According to a recent report from consulting firm North Highland and the Economist Intelligence Unit, gig workers comprise upwards of 20% of the workforce at more than half of US and UK companies. And, more than 60% of companies say their contract workforce will grow even larger in the next five years. While these third-party workers can help an organization quickly scale up resources and expertise, they can also increase insider threat risks if left unchecked.
Insider threat statistics show that two out of three incidents are caused by employee or contractor mistakes. Often third-party workers are given the same level of systems access as internal employees, without receiving adequate training or preparation on security policies and best-practices. As a result, simple mistakes can add up to unintentional data leakage and reputational risk for the organization.
Here are some tips on how to manage a contract workforce to prevent insider threats.
Provide Security Onboarding for Contractors
Organizations often take great care to onboard employees with the proper security training before they start on the job. Even though third-party workers aren’t present in the office, they still have access to the same (or sometimes even more!) systems and data as employees. As a result, contractors need to have a solid understanding of security policy, and be trained in similar ways to employees.
Compliance regulations like SOC 2 and GDPR are forcing the issue of security with many companies that hire a large contract workforce. While it can be hard for security teams to scale to train each individual contract worker, eLearning or video training courses can walk them through the expected protocol and proper use of corporate systems. These training courses often require a digital signature upon completion, so organizations can keep updated records of which contractors have completed their assigned tasks.
Enforce Security Policies for Third-Party Workers
After the initial onboarding, it’s important for organizations to continue to enforce security best-practices with contract workers. For example, simple multi-factor authentication (MFA) is an account security measure few people follow today. A study from Duo Security found that less than one-third of Americans are using MFA, while a Google engineer recently revealed that fewer than 10% of Gmail accounts enabled MFA.
Many people don’t know about MFA, have false confidence in the security of their passwords, or simply bypass this extra measure if they consider it time-consuming or inconvenient. Enforcing the use of a physical security key is one solution that can provide confidence that contractors (and employees) are actually using MFA in practice.
Organizations can take many other simple measures to ensure that their data and corporate systems are safe. For example, if employees are required to use certain whitelisted technologies, the contract workforce should follow the same guidance. Security teams must help contractors understand that certain file-sharing or blacklisted sites can put the organization at unnecessary risk for data exfiltration.
Be Proactive About Insider Threat Management
Often, organizations don’t find out about potential third-party insider threat incidents until it’s too late. A proactive insider threat management strategy could help organizations improve their detection and speed up their investigation processes. It all starts with a dedicated insider threat plan, with a clearly defined set of stakeholders spanning security, HR and legal teams.
Pairing this strategy with an insider threat management platform like ObserveIT can help teams gain much-needed context into a potential incident. Without this context, it can be difficult for security teams to follow the trail backwards from an alert to a third-party contractor’s specific user activity. ObserveIT combines user and data activity monitoring to give security teams a complete picture of who did what, and when.
A combination of cybersecurity awareness, proactive strategy, and insider threat management tools can protect the organization from insider threat risks of a growing third-party workforce. Contract work is showing no signs of slowing down, so security processes must keep pace with evolving workplace trends.