If one were to build a Venn diagram comparing the onboarding, educating, supervising, and offboarding of staff versus contract workers, the areas of difference might offer a surprise. In this case, surprises aren’t what a CISO wants to encounter. Thus, such a diagram, as part of an insider risk management program, highlights the delta between the two types of workers and how each is handled.
The concept of core and context when it comes to separating the duties of the full-time-equivalent workforce into staff and independent contractors has long been an ongoing challenge for every enterprise and small- to medium-sized business. Add to the mix the contracted service offerings — for example, a managed security service provider — and entities find themselves handing the keys to the kingdom over to a third party to handle tasks at hand. On top of that, the past two-plus years have caused many an entity to undergo a momentous change to how employees/independent contractors engage, with a noted influx in the remote work option.
Rob Juncker, CTO at Code42, shared areas where the independent contractor/third-party vendor could be putting your company at greater risk than necessary.
Delta between staff and independent contractor administrative handling
The questions to ask are: “Is there a difference between how your entity onboards staff employees and contractors, or the individuals working for contracted vendors? To whom are you providing staff-like access to company infrastructure and, by extension, to intellectual property?”
The staff employee’s onboarding typically follows a formal process that often begins before they walk through the front door. The process may involve human resources, finance, information technology, and management. Papers are signed, ranging from non-disclosure agreements (NDAs) and intellectual property declarations to payroll and tax forms. Additionally, the employee may be issued company devices or have their own devices provisioned. When the employee departs, a 90-day review of their network activities is conducted, attestations regarding the return of devices and intellectual property are signed, and an out-brief is conducted.
Employees have a sense of belonging and ownership. The independent contractor may be a member of the team, but they are a different type of member. They aren’t receiving the same benefits and perks the employee receives. Company culture may embrace the independent contractor, though far more often it does not. Within these differences, we find the buy-in from the independent contractor is by its nature different: It is a gig.
Independent contractors can leak sensitive data into and out of an organization
On the plus side, the independent contractor team may bring infosec practices to your team that, if implemented, could enhance your security footprint. On the negative side, the independent contractor may bring horrible cyber hygiene practices and devices that have been in and out of a plethora of entities as they moved from one engagement to the next.
Then we have the specialist who comes to you because they have that unique knowledge/skillset which when infused will make a product sing or a process hum along smoothly. That expertise equates to enhanced access, sometimes far more access than may be afforded to employees.
All this highlights the ample opportunity for another entity’s intellectual property to be infiltrated into your environment, either accidentally or on purpose. Similarly, when the engagement terminates, and the independent contractor departs for their next opportunity, are they leaving with their work product in their possession? Was all the company information clawed back from their devices and storage? Was their access terminated? It is no secret that most insider theft occurs as an individual is preparing to walk out the door.
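The two departure checks described above, an access reconciliation for contractors whose engagement has ended and the 90-day pre-departure activity review, as an added example that is not from the article or from Code42; the roster, account export, log lines and destination labels are all constructed and hypothetical.

```python
from datetime import date, datetime, timedelta

# Constructed sample data (hypothetical): contractor roster with engagement
# end dates, an identity-provider account export, and activity log lines.
ROSTER = {
    "c.nguyen": date(2024, 3, 31),  # engagement ended, account never disabled
    "a.ortiz": date(2024, 6, 30),   # still engaged on the review date
    "m.kaur": None,                 # onboarded with no end date recorded
}
ACCOUNTS = {
    "c.nguyen": {"enabled": True, "groups": ["vpn", "source-repo"]},
    "a.ortiz": {"enabled": True, "groups": ["vpn"]},
    "m.kaur": {"enabled": True, "groups": ["vpn", "prod-admin"]},
}
ACTIVITY_LOG = """\
2024-03-10T09:12:00 c.nguyen upload cloud:personal-drive 524288000
2024-03-12T18:40:00 c.nguyen copy usb:removable 2147483648
2024-02-01T10:00:00 a.ortiz download source-repo 1048576
2024-03-20T11:00:00 a.ortiz upload cloud:corp-share 4096
"""
REVIEW_DATE = date(2024, 5, 1)
REVIEW_WINDOW = timedelta(days=90)     # the 90-day departure review period
EXTERNAL = ("cloud:personal", "usb:")  # destinations outside company control

def stale_access(roster, accounts, today):
    """Contractor accounts that should already be disabled: past their end date but still enabled, or with no end date at all."""
    findings = []
    for user, end in roster.items():
        acct = accounts.get(user)
        if not acct or not acct["enabled"]:
            continue
        if end is None:
            findings.append((user, "no engagement end date", acct["groups"]))
        elif end < today:
            findings.append((user, f"enabled {(today - end).days}d past end date", acct["groups"]))
    return findings

def departure_review(roster, log):
    """Transfers to external destinations by a contractor within the 90 days before their engagement end."""
    hits = []
    for line in log.splitlines():
        ts, user, action, dest, size = line.split()
        end = roster.get(user)
        if end is None:
            continue  # no end date recorded: nothing to anchor the window to
        when = datetime.fromisoformat(ts).date()
        if end - REVIEW_WINDOW <= when <= end and dest.startswith(EXTERNAL):
            hits.append((user, action, dest, int(size)))
    return hits
```

A contractor with no recorded end date is reported as a finding in its own right, since the review window cannot be computed for them.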
Build trust anchors with independent contractors
The solution requires “trust anchors,” according to Juncker, and lies within what he characterized as the “Three E’s”:
- Expertise: The contractor is bringing expertise to the table. While they may not be staff, their input is instrumental to success. Buy-in to both the culture and success of the company must be encouraged.
- Enforcement: Managing expectations is fundamental, especially when it comes to enforcement. The day-to-day interaction is a key component, but so is the ability to confirm, when employees and independent contractors depart, that they aren’t leaving with your intellectual property. Similarly, when a third-party vendor provides a solution and asserts that its employees are vetted, make sure you have the means of verifying that vetting process and that the solution operates as advertised. More than one entity has been compromised with one of its contracted vendors providing the gateway.
- Education: Investing in staff employee education with respect to infosec and internal processes and procedures may be a continuous, employee-lifecycle engagement, with initial, remedial, and reinforcement training depending on the length of the contract. The independent contractor may be touched but once with an opportunity to educate. Make it count.
Juncker concluded our discussion with the spot-on observation, “Controls used for staff employees should be amplified when it comes to the contractor workforce, to above and beyond that used for staff.”