Contractors don’t have to increase your risk profile

How CISOs can extend the enterprise with secure third-party access

By Michael Fey

Image by vectorpouch via Freepik

June 27, 2022

They say it takes a village, and this is certainly true in the modern workplace. As labor shortages have exploded across a wide range of industries, contractors and third parties are often used to fill the skill gaps within the organization. Using these resources can provide access to skills needed for a tactical role or to fulfill a complete organizational function (such as finance, legal, or IT support). In addition, freelance marketplaces, often referred to as the “gig economy,” have arisen to provide almost real-time access to external contract talent.


Fitting these contract resources neatly into your organization’s workflows requires them to have access to business-critical applications such as email, chat, collaboration, finance, and HR, among many others. The dilemma is that these same applications are often where an organization’s most precious and sensitive data are found, so organizations typically deploy a complex stack of technologies and processes, often requiring weeks or months of effort before a new contractor can begin work. This process can be quite painful and costly for the organization, and runs counter to the near real-time gig economy, which promises speed and access to a wide range of talent. As recent research highlights, 51% of organizations have experienced a data breach due to a third party, making it evident that an evolved security approach to these situations is required.


“Whatever Gets Them Going Faster” — Unmanaged Third-Party Devices

More often than not, organizations allow third-party resources to use the devices provided by their own firm or their personal devices. The short-term benefits of this avenue are pretty obvious: contractors onboard much faster when they’re working in a familiar environment, and the company saves the cost of licensing, building, and shipping a company-owned device set up by its — likely overworked — IT team. Contractors get to work quickly and for a fraction of the cost — or so it seems.


Unfortunately, these short-term advantages aren’t quite that simple. To work on their own unmanaged devices, contractors need account credentials to log into the company’s existing systems, such as VPNs, and business-critical applications. This access isn’t a one-time effort; it requires the ongoing and often tiresome work of provisioning and removing credentials as needed. Further, since the device’s operating system is outside the organization’s control, a compromise of that device can hand the keys to the kingdom to an adversary. As a result, a third-party individual accessing sensitive information on an unmanaged device may leave the door wide open to cybersecurity risk. With the average cost of a data breach reaching $4.24 million in 2021, contractors on unmanaged devices may seem cost effective but may create more risk than return.


Another tactic for protecting the organization while a contractor is using an untrusted device is Virtual Desktop Infrastructure (VDI). VDI solutions stream a configured virtual desktop to third-party contractors for use when they access an organization’s critical applications. With this solution, a contractor uses their personal device to log into the VDI system, which presents them with a fully managed desktop from which they access the required applications. These VDI systems are not only complex and costly to administer and run, but they also necessitate purchasing all the operating system and application licenses required for the virtual desktop, when quite often only a web browser is needed for access. This costly and cumbersome solution is suboptimal for onboarding contractors in a timely and cost-effective manner.


“Just To Be Safe…” — Fully-Managed Contractor Devices

With these risks in mind, some organizations avoid them entirely by shipping contractors a company-owned, pre-configured and managed device. Through this approach, organizations can feel confident their contract resources are accessing their apps and underlying sensitive data on a fully controlled device, one that lets the organization see and govern all work-related activity.


But the trade-off is significant. Obtaining, preparing, and shipping these managed devices — especially at scale, when more than one contracted user is involved — is challenging and expensive. It can also take weeks or months before the device even arrives in the contractor’s hands, with even more time lost setting up, troubleshooting and adjusting to the device. As a result, it can be weeks or even months before a contractor is fully onboarded and productive. And in some cases, waiting a few weeks or months is not an option. For example, if a contracted consultant is brought on board in an emergency to remedy a critical internal system outage, access to critical application areas may be required immediately. Waiting too long to start working could lead to loss of revenue or other negative impacts.


Contractor Access Can Be a Crack in the Armor, but Chief Information Security Officers (CISOs) Can Protect It

Unfortunately, the challenges don’t end once an organization chooses a contractor access approach. Whether they opt to ship a fully-managed device or choose to allow these users to employ their own hardware, having an external resource accessing business-critical apps and company data creates a wealth of new cybersecurity risks.


Consider the myriad cyberattacks in the news within the past few years. Often, the breach originated with third-party vendors and contractors. The uncomfortable truth is that any time a new external user has access to a company’s critical data, there is the inherent risk that they will become the next attack vector.


But third-party contractors are an integral part of any organization’s labor ecosystem, one that they cannot afford to simply remove. It’s up to CISOs and their teams to ensure these parties are working securely and productively, regardless of their device. This requires a comprehensive approach that allows contractors to get to work quickly, empowering them to become a productive solution, not a costly problem. This strategy should include:


  • Access Simplicity: Giving a contractor access to critical applications should take minutes of effort rather than weeks or months of costly provisioning work. In addition, access should require no training for the contractor beyond a simple URL and a credential for the resources they need to perform their duties.
  • Deep Forensic Auditability: The organization’s cybersecurity team should have deep visibility into how and when third-party users access its systems. This should cover interactions with any part of an application, even down to forensic screenshots of critical application areas. The granular visibility provided by deep audit logging should give assurance that contractors are interacting with the company’s data and applications appropriately and safely while remaining productive.
  • Last Mile Control: Cybersecurity teams require advanced controls at the point where users actually interact with applications, to ensure all users, including contractors, handle critical application data appropriately. This includes controlling copy/paste actions, file downloads, screenshots, printing, and saving content, among others. Such controls should not impede user work; rather, they should let users work in their fluid, natural way across applications.
  • Flexible Application Workflows: Organizations may have unique use cases requiring security measures or productivity workflows specific to their needs. It should be easy to assert new business logic (such as two-factor authentication) without modifying the underlying application. This is particularly important for internal legacy applications, where application changes are often frowned upon.
  • Centralized Governing Policy: Centralized management should allow cybersecurity teams to easily define a breadth of policies per user, device, application, network and location, ensuring contractors have access only to what they need and do not inadvertently put company data at risk.
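As an added illustration, not code from the article or from any product, here is a small Python policy check that ties together the last-mile controls, the step-up two-factor requirement and the centralized per-user/device/app/network/location policy listed above, writing one audit record per decision. The roles, applications, countries and rules are hypothetical; unlisted combinations are denied by default.

```python
from dataclasses import dataclass, field
import json

LAST_MILE = ("clipboard", "download", "screenshot", "print", "save")

@dataclass
class Request:
    user: str
    role: str
    app: str
    device_managed: bool
    network: str       # "corp" or "external"
    country: str

@dataclass
class Decision:
    allow: bool
    reason: str
    step_up_mfa: bool = False
    controls: dict = field(default_factory=lambda: {c: False for c in LAST_MILE})

# Hypothetical central policy: per contractor role, the apps it may reach and the
# last-mile actions permitted there on a managed device. Anything unlisted is denied.
CONTRACTOR_POLICY = {
    "it-support": {"ticketing": {"clipboard", "download"}, "chat": {"clipboard"}},
    "finance":    {"erp": {"print"}, "chat": {"clipboard"}},
}
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
# Actions that move data onto a disk the organization does not control.
UNMANAGED_STRIP = {"download", "save", "print"}
AUDIT_LOG: list[str] = []   # one JSON line per decision, kept for forensic review

def evaluate(req: Request) -> Decision:
    apps = CONTRACTOR_POLICY.get(req.role, {})
    if req.app not in apps:
        dec = Decision(False, "no policy grants this role access to this app")
    elif req.country not in ALLOWED_COUNTRIES:
        dec = Decision(False, f"location {req.country} not permitted")
    else:
        enabled = set(apps[req.app]) - {"screenshot"}   # never for contractors
        if not req.device_managed:
            enabled -= UNMANAGED_STRIP
        # Step-up 2FA is asserted here, not inside the (possibly legacy) application.
        dec = Decision(True, "granted",
                       step_up_mfa=not req.device_managed or req.network != "corp",
                       controls={c: c in enabled for c in LAST_MILE})
    AUDIT_LOG.append(json.dumps({**req.__dict__, "allow": dec.allow,
                                 "reason": dec.reason, "mfa": dec.step_up_mfa,
                                 "controls": dec.controls}))
    return dec
```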


Solving the Contractor Device Dilemma Once and For All

Contractors and third-party resources have become many organizations’ not-so-secret weapons by opening up additional avenues to access much-needed talent. They allow organizations to stay competitive without adding to or overburdening their existing headcount, making them an indispensable part of the modern workplace. But they also bring a wide variety of unique challenges. With a modern approach to governing contractor access, CISOs can safely embrace this strategy while simultaneously simplifying and reducing the cost of the entire effort, which is a win for everyone.

KEYWORDS: Chief Information Security Officer (CISO), cyber security, data breach, data protection, risk management, third-party risk


Michael Fey leads Island as Co-Founder and CEO, relying on his extensive experience in cybersecurity, enterprise software and cloud technology. Previously, he served at D2iQ (formerly Mesosphere), as president and COO at Symantec and as president and COO of Blue Coat, and has also been executive vice president and general manager for enterprise products at McAfee and chief technology officer of Intel Security. Fey holds a degree in Engineering Physics and Mathematics from Embry-Riddle Aeronautical University. He is an author of Security Battleground: An Executive Field Manual, which gives guidance to executives with no formal background in security and technology.
