In a time of budget sensitivity, many businesses, government agencies and other types of organizations are turning to independent contractors as a more flexible and less expensive alternative to hiring regular, full-time employees. Contractors can be hired for specific projects or for a specific period of time, and be paid only for their work – saving organizations the extra expenses of payroll taxes, health insurance and other benefits.
However, the cost savings of using third-party contractors can also come with certain risks, most notably in terms of security. Contractors and other third parties, including vendors, delivery people and other "outsiders," may create a breach in physical security which compromises all other elements of a security program. Accessibility to people, assets, systems and information can transform these third-party outsiders into insiders simply by providing them with physical access to a facility. This could create a potentially dangerous situation for the safety and security of a facility.
The bottom line is that no matter how sophisticated the security policies or how carefully employees adhere to them, when a contractor or other third-party accesses a facility those policies could be rendered useless.
Whenever a third-party enters a facility, they introduce an element of the unknown, elevating the level of risk to an organization, and the risks they may introduce aren’t necessarily intentional or malicious. First, they may not be well-known to the organization or to other employees, and may be unfamiliar with the security policies that are in place. The organization may also have very little control over their actions, which could accidentally create an elevated risk level. For example, a contractor could unplug a device that’s critical to security, leaving the organization exposed without realizing it. Other possibilities include simple carelessness, overloading electrical outlets or propping open a door that should remain secured at all times. Even the simple act of accessing a wireless Internet network could cause a problem if a person’s device has been compromised in any way.
While unintentional harm creates a negative situation, the possibility that an outsider might intentionally breach an organization’s security to cause problems could be disastrous. An organization could be subjected to theft, fraud, vandalism, property loss and much more. It’s also important to remember that a physical security breach could be the first step of a more sophisticated cyber attack. The wide availability of small, relatively inexpensive portable devices like flash drives or even mobile phones makes this a very real possibility. It is easy to connect a device to a vacant computer or workstation and upload a file designed to create a breach in a company’s logical security defenses. It’s also very easy to find malicious software online that enables "pod slurping." When installed on an iPod or other device, the software can be configured to automatically download files when connected to a system – at an alarming rate of about 100 MB per minute.
Along those same lines, someone could easily pocket a portable flash drive, mobile phone or slide a laptop into his or her bag. Some very extensive data breaches have occurred as the result of a laptop or other device being lost or stolen. It’s important to note that these possibilities exist even if the contractor has been given permission to remove a device from the premise so he or she can work from home.
There are a number of ways to mitigate these risks, if not prevent them altogether. Good physical security begins with doors. They should either be locked or managed by an access control solution to restrict entry to specific areas of the facility. Access must also be restricted to interior doors, especially those that lead to server rooms, research and development labs, financial systems and other sensitive areas.