This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
When Contractors go Bad
Here is a sampling of incidents involving contractors either losing, stealing or accidentally exposing client data.
Source: Privacy Rights Clearinghouse
Too Close for Comfort
While an organization may have a robust and effective perimeter security architecture, it becomes of little value when we hire contractors and allow them access into the network either onsite or remotely. Once inside the security perimeter, they can freely navigate company systems and networks, often with little monitoring.
In many cases, contractors are employed for only a short time and are not always subject to the same scrutiny as new employees. They are often hired because of inadequate internal resources or competencies. In either scenario, the contractor is immediately placed in a potentially powerful position because their expertise is probably superior to that of anyone on staff.
Compounding this, contractors are often hired to perform extremely sensitive work, such as programming, systems administration and network security.
In addition, a trend toward longer-term arrangements with third parties can compound the risk, says Pete van de Gohm, CISO of Bayer, North America: "Longer-term contractors can be mistaken to be corporate employees by both outsiders and insiders." This familiarity tends to result in a company giving a contractor even more access to sensitive information.
Over time, continued reliance on an individual contractor increases the risk to an organization, and the consultant becomes more difficult to replace or terminate, a phenomenon that can be called "dependency risk." As the contractor becomes more entrenched, there is a tendency to provide less oversight. As dependency grows, unscrupulous contractors may exploit the company's overreliance by intimidating it with threats of sudden departure or worse.
And of course, there is always the threat of thieves who work under the guise of short-term employment in order to purposefully infiltrate an organization and steal data or conduct corporate espionage.
This was first published in May 2007