Are internal contractors your weakest security link?
The freelancer economy is on the rise. According to the latest figures from the Office for National Statistics, the number of self-employed workers in the UK increased by 213,000 to 4.79 million in the three months to September 2016, and 15.1% of all people in work are self-employed.
These figures aren’t surprising. After all, we are seeing more and more people go down this route month after month. Contractors clearly play a valuable role in helping organisations to operate. However, it’s important for businesses to understand the risks that come with hiring contractors – and one such challenge is the threat to data security.
2015 was a year in which we saw several high-profile attacks because of contractor and employee oversights, or criminal activity by people working inside the organisation. And although organisations have spent considerable time and resource in protecting their perimeters, cyber criminals know the easiest way into an enterprise is through people employed directly or indirectly by the organisation.
This is a cause for concern, as revealed in NTT Security’s Risk:Value 2016 report, which found that 51% of business decision makers thought that contractors/temporary work staff were the weakest security link within the organisation.
Pre-employment screening is the bedrock of good personnel security. It verifies the credentials of individuals an organisation wants to grant access to its sites and information, and confirms that they meet the conditions of the employment offer. It goes without saying – verifying a person’s identity and the authenticity of their identity documents is a critical part of the recruitment process for contractors.
When it comes to onboarding contract staff, employers need to ensure the process is not overlooked or reserved for permanent workers alone. Some of the most important elements of a workplace culture are highlighted during onboarding programs and, if they are not part of the process, contractors are left without this valuable context and could become less effective and embedded in the team.
Once an organisation has screened and onboarded its temporary employees, it needs to carefully consider the systems it gives individuals access to (and what they can do with this access). In many cases, contractors are given the same access rights as other similar internal roles but without a review of the systems and applications they need to access to do the job they’ve been hired for.
Businesses must remember too that, at a global level, thousands of people leave their jobs each month, and many of them leave with the passwords to sensitive corporate applications and can log into their ex-employer’s accounts long after they have left.
And it doesn’t stop at the screening and onboarding process. The best defence against cyber attacks is a vigilant and well-informed workforce. Hackers know employees and contract staff are a weak link; they also know there is a lack of security awareness in many organisations. It is therefore crucial that organisations run security awareness programs to inform all employees, including contractors, about best practice – from mobile device security through to security awareness when travelling.
In summary, it’s crucial that organisations have greater resiliency by fully understanding their risk exposure and taking the recommended steps to plug the gaps. Processes, procedures and awareness are all essential ingredients for risk mitigation, along with the right technologies to help protect against and detect any malicious activity. Our 2015 Global Threat Intelligence Report highlighted the need for organisations to concentrate on getting the basic security measures right. Implementing the fundamentals that put risk in context is the foundation of any coherent and thorough response plan.
Organisations should also take advantage of the advances in data analytics and increased focus on anomaly detection. Developments in machine learning and advances in user behaviour analytics will help companies identify unusual behaviour that could indicate a compromise.
By Garry Sidaway, SVP Security Strategy and Alliances at NTT Security