The use of contract labor – commonly referred to as the “gig economy” – isn’t going away. In fact, it’s growing. Researchers estimate that 78 million workers will participate in the workforce as contract workers by 2023, up from 43 million in 2018 – more contract workers than ever before. It’s easy to see why they’re appealing to organizations that value flexibility, but they can also create security issues. Government entities need to understand the potential risk of working with contracted vendors and with companies that are overly dependent on third-party workers.
Third Party Access Issues
Not so long ago, supplier risk management involved asking a supplier to complete a Standardized Information Gathering (SIG) questionnaire, ensuring that the supplier agreed to certain contractual terms regarding security and risk, and possibly updating the questionnaire on an annual basis. But in recent years, high-profile breaches at companies like Target, Marriott, and even the Red Cross have stemmed from security incidents involving third-party workers. These breaches have drawn attention to the need to assess more carefully the security of third parties who have access to sensitive employee data in private and public sector entities.
Unfortunately, third-party access often falls through the cracks. In many organizations, HR is focused primarily on employees. Procurement teams work on contracts, but often have limited (or no) contact with the people supplied under those agreements. IT focuses on granting and removing access, but not necessarily on compliance. Additionally, contractor sponsors often do not have the time to specify precise definitions of access rights. This means that contractors are frequently onboarded by copying the same access that a previous contractor had. Over time, this leads to excessive privileges, or “permission bloat”.
While there has been movement towards creating a unified cybersecurity standard for government contractors, there remain few designated roles explicitly focused on vendor risk management – it sits in a “no man’s land” between departments. And even when a vendor risk management function exists, it is often disconnected from provisioning and access monitoring. It’s not always easy to know exactly what permissions non-employees should have.
Improved third-party access standards
The solution starts with ensuring third parties have the right level of access for their responsibilities. This means that government agencies must be able to positively identify each contractor, verifying that they are who they claim to be. Given the number of identities organizations deal with today, automating the access process through AI-powered approvals, workflows, and birthright access policies can both streamline the process and reduce human error.
Adopting modern identity governance practices can also help organizations comply with standards such as the Cybersecurity Maturity Model Certification (CMMC) program used by the Department of Defense. This allows third-party contractors who do business with government agencies to provide binding assurances that the required cybersecurity measures have been met.
It’s important to note that there is no “set it and forget it” solution for third-party security. Organizations should monitor these identities to ensure ongoing compliance. It is not uncommon for vendors or other organizations supplying third-party workers to circumvent system boundaries. For example, some companies allow employees to share login credentials to hide the number of workers involved in a given account. Worse, credential sharing is sometimes used to hide the fact that a contractor relies on a revolving door of temporary workers rather than dedicated staff. This creates obvious security risks, especially for agencies working with highly sensitive information. The government needs to know who has access to its systems.
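One way an agency can surface the credential sharing described above from its own authentication logs, as an added example that is not part of the original article: flag any account whose logins inside a short window arrive from several distinct source IP and user-agent pairs. The event list, account names, addresses and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, account, source_ip, user_agent).
# "vendor-svc-01" shows three different clients within 20 minutes, the pattern
# expected when one contractor login is passed around among several workers.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "vendor-svc-01", "203.0.113.10", "Chrome/122"),
    ("2024-03-01T08:05:00", "vendor-svc-01", "198.51.100.7", "Firefox/123"),
    ("2024-03-01T08:20:00", "vendor-svc-01", "192.0.2.44", "Chrome/121"),
    ("2024-03-01T09:00:00", "jsmith", "203.0.113.55", "Chrome/122"),
    ("2024-03-01T13:00:00", "jsmith", "203.0.113.55", "Chrome/122"),
    ("2024-03-02T08:10:00", "vendor-svc-01", "203.0.113.10", "Chrome/122"),
]


def find_shared_accounts(events, window=timedelta(hours=1), min_sources=3):
    """Return {account: set of (ip, agent)} for every account whose logins
    within any sliding window of `window` length come from at least
    `min_sources` distinct client sources. Thresholds are assumptions; tune
    them to the agency's normal contractor behaviour (VPN egress, roaming)."""
    by_account = defaultdict(list)
    for ts, account, ip, agent in events:
        by_account[account].append((datetime.fromisoformat(ts), (ip, agent)))

    flagged = {}
    for account, logins in by_account.items():
        logins.sort()  # chronological; tuples compare on the datetime first
        for i, (start, _) in enumerate(logins):
            # Distinct client sources seen from this login until the window closes.
            sources = {src for t, src in logins[i:] if t - start <= window}
            if len(sources) >= min_sources:
                flagged[account] = sources
                break  # one hit is enough to raise the account for review
    return flagged


if __name__ == "__main__":
    for account, sources in find_shared_accounts(SAMPLE_EVENTS).items():
        print(f"review {account}: {len(sources)} distinct clients in one window")
```

A hit is a lead for the contractor sponsor to verify headcount against the access roster, not proof of misuse on its own.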
Gig workers and beyond
Government organizations must remain alert to systemic risk. More and more workers are embracing the gig economy. Even if your agency doesn’t use them, you can be sure that your partners do. And while there are tools available today that can examine login behavior to detect anomalies, these are not enough on their own. Individual contract workers can create significant security risks, but mitigating this issue is only part of the larger challenge of third-party security – and meeting that challenge means access management will continue to be an integral part of any identity security program for public and private sector entities.