BreachExchange mailing list archives

Data breach alert: the rising threat of contractors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Jul 2015 12:58:17 -0600

http://www.scmagazineuk.com/data-breach-alert-the-rising-threat-of-contractors/article/426866/

The Snowden debacle shed light on what contractors with high-level or
far-reaching access rights are capable of if that access is not closely
monitored. But it's not just high-profile organisations like the National
Security Agency (NSA) that are at risk from insider attack by contractors.
Research from PwC has revealed that contractors account for 18 percent of
the most serious breaches in UK firms of varying sizes. Clearly, this
problem is widespread.

According to analysis from CareerBuilder, nearly three million people are
employed in temporary contract jobs today, and that number continues to
rise. While these arrangements provide businesses with a competitive edge
and flexibility to expand and contract their workforce as needed, there are
associated IT risks. These can, if not handled properly, outweigh the
benefits. Businesses must be smart about protecting against the potential
risks that contractors bring into the virtual workplace. Compliance
regulations increasingly expect that contractors be subject to the same IT
controls and safeguards as every other employee.

A breach by a third party can have ramifications on data security and on
the overall brand. While the responsibility for a third-party contractor
can be a grey area – especially if contracted through a service provider or
vendor – an organisation is always responsible for managing and monitoring
who has access to its systems.

That makes it imperative for organisations to pay attention to contractors,
but the reality is it's no easy task. What makes this area of data security
such a challenge is finding the right balance between limiting risk and
opening up access to sensitive applications and data that a contractor
needs to perform their job.

Unfortunately, there is no silver bullet solution to this problem, but if
companies take a layered approach that includes awareness and education
alongside preventive and detective controls they will be much more secure.

First and foremost, companies need to be explicit about their policies in
this area and clearly define what is considered 'illegal' use of
proprietary data.

At the same time, companies need to proactively monitor and manage
contractors' access privileges, with the goal of limiting access to only
what is required. Identity and access management (IAM) plays a critical
role in helping companies ensure that access privileges are appropriate and
conform to policy, including:

- Centralise visibility. Continuously and actively review what information
contractors have access to in order to make sure it's appropriate for the
work they are doing. This is achieved by implementing a system that allows
for centralised visibility into contractors' access within the
infrastructure.
- Incorporate a risk-based approach. Contractors pose a higher security
risk to the network because they don't have the same relationship as a
long-term employee. Create an identity risk model to better understand
where the hotspots are. Details such as whether this contractor is working
with a competitor are critical.
- Tie termination of access to the contract end date. Close the loop once
the consultant leaves. Put an automated process in place to terminate all
access just as you would for an employee. During the on-boarding process
for new contractors, capture the length and nature of the contract so that
access expires automatically. This is often easier said than done, because
organisations rarely have a centralised process for contractors. One
workaround for that is to assign an accounts payable person as an access
reviewer.
- Aggressively clean up contractor access. Upon termination of a contract,
simply severing network access isn't enough. It is critical to also ensure
that the organisation cleans up the access environment at the individual
application and entitlement level that the contractor was given. Often an
organisation will continuously reuse certain contractors who can quickly
rack up the number of access points over the years. Because of this,
contractor access should be certified every 90 days.
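The four controls above describe one procedure: record the contract end date at on-boarding, expire the login automatically when it passes, strip every application-level entitlement rather than just network access, and recertify anything still live every 90 days. The following is an added illustration of that procedure as a review job, not code from the article or from any IAM product; the account records, usernames, entitlement names, the "accounts-payable" fallback reviewer and the review date are all constructed for the example.

```python
"""Contractor access review: expire at contract end, revoke entitlements,
and enforce 90-day recertification.

Added example; the records below are constructed, not from a real directory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

RECERT_INTERVAL = timedelta(days=90)   # certify contractor access every 90 days
TODAY = date(2015, 7, 17)              # review date used by the sample run (constructed)


@dataclass
class ContractorAccount:
    username: str
    contract_end: date                   # captured at on-boarding so expiry is automatic
    entitlements: Set[str]               # per-application grants, not just "network access"
    last_certified: Optional[date] = None  # None: never reviewed
    reviewer: str = "accounts-payable"   # hypothetical fallback reviewer when no owner exists
    disabled: bool = False


def review_contractor(acct: ContractorAccount, today: date) -> List[str]:
    """Return the actions a governance job should take for one account."""
    actions: List[str] = []
    if today > acct.contract_end:
        # Contract is over: disable the login AND revoke every entitlement.
        # A merely disabled account can be re-enabled later with grants intact.
        if not acct.disabled:
            actions.append("disable")
        actions.extend(f"revoke {e}" for e in sorted(acct.entitlements))
        return actions
    # Still under contract: flag for recertification if never certified or
    # if the last certification is 90 or more days old.
    if acct.last_certified is None or today - acct.last_certified >= RECERT_INTERVAL:
        actions.append(f"recertify by {acct.reviewer}")
    return actions


def review_all(accounts: List[ContractorAccount], today: date) -> Dict[str, List[str]]:
    """Run the review over every contractor account."""
    return {a.username: review_contractor(a, today) for a in accounts}


def apply_actions(acct: ContractorAccount, actions: List[str]) -> ContractorAccount:
    """Apply decisions to the record (stand-in for directory and app API calls)."""
    for act in actions:
        if act == "disable":
            acct.disabled = True
        elif act.startswith("revoke "):
            acct.entitlements.discard(act[len("revoke "):])
    return acct


# Constructed sample: one current account, one expired, one overdue, one never certified.
SAMPLE_ACCOUNTS = [
    ContractorAccount("c.alice", date(2015, 9, 30), {"vpn", "git:repo-a"},
                      last_certified=date(2015, 6, 1)),
    ContractorAccount("c.bob", date(2015, 6, 30), {"vpn", "sap:ap-reader", "share:finance"},
                      last_certified=date(2015, 3, 1)),
    ContractorAccount("c.carol", date(2016, 1, 31), {"vpn"},
                      last_certified=date(2015, 4, 1), reviewer="j.smith"),
    ContractorAccount("c.dave", date(2015, 12, 31), {"vpn", "db:reports-ro"}),
]

if __name__ == "__main__":
    for user, acts in review_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {acts or ['ok']}")
```

Running it against the sample flags c.bob for disablement plus three revocations, c.carol and c.dave for recertification, and leaves c.alice alone; running the review again after `apply_actions` on c.bob yields no further actions, so the job is safe to schedule repeatedly.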

As the economy continues to get stronger and businesses benefit from
contract workers, the issue of unmonitored access for third-party workers
will only escalate. Organisations that implement good IAM strategies
incorporating contractors as part of their overall governance strategies
can protect themselves from past, present and future threats. Those that
don't heed this advice put themselves and their business at incredible risk.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 