They say it takes a village, and this is certainly true in the modern workplace. As labor shortages have exploded across a wide range of industries, contractors and third parties are often used to fill the skill gaps within the organization. Using these resources can provide access to skills needed for a tactical role or to fulfill a complete organizational function (such as finance, legal, or IT support). In addition, freelance marketplaces, often referred to as the “gig economy,” have arisen to provide almost real-time access to external contract talent.

Fitting these contract resources neatly into your organization’s workflows requires them to have access to business-critical applications such as email, chat, collaboration, finance, and HR, among many others. The dilemma is that these same applications are often where organizations’ most precious and sensitive data are found, so they typically deploy a complex stack of technologies and processes, often requiring weeks or months of effort for a new contractor to begin their work. This process can be quite painful and costly for the organization, and runs counter to the near real-time gig economy, which promises speed and access to a wide range of talent. As recent research highlights, 51% of organizations have experienced a data breach due to a third party, making it evident that an evolved security approach to these situations is required.

“Whatever Gets Them Going Faster”: Unmanaged Third-Party Devices

More often than not, organizations allow third-party resources to leverage the devices provided by their firm or to use their own personal devices. The short-term benefits of this approach are pretty obvious: contractors onboard much faster when they’re working in a familiar environment, and the company saves the cost of licensing, building, and shipping a company-owned device set up by their likely overworked IT team. Contractors get to work quickly and for a fraction of the cost, or so it seems.

Unfortunately, these short-term advantages aren’t quite that simple. To work on their own unmanaged devices, contractors will need account credentials to log into the company’s existing systems, such as VPNs and business-critical applications. This access isn’t a one-time effort. It requires the ongoing and often tiresome work of provisioning and removing credentials as needed. Further, since the core operating system footprint of these devices is outside of the organization’s control, a compromise of one of them can hand an adversary the keys to the kingdom. As a result, having a third-party individual accessing sensitive information on an unmanaged device may leave the door wide open to cybersecurity risk. With the average cost of a data breach reaching $4.24 million in 2021, contractors on unmanaged devices may seem cost-effective but may create more risk than return.

Another tactic to protect the organization while a contractor is using an untrusted device is to leverage Virtual Desktop Infrastructure (VDI). VDI solutions stream a configured, virtual desktop to third-party contractors for use when they access an organization’s critical applications. With this solution, a contractor will use their personal device to log into the VDI systems, which present them with a fully managed desktop that the contractor can use to access the required applications. These VDI systems are not only complex and costly to administer and run, but they also necessitate the purchase of all the required operating system and application licenses for the virtual desktop, when quite often only a web browser is required for access. This costly and cumbersome solution is suboptimal for onboarding contractors in a timely and cost-effective manner.

“Just To Be Safe…”: Fully-Managed Contractor Devices

With these risks in mind, some organizations completely avoid them by shipping contractors a company-owned, pre-configured and managed device. Through this approach, organizations can feel confident their contract resources are accessing their apps and underlying sensitive data on a fully controlled device that enables them to see and govern all work-related activity.

But the trade-off is significant. Obtaining, preparing, and shipping these managed devices (especially at scale, when more than one contracted user is involved) is challenging and expensive. It can also take weeks or months before the device even arrives in the contractor’s hands, with even more time lost to setting up, troubleshooting, and adjusting to the device. As a result, it can be weeks or even months before a contractor is fully onboarded and productive. And in some cases, waiting a few weeks or months is not an option. For example, if a contracted consultant is brought on board in an emergency to remedy a critical internal system outage, access to critical application areas may be required immediately. Waiting too long to start working could lead to loss of revenue or other negative impacts.

Contractor Access Can Be a Crack in the Armor, but Chief Information Security Officers (CISOs) Can Protect It

Unfortunately, the challenges don’t end once an organization chooses a contractor access approach. Whether they opt to ship a fully-managed device or choose to allow these users to employ their own hardware, having an external resource accessing business-critical apps and company data creates a wealth of new cybersecurity risks.

Consider the myriad cyberattacks in the news within the past few years. Often, the breach originated from third-party vendors and contractors. The uncomfortable truth is that any time a new external user has access to a company’s critical data, there is the inherent risk that they will become the next attack vector. 

But third-party contractors are an integral part of any organization’s labor ecosystem, one that they cannot afford to simply remove. It’s up to CISOs and their teams to ensure these parties are working securely and productively, regardless of their device. This requires a comprehensive approach that allows contractors to get to work quickly, empowering them to become a productive solution, not a costly problem. This strategy should include:

  • Access Simplicity: Providing contractor access to critical applications should require minutes of effort, not months or weeks of costly provisioning work. In addition, access should require no training for the contractor beyond a simple URL and credential to the resources they need to perform their duties.
  • Deep Forensic Auditability: The organization’s cybersecurity team should have deep visibility into how and when their third-party users are accessing their system. This should include interactions with any aspects of applications, even down to forensic screenshots of critical application areas. The granular visibility provided by deep audit logging should provide assurance that these users are interacting with the company’s data and applications appropriately and safely while remaining productive in the process.
  • Last Mile Control: Cybersecurity teams require advanced controls at the point where users actually interact with the applications to ensure all users, including contractors, are working with critical application data appropriately. This includes controlling copy/paste actions, file downloads, screenshots, printing, and saving content, among others. Such controls should not impede user work; rather, they should ensure users can work in their fluid, natural way across applications.
  • Flexible Application Workflows: Organizations may have unique use cases requiring security measures or productivity workflows that are specific to their needs. Capabilities should exist to easily assert new business logic (such as two-factor authentication) without requiring underlying application modification. This is particularly important for internal legacy applications, where application changes are often frowned upon.
  • Centralized Governing Policy: Centralized management should allow cybersecurity teams to easily define a breadth of policies per user, device, application, network and location, ensuring contractors only have access to what they need and do not inadvertently put company data at risk.

Solving the Contractor Device Dilemma Once and For All

Contractors and third-party resources have become many organizations’ not-so-secret weapons by opening up additional avenues to access much-needed talent. They allow organizations to stay competitive without adding to or overburdening their existing headcount, making them an indispensable part of the modern workplace. But they also bring a wide variety of unique challenges. With a modern approach to governing contractor access, CISOs can safely embrace this strategy while simultaneously simplifying and reducing the cost of the entire effort, which is a win for everyone.