The rise of outsourcing to contractors and third parties has delivered great benefits. Your organization gets more flexibility and access to great expertise. However, this model does have some significant drawbacks. It’s more challenging to maintain IT security. IT contractors may have multiple clients, so they don’t have the same day-to-day focus on your organization. As a result, they may miss some of your IT security expectations.
What’s the Impact of Poor Contractor IT Security?
To paint a picture of what can go wrong, here are some of the risk exposures IT contractors can bring. First, they may not be set up as part of your identity and access management system and process. Second, they may not be included in your company’s standard IT security training for employees. As a result, it’s difficult to track their user access status. They may not understand your expectations for using multi-factor authentication, how to report phishing attacks, or understand other requirements. Thus, your IT contractor security risk may be increasing substantially without you realizing it.
How to Assess Your Contractor IT Security Risk
Before you invest substantial time and resources into addressing this risk exposure, it’s smart to take a step back and assess the situation. To do so, define contractors broadly to include both individuals hired on direct contracts and staff working at your organization through a professional services firm.
Ask yourself these self-assessment questions:
- How many contractors does your company use? Has this figure increased over the past year?
- How many IT contractors have access to sensitive corporate data, systems, and assets?
- What monitoring process do you have to track IT contractor access?
- What training do you provide to IT contractors about security matters?
- Do you rely upon manual processes to manage IT contractor security risk?
- Do you have a central inventory of all IT contractors and their status (active vs. inactive)?
After you answer those questions, you’ll probably find that you’re exposed to significant contractor IT risk. Now, turn to the steps you can take to address this security risk.
Three Ways to Address Heightened Contractor IT Security Risk
To mitigate your contractor IT security risk, you can use varying approaches depending upon how many contractors you use.
1. Train Your Managers on Ways to Monitor This Security Risk
Your front-line managers already have some processes and tools in place to manage security risk for employees. Therefore, it makes sense to ask them to extend their oversight to cover contractors. In particular, ask them to make sure that contractor user access is logged and tracked through your central identity and access management solution. If you already have highly effective management oversight in place, your next step is to develop IT security training specific to contractors.
Tip: Encourage managers to create checklists for onboarding and offboarding contractors. These checklists may include items such as collecting ID cards and hardware and removing all user access. To help you build your checklist, read our guidance: The 9 Habits of Highly Effective New Employee Onboarding.
2. Monitor Contractor IT Security Risk Centrally
While managers have accountability for their departments, they may have difficulties in keeping up with this risk. That’s where the IT security department can step in to assist in central monitoring. As subject matter experts, we suggest IT take on the following responsibilities:
- Develop and update IT security policies: Use your experience to build policies that cover contractors. This policy work may also extend to covering procurement policies.
- Conduct security assessments on high-risk contractors: If you work with contractors who’ll have access to sensitive materials such as live customer data, then additional scrutiny may be necessary. For example, IT may want to provide an assessment of the contractor’s IT security protections to ensure it’s sufficient.
- Support internal audit activities: Your internal audit department may be stretched too thin to examine contractor risk. Therefore, we suggest that the IT department offer support in the form of reports and advice to cover this area of risk.
Reviewing that list of techniques, you might feel overwhelmed by the challenge. Fortunately, there’s another approach available: leveraging automation tools.
3. Use Tools to Systematize Oversight for Contractors
Several automation tools exist that you can use to get contractor security risk under control. Use all of them for the best results.
- Manage contractor user access as a group: By using Group Requester, you can avoid setting up each user manually. For instance, consider creating a user group for “standard contractors” and “technology contractors” where each user type has different access privileges.
- Empower contractors to get access support: If you have contractors in different time zones, it’s difficult to stay in touch with them. That’s one way the Apollo chatbot helps, as contractors and employees can submit access requests whenever they wish via Skype, Slack, and website. You get greater productivity from your contractors without compromising your security needs.
- Enforce better passwords: Imagine you’re a contractor. You’re working with multiple clients and have a lot on your plate. Coming up with unique passwords may not be a top priority, so you probably reuse them. To counter this tendency, you need to enforce a clear password policy and make it easy to request a new password. Use Password Management to make password management simple.
What to Do if You Lack the Necessary Tools to Monitor and Control Contractor IT Security
You might see the value in using software tools to manage this risk. However, your management team may not see the risk. In that situation, you’ll need to develop a business case to win support.
