It’s no understatement to say the past few years have been challenging from a workforce management perspective. COVID-19 presented companies with an unprecedented situation, which gave rise to the Great Resignation and quiet quitting. And just as the pandemic is finally in the rearview, political and economic uncertainty have many worried about a potential recession and widespread layoffs.
While there have been examples of the latter in the tech sector, overall the country’s jobless rate is near the lowest level in more than half a century. The coming months will determine whether the labor market will slow, but in the meantime, companies must find a way to deal with the productivity gaps introduced by these recent challenges.
Increasingly, organizations are looking to consultants and other external groups for help, but it’s imperative that they are cognizant of the security vulnerabilities that often accompany this approach. The following are common threat vectors hackers are only too eager to exploit:
Use of public or unsecure Wi-Fi
Freelancers and consultants tend to be fairly mobile, often working on the road, at a coffee shop or from an industry conference. It’s also relatively common for these individuals to rent office space or work from a shared collaborative workspace. Most, if not all, of these locations offer public or unsecured Wi-Fi, which can provide threat actors with an easy access point into an enterprise network should a consultant be utilizing the connection for business activities. Whenever possible, consultants should avoid using a public Wi-Fi network, but if they must do so, it’s essential that they utilize a VPN to access any sensitive corporate resources.
Mandating the use of a VPN is also a good security practice even if consultants are operating solely out of their home. Connected devices like smart TVs or baby monitors can introduce numerous vulnerabilities, and there is also the chance that other residents could unintentionally download malware on the home network.
“Keys to the kingdom” access
Companies must be cognizant of access permissions and ensure that external groups can only use systems and applications they need — and nothing more. Shadow IT can complicate this issue for many organizations, as various departments may be granting consultants access to systems without IT’s knowledge. That’s why companies should first take steps to mitigate shadow IT and educate department heads on the importance of having IT manage access permissions for external groups. It's also essential that organizations immediately cut off access after parting ways with a freelancer or consultant and periodically audit to confirm that no former contractors still have access permissions. Single sign-on (SSO) systems can help enterprises address these issues, as they make it much easier to globally disable access and control/audit what access employees and consultants have.
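The periodic audit described above can be run as a simple reconciliation between the contractor roster and each system's list of enabled accounts. The following is an added example, not part of the original article; the roster layout, system names and e-mail addresses are hypothetical, constructed sample data.

```python
from datetime import date

# Constructed sample data: contractor roster as HR or procurement would hold it,
# with the engagement end date and the systems IT approved for each person.
ROSTER = {
    "a.rivera@example-consulting.test": {"end": date(2024, 3, 31), "approved": {"sso", "wiki"}},
    "j.chen@example-freelance.test": {"end": date(2024, 12, 31), "approved": {"sso", "crm"}},
}

# Constructed sample data: enabled accounts exported from each system.
# "design-tool" stands in for a department-run (shadow IT) application.
ACCOUNTS = [
    ("sso", "a.rivera@example-consulting.test"),
    ("design-tool", "a.rivera@example-consulting.test"),
    ("sso", "j.chen@example-freelance.test"),
    ("crm", "j.chen@example-freelance.test"),
    ("design-tool", "j.chen@example-freelance.test"),
    ("wiki", "m.okafor@example-agency.test"),
]

def audit_external_access(roster, accounts, today):
    """Return sorted (system, user, reason) findings for external accounts."""
    findings = []
    for system, user in accounts:
        entry = roster.get(user)
        if entry is None:
            # Account exists, but nobody can tie it to a current engagement.
            findings.append((system, user, "no engagement on record"))
        elif entry["end"] < today:
            # Former contractor whose access was never cut off.
            findings.append((system, user, "engagement ended"))
        elif system not in entry["approved"]:
            # Active contractor with access granted outside IT's process.
            findings.append((system, user, "access not approved by IT"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_external_access(ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print(*finding, sep=" | ")
```

The audit only sees systems whose account lists are exported to it, which is why applications granted outside IT need to be brought into the inventory first.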
Poor password hygiene
Poor password practices such as selecting weak, easily guessable passwords and reusing them across multiple accounts are another vulnerability organizations must combat. Studies have documented that at least 71% of people engage in this security misstep, which is one of the reasons why credentials have enjoyed enduring popularity as a threat vector. Case in point, the most recent Verizon Data Breach Investigations Report found that over 80% of hacking incidents involved the use of stolen credentials. If just one of the sites associated with a reused password has been breached, then all other accounts secured by that password are at risk. Even more common is when users use variants of the same root password, with small changes, across multiple websites. These are just as problematic since an attacker can easily discern a pattern and fuzz through variants to find a match.
Addressing password hygiene is challenging enough in a traditional workplace setting, but it becomes even more difficult when companies are employing various consultants and other third parties. These individuals are more likely to use the same credentials across all client accounts and networks, making it imperative that enterprises implement a credential screening solution. By vetting passwords at every login against a database of exposed credentials, organizations can eliminate the threat of poor password practices, both among their employees and also among all external groups who have access to enterprise systems.
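A minimal sketch of screening a password at login follows, covering both an exact match against exposed credentials and the root-password variants mentioned earlier. It is an added example, not part of the original article and not any vendor's product; the exposed-password sample, the substitution table and all function names are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample of exposed passwords; a real deployment would use a
# maintained breach corpus, not an inline list.
EXPOSED_SAMPLE = ["summer2023", "P@ssw0rd", "acmeclient1"]

# Undo common character substitutions when reducing a password to its root.
SUBSTITUTIONS = str.maketrans("@4310$5!7", "aaeiossit")

def sha1_hex(text):
    # SHA-1 is used here only as a lookup key, never for password storage.
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def root_form(password):
    """Lowercase, drop trailing digits/symbols, then undo substitutions."""
    trimmed = re.sub(r"[^a-z]+$", "", password.lower())
    return trimmed.translate(SUBSTITUTIONS)

def build_index(values):
    """Map 5-character hash prefix -> set of remaining hash suffixes."""
    index = {}
    for value in values:
        digest = sha1_hex(value)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def in_index(index, value):
    # Only the prefix selects the bucket; the suffix is compared locally.
    digest = sha1_hex(value)
    return digest[5:] in index.get(digest[:5], set())

# The screening store holds hashes only, for exact passwords and for roots.
EXACT = build_index(EXPOSED_SAMPLE)
ROOTS = build_index(root_form(p) for p in EXPOSED_SAMPLE)

def screen_at_login(password):
    """Return 'exposed', 'variant', or 'ok' for a submitted password."""
    if in_index(EXACT, password):
        return "exposed"
    root = root_form(password)
    if root and in_index(ROOTS, root):
        return "variant"
    return "ok"

if __name__ == "__main__":
    for candidate in ["summer2023", "Summer2024!", "Passw0rd99", "tr4vel-Gnome-Quartz"]:
        print(candidate, "->", screen_at_login(candidate))
```

A result of "exposed" or "variant" would typically force a password change for that account, whether it belongs to an employee or an external user.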
With today’s workforce management challenges showing no sign of abating, companies are understandably eager to onboard contractors. But in their rush to get new talent up to speed, it’s essential that organizations don't overlook the unique security concerns that accompany this practice. Taking the time to ensure secure authentication will pay dividends, providing external groups with the appropriate access to corporate systems without leaving the company exposed to opportunistic hackers.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.