Is COVID-19 a Threat to Cybersecurity? Managing Non-Employee Access in Times of Crisis
Placing workers on furlough or conducting layoffs during the COVID-19 crisis is many organizations’ worst-case scenario, but it is increasingly becoming a reality as management teams respond to the shifting global economy.
While making workforce changes is always challenging, it is further complicated when that workforce includes non-employees, also known as “third parties” or “contractors.” Failing to properly manage security protocols after non-employee roles have been furloughed or eliminated can cause risk threats to skyrocket.
Below, Dave Pignolet, CEO and cofounder of identity management firm SecZetta, offers insight into how organizations can best manage their non-employee risk strategies in times of crisis.
Recruiter.com: What makes a worker part of a “non-employee” population?
Dave Pignolet: We classify non-employees as any third parties who are not part of an organization’s full-time employee (FTE) population. This includes vendor employees and partners, contractors, freelancers, volunteers, and even nontraditional workers such as bots. While these non-employees are uniquely valuable, they must be viewed differently than an organization’s permanent workforce when it comes to security.
RC: What makes this network of workers unique from a security perspective?
DP: First, it is important to understand that non-employee populations have increasingly become part of core business operations and competitive strategies. As such, they are granted the same — and at times greater — levels of access as some of the organization’s FTEs.
While some organizations do evaluate the risk of their third-party partners and vendors, they typically only assess whether these companies have sufficient security controls in place and do not actually review the individuals to whom they will be granting access. This practice increases risk exposure because organizations lack critical information about non-employees. HR systems provide data for each FTE, but there are no analogous systems of record for non-employees. Essentially, many organizations are giving insider access to outsiders about whom they know very little.
RC: Why do non-employees pose an exceptional threat to organizations during periods of fluctuation?
DP: During periods of fluctuation, organizational priorities can shift quickly, leading to projects being postponed or even canceled. Organizations need to conduct regular audits — especially in times of fluctuation —of their non-employee resources to ensure least privilege. If a project has been postponed or canceled, the associated non-employees’ access should be terminated. If not, the organization may inadvertently create overprivileged users and orphaned accounts, unnecessarily expanding the organization’s attack surface.
RC: How can an organization ensure that non-employee access is effectively managed when furloughs and layoffs are an increasingly common reality?
DP:It starts with knowing your non-employees. According to a 2018 Ponemon Institute survey, only a little more than a third of organizations have a list of all third parties with which they share sensitive information. Organizations must create systems of record to maintain critical information on every individual non-employee who has access to their facilities and systems. This is the only way that proper tracking of relationships can be done to ensure that non-employees are given only the access they require for appropriate periods of time.
I also recommend operating with a “zero-trust approach.” Organizations must operate under the assumption of no trust when it comes to non-employees, always ensuring least privilege. A zero-trust approach must be carried out while simultaneously making identity-level decisions for each non-employee. Organizations need to centrally track and manage relationships with non-employees and the access to enterprise assets they require on a more micro scale than just the vendor or partner level. A careful combination of these objectives ensures that non-employees are individually assessed to grant the least amount of access necessary, lowering their overall risk.
Finally, I suggest prioritizing regular audit and reverification practices. Audits must be conducted regularly to ensure secure access is granted and revoked to each non-employee in a timely manner. Having non-employees reconfirm their status with reverification exercises during the duration of a project establishes proper access is given only to those who require it when they need it.
RC: How can HR and IT leaders work together to ensure a secure process for deprovisioning access for furloughed and laid-off workers?
DP: Leaders need to work together to ensure that automated workflows have been created to deprovision access that is deemed no longer needed after audits are completed.
However, it is also important to prepare for the future. By using collaboration hubs to collect critical data for non-employees, HR and IT leaders can create an authoritative source of non-employee data that will be essential in effectively automating the onboarding process when it is time to re-engage with non-employees. With this, an organization not only saves time but also ensures that management teams are in a stronger position to keep track of data in a central location to stay prepared for the future.
RC: Who is ultimately responsible for overseeing the management of non-employees?
DP: The organizational sponsor or owner of a project is ultimately responsible for the non-employee resources associated with their projects. HR and IT must partner with that individual or line of business to ensure adequate information is collected about the non-employee resources, proper access is granted, and the network and systems remain secure. This requires transparency between departments into the dynamic relationships that they often have with non-employees.
With this collaborative approach, a non-employee system of record can be used to conduct risk ratings for individual workers. Insights from these types of exercises can ensure that HR and IT are aligned on granting and revoking access to particular individuals. This process is critical in reducing the risk of over-provisioning users, meeting access verification and compliance needs, and supporting timely termination of access.
Because non-employees are widely acknowledged by security professionals as high risk, special consideration must be taken at the individual-identity level when providing insider access to facilities, systems, and data. With the right tools, an organization’s leaders can confidently make informed decisions on the access needs of non-employee workers in times of crisis.