific projects or for a specific period of time, and be paid only for their work – saving organizations the extra expenses of payroll taxes, health insurance and other benefits.

However, the cost savings of using third-party contractors can also come with certain risks, most notably in terms of security. Contractors and other third parties, including vendors, delivery people and other "outsiders," may create a breach in physical security which compromises all other elements of a security program. Accessibility to people, assets, systems and information can transform these third-party outsiders into insiders simply by providing them with physical access to a facility. This could create a potentially dangerous situation for the safety and security of a facility.

The bottom line is that no matter how sophisticated the security policies or how carefully employees adhere to them, when a contractor or other third-party accesses a facility those policies could be rendered useless.

Whenever a third-party enters a facility, they introduce an element of the unknown, elevating the level of risk to an organization, and the risks they may introduce aren’t necessarily intentional or malicious. First, they may not be well-known to the organization or to other employees, and may be unfamiliar with the security policies that are in place. The organization may also have very little control over their actions, which could accidentally create an elevated risk level. For example, a contractor could unplug a device that’s critical to security, leaving the organization exposed without realizing it. Other possibilities include simple carelessness, overloading electrical outlets or propping open a door that should remain secured at all times. Even the simple act of accessing a wireless Internet network could cause a problem if a person’s device has been compromised in any way.

While unintentional harm creates a negative situation, the possibility that an outsider might intentionally breach an organization’s security to cause problems could be disastrous. An organization could be subjected to theft, fraud, vandalism, property loss and much more. It’s also important to remember that a physical security breach could be the first step of a more sophisticated cyber attack. The wide availability of small, relatively inexpensive portable devices like flash drives or even mobile phones makes this a very real possibility. It is easy to connect a device to a vacant computer or workstation and upload a file designed to create a breach in a company’s logical security defenses. It’s also very easy to find malicious software online that enables "pod slurping." When installed on an iPod or other device, the software can be configured to automatically download files when connected to a system – at an alarming rate of about 100 MB per minute.

Along those same lines, someone could easily pocket a portable flash drive, mobile phone or slide a laptop into his or her bag. Some very extensive data breaches have occurred as the result of a laptop or other device being lost or stolen. It’s important to note that these possibilities exist even if the contractor has been given permission to remove a device from the premise so he or she can work from home.

There are a number of ways to mitigate these risks, if not prevent them altogether. Good physical security begins with doors. They should either be locked or managed by an access control solution to restrict entry to specific areas of the facility. Access must also be restricted to interior doors, especially those that lead to server rooms, research and development labs, financial systems and other sensitive areas.

Organizations should also perform a thorough background check on contractors, as well as employees, to determine what, if any, risk they may pose. Once hired, both contractors and employees must be properly trained on the security policies that are in place before being granted physical access to the facility.

It’s also important to be aware of who has physical access to computers and other devices at all times. Even casual use of a server-connected laptop by someone who visits a dangerous website or opens a suspicious email can severely compromise an organization’s systems. Password protection, encrypting files, strong security software, keeping general and critical systems segregated, and providing tiered login credentials that allow a person to access only relevant servers, websites, etc. are good ways to prevent potentially disastrous outcomes made possible by physical access.

Strong identity management is also critical, and each ID must be associated with a specific person. Otherwise, they can be loaned to or stolen by someone else. At best, that person may be unfamiliar with security policies, and at worst, he or she has more sinister intentions than any contracted employee (who has been thoroughly vetted, of course). The access rights of an individual’s ID must correspond with the areas of a facility to which an individual requires access. For example, someone who has been contracted to perform data entry should not be given an ID that allows access to the server room. Contractors must also be removed from security systems immediately upon the expiration of their contract or termination.

For too many organizations, managing contractor identities is still a manual, paper-based process that lacks a centralized policy regarding physical access privileges or issuance of ID badges. For those organizations where the operations of different departments are autonomous and segregated, this severely limits the ability of security teams to do their jobs properly. As a result, they end up spending a significant amount of time and energy managing contractors, while still running the risk of a security breach.

An enterprise-based physical identity and access management (PIAM) solution provides an automated, policy-based approach to managing the lifecycles of contractor identities to ensure that accurate verification related to contractors’ identities is captured and stored within the appropriate systems. This contractor data can then be managed centrally with location-specific data to ensure contractors and other third parties can access only those areas they have been approved to enter. Additionally, identities can be automatically activated, deactivated, renewed and reactivated.

Awareness of the potential risks associated with third-party contractors and proactive steps to address those risks are two fundamentals that should be part of every security program. Implementing and enforcing strong security policies, and training both staff and contractors on those policies, will go a long way toward ensuring the safety and security of a facility and its occupants.