Are you putting information at risk by using contractors?


This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."


When Contractors go Bad


Here is a sampling of incidents involving contractors either losing, stealing or accidentally exposing client data.
Source: Privacy Rights Clearinghouse

  • February 16, 2006
    Blue Cross and Blue Shield of Florida:
    Contractor sends names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.
  • May 30, 2006
    Texas Guaranteed Student Loan Corp.:
    Employee at Hummingbird, a subcontractor for Texas Guaranteed, loses a piece of equipment containing names and Social Security numbers of TG borrowers.
  • June 2, 2006
    Ahold USA:
    During a commercial flight, an EDS employee loses a laptop that contains pension data of former employees of Ahold's supermarket chains, including Social Security numbers, birth dates and benefit amounts.
  • July 29, 2006
    Sentry Insurance:
    Personal information on workers' compensation claimants is stolen, and some later sold on the Internet. Thief was a lead programmer-consultant who had access to claimants' data.
  • August 4, 2006
    Toyota plant in Texas:
    Laptop belonging to contractor and containing personal information of job applicants and employees is stolen. Data includes names and Social Security numbers.
  • September 5, 2006
    Transportation Security Administration (TSA):
    Accenture, a contractor for TSA, mails documents containing former employees' Social Security numbers, dates of birth and salary information to the wrong addresses due to an administrative error.
  • October 23, 2006
    Sisters of St. Francis Health Services:
    A contractor working for medical billing records firm Advanced Receivables Strategy misplaces CDs containing unencrypted personal information of 266,200 St. Francis patients, employees and physicians.
  • December 14, 2006
    Bank of America:
    A former contractor for Bank of America accesses--without authorization--the personal information of an undisclosed number of customers in order to commit fraud.

Too Close for Comfort
While an organization may have a robust and effective perimeter security architecture, that architecture is of little value once contractors are hired and given access to the network, whether onsite or remotely. Once inside the security perimeter, they can freely navigate company systems and networks, often with little monitoring.

In many cases, contractors are employed for only a short time and are not always subject to the same scrutiny as new employees; they are also often hired precisely because internal resources or competencies are inadequate. In either scenario, the contractor is immediately placed in a potentially powerful position, because their expertise is probably superior to that of anyone on staff.

Compounding this, contractors are often hired to perform extremely sensitive work, such as programming, systems administration and network security.

In addition, a trend toward longer-term arrangements with third parties can compound the risk, says Pete van de Gohm, CISO of Bayer, North America: "Longer-term contractors can be mistaken to be corporate employees by both outsiders and insiders." This familiarity tends to result in a company giving a contractor even more access to sensitive information.

Over time, continued reliance on an individual contractor will increase the risk to an organization and the consultant becomes more difficult to replace or terminate--a phenomenon that can be called "dependency risk." As the contractor becomes more entrenched, there is a tendency to provide less oversight. As dependency grows, unscrupulous contractors may exploit the company's overreliance by intimidating it with threats of sudden departure or worse.

And of course, there is always the threat of thieves who work under the guise of short-term employment in order to purposefully infiltrate an organization and steal data or conduct corporate espionage.

This was first published in May 2007
