Security Risks Associated with Temporary, Seasonal Staff Can Be Reduced

Oct. 7, 2022
A successful organization should adopt a zero-trust approach that creates an identity authority for temps and third parties

Workforce needs for many organizations are driven by seasonal requirements. Summer vacations, holiday travel, and shopping seasons all contribute to the need for an increase in the number of temporary workers to support cyclical business spikes. Seasonal staff provides the elasticity needed to quickly and cost-effectively expand and contract operational needs. However, onboarding, revalidating, and offboarding these staff can be time-consuming and costly. And because temporary help is often granted access to internal systems and data, organizations experience new operational challenges and greater risk exposure.

Whether these short-term staff members are considered temporary personnel, third-party workers or independent contractors, all non-employee staff with access to an organization's facilities, networks, and data raise several organizational and security risk challenges.

Seasonal Staff Identity Challenges

The identity challenges associated with the use of seasonal staff are no different than other non-employee populations but are in some ways magnified due to the volume of workers being brought on all at once for a limited duration. Organizations may view the risks associated with this population differently than other non-employee populations. For example, college students being brought in to fill summer vacancies may be considered lower risk than engineers filling gaps on key projects.

Recent research conducted by SecZetta and ESG found that, when it comes to processes that mitigate non-employee risks, only just over half (53%) of organizations surveyed noted they are identity-proofing and verifying third-party individuals and organizations before granting them access to company assets. And, once those third parties have access, they tend to keep that access long after it’s appropriate, with 55% of respondents failing to deactivate third-party workers who no longer qualify to perform duties.

Adding to this complexity, as the survey findings noted, seldom is anything done to ensure access is updated as the temporary worker’s relationship with the organization changes or is removed when it is no longer needed. Key workflows related to onboarding, validation, and offboarding during their full tenure with the organization should be automated, improving operational efficiency and reducing the cost and risks of temporary staff resources.

HRIS Systems Don’t Work Well for Third Parties

In most instances, existing automated identity and risk management processes for an organization's employees do not work for temporary users. Companies often attempt to use HRIS systems to solve part of the problem – which can be costly, time-consuming, ineffective, and typically only focused on the bare minimum of getting access granted.

Appropriate onboarding for third-party users is critical because it is during this process that important contextual data is collected and used to make initial access decisions. HRIS solutions feature high per-record costs and are fundamentally designed to meet different needs like managing payroll, benefits, performance, and linear reporting structures for full-time employees. Most of these capabilities are not applicable to third-party users and ultimately do not meet the requirements necessary to adequately secure access to an organization’s data, network, and facilities.

So how can organizations improve operational efficiency and reduce the security risks of managing temporary, seasonal help?

Adopt a Zero-Trust Approach

To be successful, businesses need to adopt a zero-trust approach that creates an identity authority for their third-party, temporary, seasonal staff. This validates those workers are who they say they are, are granted the minimum required level of access needed to perform their roles, and that access is removed when no longer needed.

Security professionals should seek options that not only automate these processes but also improve data flow and enable proactive maintenance of existing third-party profiles, including:

●      Self-service or delegated updates to a worker's profile

●       Relationship updates, including sponsor and organization assignments

●       Worker status validation or self-attestation

●       Relationship or status expiration

●       Termination or transfer

It’s also important to consider solutions that allow organizations to risk-rate and manage all third-party identities before granting access. Some provide the ability to assign risk scores to specific identity data and allow thresholds to be set to trigger conditional approvals, processes, or even automatic certification of "high-risk" users. With the right functionality, organizations can quickly build vendor risk profiles or integrate seamlessly with existing vendor management and risk solutions to combine vendor risk with identity risk. This process creates a holistic view of an individual third-party's risk exposure and supports an organization's overall risk strategy.

Taking the Next Step

With third parties widely acknowledged as an elevated risk to organizations’ security, special consideration must be taken at the individual identity level when providing them with insider access to facilities, systems, and data. And this becomes even more complicated and critical when these third parties only work with organizations on a temporary basis.

If your workforce requirements fluctuate based on cyclical changes driven by various factors like seasons of the year, holidays, and school-year calendars, your organization probably relies on the use of seasonal workers. By proactively addressing the points above, you will be best prepared to mitigate the risk associated with these temporary workers while meeting your operational needs.

About the author: David Pignolet is the founder and CEO of SecZetta. David brings his nearly two decades of experience in application, network, and data security to drive the success of SecZetta as an industry leader in third-party identity risk and lifecycle management solutions. He founded the company in 2006, assembling a highly experienced team and securing strategic partnerships to address a growing need for better IT security and identity and access management in the market.