For many organizations, working with contractors makes sense. You get extra help when it’s needed without paying for a full-time employee. You get access to deep expertise that you might not have (or need full time) in-house. You’re free to focus on business-critical projects without letting other tasks slip by the wayside. It’s no wonder that contractors make up 20-60% of the workforce at many companies.
As the working world quickly moves toward a more remote model that relies heavily on contractors and vendors, organizations need to think about how they manage these outside workers and what security measures are in place to protect data and corporate IP as more people touch it.
This is becoming increasingly clear as organizations realize that contractors can be a significant source of data breaches. Nearly 70% of companies can possibly or definitely link a data breach to third-party vendor access. With an average of 181 vendors accessing a single company’s network each week, the risk is daunting.
It’s time to revisit and strengthen security best practices for working with vendors and contractors. Before you start a new contract, ask these four key questions to ensure the proper controls are in place.
A contractor is usually hired for a specific task. That means they don’t need – and frankly shouldn’t have – access to the full range of data, documents and applications your full-time, in-house employees have.
While 66% of companies limit vendor access to only the systems and applications needed for the job, 34% admit to providing all-or-nothing access: contractors either have full access or none at all.
Before engaging a new contractor or vendor, outline their specific duties and the access they need to perform those tasks. Documenting this up front lets the IT team grant exactly that access and apply the necessary controls.
Create an action plan for how contractors will access the data they need. If your company largely uses cloud-based solutions, this can be as simple as issuing a restricted seat in your SaaS applications. If they’ll be accessing data on a larger network, consider creating a dedicated contractor role or persona that makes it easy to limit access and views.
Another consideration is that contractors will likely be using their own computers, so you have little control over their desktop environment. If you’re concerned that a contractor could expose your network to malware, or that an individual could maliciously save or distribute corporate data, consider providing virtual desktops for vendors and contractors. A virtual desktop can be reached from any internet-enabled device but runs in an isolated environment separate from the worker’s own system. That lets your in-house IT team create and manage roles, permissions and controls from a central location, regardless of where contractors are located, and golden images with predetermined security controls can be built for specific contractor use cases. Keep in mind that the isolation only holds if data cannot leave the virtual desktop, so clipboard, drive and printer redirection need to be restricted along with the permissions inside it.
You want to make sure contractors are doing the work they’re paid for, but you also want to make sure they’re not accessing or handling data in a way they shouldn’t. This is especially important for companies that must meet compliance standards designed to protect private information (such as HIPAA and PCI DSS). Something as simple as knowing when a contractor logged in is difficult for some organizations: only 34% of companies are completely confident they can track vendor log-ins on their network, and only 37% are confident they can track the actual number of vendors accessing corporate systems.
That information can be critical when tracing the root cause of a data breach. Before you grant contractors access to your network, be sure you have a method or technology in place to monitor their activity, and that the records it produces (who logged in, from where, to which system, and when) are retained long enough to support an investigation.
The point of contractors is that they are not full-time employees, meaning their contracts will come to an end, likely sooner rather than later. When a contractor is no longer doing work for your company, you need to be absolutely sure they no longer have access to your data. That means revoking credentials for all systems and applications. You also need a way to ensure the contractor hasn’t saved any of your data to their personal devices.
When a contract begins, thoroughly document every system the contractor has been given access to. When it ends, follow a documented action plan with deadlines so that you can be sure every one of those grants has been revoked in a timely manner, and verify the revocation against that list rather than relying on memory.
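The two checks described above, knowing when a contractor logged in and confirming that every documented grant is revoked when the contract ends, can be automated against an access register. The following script is an added example written for this page, not Dizzion’s code or any product feature. The register entries, the log lines, the `key=value` log format and the `c.` prefix for contractor accounts are all constructed assumptions; adapt them to your own directory and log sources.

```python
"""Contractor access register and login check (added example, constructed data).

Keeps a small register of what each contractor account was granted, checks
successful login events against it, and lists grants whose revocation is
overdue once the contract has ended.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

# Assumption: contractor accounts carry a "c." prefix so they can be told
# apart from in-house staff. Adapt to your own naming convention.
CONTRACTOR_PREFIX = "c."

# Constructed "today" for the report; use date.today() in practice.
TODAY = date(2019, 1, 7)


@dataclass(frozen=True)
class AccessGrant:
    """One documented grant: who, on which system, until when, and whether
    IT has confirmed the credential is disabled."""
    account: str
    system: str
    contract_end: date
    revoked: bool


# Constructed register: what each contractor was approved for at engagement.
ACCESS_REGISTER = [
    AccessGrant("c.vendor01", "vpn", date(2019, 1, 3), revoked=True),
    AccessGrant("c.vendor01", "crm", date(2019, 1, 3), revoked=False),
    AccessGrant("c.vendor02", "vdi", date(2019, 3, 31), revoked=False),
]

# Constructed login events in an assumed key=value format.
LOG_LINES = [
    "2019-01-07T09:12:44Z vpn login user=c.vendor02 src=203.0.113.7 result=success",
    "2019-01-07T10:02:10Z crm login user=c.vendor01 src=198.51.100.23 result=success",
    "2019-01-07T10:05:31Z crm login user=c.vendor03 src=198.51.100.9 result=success",
    "2019-01-07T11:47:02Z vpn login user=j.smith src=192.0.2.5 result=success",
    "2019-01-07T12:00:00Z vdi login user=c.vendor02 src=203.0.113.7 result=failure",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def overdue_revocations(register, today):
    """Grants whose contract has ended but whose credential is still live."""
    return [g for g in register if g.contract_end < today and not g.revoked]


def check_logins(lines, register):
    """Flag successful contractor logins that the register does not justify.

    Returns (kind, account, system) tuples, where kind is:
      "unregistered" - no documented grant for that account on that system
      "expired"      - a grant exists, but the login is after contract_end
    """
    grants = {(g.account, g.system): g for g in register}
    findings = []
    for line in lines:
        ev = parse_log_line(line)
        if ev is None or ev["result"] != "success":
            continue
        if not ev["user"].startswith(CONTRACTOR_PREFIX):
            continue  # in-house account; out of scope for this check
        grant = grants.get((ev["user"], ev["system"]))
        if grant is None:
            findings.append(("unregistered", ev["user"], ev["system"]))
        elif ev["ts"].date() > grant.contract_end:
            findings.append(("expired", ev["user"], ev["system"]))
    return findings


if __name__ == "__main__":
    for g in overdue_revocations(ACCESS_REGISTER, TODAY):
        print(f"OVERDUE: revoke {g.account} on {g.system} (ended {g.contract_end})")
    for kind, account, system in check_logins(LOG_LINES, ACCESS_REGISTER):
        print(f"ALERT ({kind}): {account} logged in to {system}")
```

On the constructed data the script reports one overdue revocation (c.vendor01 still has a live CRM credential four days after the contract ended) and three suspicious logins: a contractor using a system they were never documented for, a contractor logging in after their end date, and an account that appears in no register at all. The failed login and the in-house account are ignored. The useful property is that the same register drives both the monitoring and the offboarding check, so a grant that was never written down shows up as an alert the first time it is used.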
If you’re concerned about contractors saving your data, implement controls within the virtual desktop environment that prohibit actions like printing, screen capture, clipboard transfer and saving to external drives. This helps prevent data theft and lets you cut off access quickly by revoking the virtual desktop credentials alone.
With the average cost of a data breach topping $4 million, companies should be eager to plug any security holes. Right now, contractor and vendor access is a large hole that many organizations are ignoring: 66% of security professionals admit they probably trust their third-party vendors too much.
The rate of contract work is increasing (81% of companies have seen an increase in vendors in the past two years), so this risk is growing. If your company engages any outside workers, it’s important to understand the potential threat and plan accordingly. Don’t assume contractors and vendors can be treated like in-house employees. They need their own set of security controls to ensure data isn’t accidentally or intentionally exposed, leaving your company (not the third party) in the lurch.
Jan 08, 2019