More and more organisations are employing outside contractors to do all kinds of work: supplementing their internal teams, adding talent in specialised areas and plugging gaps in expertise without the overheads of employing full-time staff. An estimated 2.8 million people worked in the UK’s “gig economy” over one year between 2017 and 2018, and economists expect this number to rise.
Given research from The Ponemon Institute finds that two-thirds of all insider threat incidents are caused by employee or third-party contractor mistakes, businesses need to step up and better understand the risks to their data from this trend.
Rise of freelancers and contractors
Outsourced specialist IT services are the norm for many companies, but many are also starting to rely on freelance cover for other business support services, like PR, marketing, accounting and HR. These third-party users don’t typically have “privileged access” to backend infrastructure or technical systems, but they can often access servers and cloud services that contain confidential files, such as customer data.
These freelancers and contractors are people whom organisations elect to give access to their systems, files and data, so they aren’t truly strangers. The risk is that they are also not likely to be following – or subjected to – the same cybersecurity policies as regular employees. It can be much more difficult to keep a watchful eye on them than on in-house staff. This is often due to the nature of the work being outsourced – contractors tend to use their own devices and work remotely – and to the limitations of a company’s security solution, which typically fails to track worker activities effectively.
Companies typically use identity and access management (IAM) and access governance solutions to implement remote access controls. While this prevention-based approach makes sense, it isn’t sufficient: once users with legitimate credentials have gained access, companies have little or no idea what they are doing, meaning that irregular or suspicious activity can go unnoticed.
In the same vein, traditional data loss prevention (DLP) tools are too data-centric to spot strange variations in user activity. They also require an extensive data classification process, which means an in-depth audit of all data and then fine-tuning of that classification architecture year after year, which isn’t naturally compatible with the short-term nature of gig economy work.
Unfortunately, even contractors with no nefarious or ulterior motive can still pose a great risk to an organisation. They can make mistakes, for example while deploying code, configuring systems, assigning user permissions or even moving files between teams, thereby reducing the performance of business-critical systems. Equally, they can become an easy way in for hackers. When an organisation’s internal systems are extensively accessible to remote partners, there is a dramatic increase in the risk that unauthorised users will exploit those access privileges to find an avenue into company servers, databases, control systems and other sensitive resources.
Training and guidance
Understanding how third-party contractors and suppliers gain access to company files and data, and how they subsequently use that access, is a crucial place to start when thinking about how best to secure systems. Secondly, organisations should make time to coach contractors on cybersecurity best practices, making sure organisational policies are fully understood. This should then be backed up by enforceable policies and appropriate technologies.
For instance, if an internal team is using a project management tool and needs to include a third-party contractor to perform work, a policy should be in place requiring that a separate account with separate permissions be created for that user. That way, the contractor can’t access what they shouldn’t, and their activity can be attributed to them individually – minimising the risk of the third party leaking data or misusing proprietary information.
Monitoring user activity
On top of this, businesses need to be able to see what each and every user is doing during every minute that they are logged on to an IT system. Establishing systems that give organisations visibility into this activity – alerting them in real time when sensitive files are accessed or changed, when login patterns vary, or when compliance policies are repeatedly contravened – is a game-changer for company data security.
Importantly, the records produced by this type of monitoring make investigations simpler and can play a key role in easing compliance too, helping to satisfy requirements such as those of PCI DSS and ISO 27001.
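To make the two ideas above concrete – a separate, attributable account per contractor, and real-time alerts on sensitive-file access, unusual login times and repeated policy breaches – here is a small detection routine run over constructed audit-log lines. It is an added illustration and not ObserveIT’s product code; the log format, the account naming, the sensitive path prefixes, the agreed working hours and the violation threshold are all assumptions.

```python
"""Alerting over contractor account activity (added example; constructed data).
Log line format (assumed): timestamp|account|account_type|event|detail"""
from collections import defaultdict
from datetime import datetime

SENSITIVE_PREFIXES = ("/srv/customer-data/", "/srv/finance/")  # assumed policy
POLICY_VIOLATION_LIMIT = 3   # third contravention raises an alert (assumed)
AGREED_HOURS = (8, 19)       # contractor login window, 08:00-19:00 (assumed)

# Constructed sample log: one contractor working late on customer data,
# one employee reading the same file, one contractor repeatedly tripping policy.
SAMPLE_LOG = """\
2019-03-04T09:12:00|pr-contractor-1|contractor|login|203.0.113.5
2019-03-04T09:30:00|pr-contractor-1|contractor|read|/srv/marketing/brief.docx
2019-03-04T23:41:00|pr-contractor-1|contractor|login|198.51.100.7
2019-03-04T23:45:00|pr-contractor-1|contractor|read|/srv/customer-data/export.csv
2019-03-04T10:02:00|alice|employee|read|/srv/customer-data/export.csv
2019-03-04T11:00:00|hr-contractor-2|contractor|policy_violation|usb_mass_storage
2019-03-04T11:05:00|hr-contractor-2|contractor|policy_violation|usb_mass_storage
2019-03-04T11:09:00|hr-contractor-2|contractor|policy_violation|usb_mass_storage
"""

def parse(log_text):
    """Split each pipe-delimited line into an event dict with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, account, kind, event, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "kind": kind, "event": event, "detail": detail})
    return events

def detect(events):
    """Return (account, reason) alerts for contractor accounts only; because each
    contractor has its own account, every alert is attributable to one person."""
    alerts, violations = [], defaultdict(int)
    for e in events:
        if e["kind"] != "contractor":
            continue
        if e["event"] == "login" and not AGREED_HOURS[0] <= e["ts"].hour < AGREED_HOURS[1]:
            alerts.append((e["account"], f"login outside agreed hours at {e['ts'].isoformat()}"))
        elif e["event"] == "read" and e["detail"].startswith(SENSITIVE_PREFIXES):
            alerts.append((e["account"], f"sensitive file accessed: {e['detail']}"))
        elif e["event"] == "policy_violation":
            violations[e["account"]] += 1
            if violations[e["account"]] == POLICY_VIOLATION_LIMIT:
                alerts.append((e["account"], f"repeated policy violations: {e['detail']}"))
    return alerts

if __name__ == "__main__":
    for account, reason in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {account}: {reason}")
```

Running it yields three alerts: the late-night login, the customer-data read that followed it, and the third USB policy breach; the employee’s read of the same file is out of scope for this contractor-focused rule.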
On a day-to-day level, when employees and contractors know their actions are being monitored and reviewed, they often become more accountable for those actions. Not only does this help build a culture of trust within the company, it also lets workers get on with their work and meet their obligations without worrying that they are putting their employer and their own jobs at risk.
Ultimately, whether a third-party vendor or contractor is focused on IT or business services, it’s critical to have a strong level of visibility into their user activity on your corporate systems. Without sophisticated user activity monitoring in place, the margin for error or risk of an insider threat is just too high to ignore.
Simon Sharp, International VP at ObserveIT