Insider threats are often discussed in terms of employees within an organisation, typically those with privileged access to vital systems, files, and data. However, the reality is that third-party contractors and vendors are also a significant potential insider threat.
In fact, according to NPR/Marist poll data, 1 out of every 5 people identifies as being part of the “contractor work force.” This indicates that around 20% of people do not have traditional full-time employment at any one company, instead hopping around from project to project or client to client. That’s a pretty substantial number considering that much of that work is B2B in nature, and often requires shared access to systems, files, and data.
In this week’s “Coachable Moments” post, we’re taking an introductory look at how you can address the strangers in your servers (i.e., your third-party contractors). For a more complete breakdown, reserve your copy of our upcoming “Strangers in Your Servers: How to Make Third-Party Work More Secure” whitepaper.
Who Are These Strangers in Your Servers?
The people you give access to your organisational systems, files, and data aren’t truly strangers – but it is certainly more difficult to keep a watchful eye on them than on your employees. This is often due to the nature of the work being outsourced, non-ownership of the devices used, and physical location.
For instance, a great deal of the B2B work performed by third-party contractors falls into the following categories:
- Legal
- Business Strategy
- Accounting
- Design
- Marketing
- Public Relations
- HR
- Call Centers
- Sales
- Real Estate
If we were to cherry-pick two examples, say marketing and sales, we might learn a lot about how much access is truly being given away without hesitation. For instance:
- Marketing: website and social media account access, product information, screenshots and copy, sales and marketing database access, etc.
- Sales: product information, sales database access, value of deals, contact details, etc.
What Can Be Done About Contractor Risk
There are ways that teams can minimise the risk of a third-party insider threat incident, particularly data leaks or misuse of proprietary data. But it all starts by obtaining visibility, establishing effective processes, and communicating them to the right people.
Tools like Proofpoint’s insider threat management software can help give additional insight into third-party contractor user activity, triggering alerts and notifications based on your own policy rules and exceptions, and providing teams with comprehensive historical data to determine the intent and root cause of any potential incidents that occur. It can also force user identification for accessing universal accounts (e.g., stating your name when accessing a generic account) and take user privacy into account with data anonymisation.
These tools, aligned with the right people and processes, can help ensure that third-party contractors are only doing what they need to be doing with access to your systems, files, and data.
Communicating Policies
As always, communication is key to your success.
Understanding how your third-party contractors and vendors might gain and subsequently use access to organisational systems, files, and data is crucial, but coaching them on cybersecurity best practices or your organisational policies is a separate task.
For instance, if an internal team is using a project management tool and needs to include a third-party contractor to perform work, a policy should be in place recommending that a separate account with separate permissions be created for that user. That way, they can’t access what they shouldn’t, and their activity can be better attributed to them.
This is an employee-based problem and solution.
On the flip side, if the external contractor then receives said account, they need to understand what is expected of them to keep the systems, files, and data secure. For example, they might limit use of the account to one responsible, identifiable user. Or, they might want to refrain from storing proprietary project files and data outside of the project management tool.
This is an employee-based communication solution, followed by a third-party contractor process. In other words, it’s a total team effort!
Key Third-Party Insider Threat Takeaways
With more and more contractors comprising the workforce, and more and more B2B organisations relying on contractors for help, now is the time to start managing this potential insider threat.
By requiring access identification for entry to key systems, files, and data, monitoring third-party user activity, and communicating organisational cybersecurity policies, your team can effectively minimise the risk of a data loss or misuse incident.
Reserve the "Strangers in Your Servers" Whitepaper
If you liked this Coachable Moment, reserve your copy of our upcoming “Strangers in Your Servers: How to Make Third-Party Work More Secure” whitepaper. Once it is ready, we’ll send it directly to your inbox!