For the majority of businesses around the globe, hiring contractors is commonplace and often critical to achieving business goals. Contracting allows organisations to employ services that would otherwise be too expensive to invest in, such as security, IT or accounting. Contractors are hired on a temporary basis, as they are not required to fill a permanent position and are often brought on as part of a project.
However, contracted employees can pose a significant security risk to organisations. Contracting adds another layer of complexity to the security challenge. Working with third parties to ensure proper security can be very difficult and time-consuming, and third parties can be a very real threat in large attacks. Another attack vector that has been making headlines in recent years is unauthorised data breaches originating from the contractors themselves.
In late February 2020, an NSW man employed as a contractor by an Australian sales company was charged over allegedly accessing servers without authorisation. It is alleged that he deleted over 350 illegally obtained files after a court order was issued to access his computer.
Last year, in October 2019, a Sydney IT contractor employed by a property valuation firm stole the personal details, including property valuations and driver’s licences, of 275,000 individuals and made them readily available on the dark web. The trusted contractor had been employed by the firm for 12 years. It is said that the breach cost the firm at least $8 million.
And this month, in March 2020, three contractors working for the international courier company DHL were found to have been involved in financial misconduct regarding the diplomatic mail service run with the Department of Foreign Affairs and Trade (DFAT). DHL provides mail and diplomatic freight services for embassies. This event can have a large impact on the reputation of DHL and its ability to reliably provide embassies with safe and secure mail services.
These reports show that contractors are very capable of conducting malicious acts against their employer, even if they are long-serving contractors and considered to be trustworthy. Managing third-party risks is not a simple matter and takes a significant amount of time and resources to perfect. Vendors, contractors and consultants must be thoroughly vetted before conducting business with them. Their security efforts must match or exceed that of the customer organisation and agreements must be strictly adhered to.
The vetting of contractors should include full background checks, deep research into their online presence, and strict access management to ensure that they cannot access anything other than what they require to complete their job. This is absolutely critical if the contractor is to be given access to high-level business data and assets that could be misused. Dissatisfaction and grievances with their employer are very often the root cause of malicious acts committed by a contractor. Unhappy contractors are also an attack vector for other malicious actors, who look for personnel they can exploit and coerce into committing malicious activity, often for financial gain.
Closely monitoring, logging and regularly reviewing the activity of all third parties plays a very important part in maintaining strong vendor/contractor security.
Taking on third-party vendors and contractors in a business is often daunting and risky, and businesses may meet with complex issues that are difficult to solve in a timely and cost-effective manner. Agilient understands this, and can help. We specialise in providing organisations with strong advice regarding all aspects of business security, including third-party and contractor security. We help organisations develop robust security policies that will aid in defending against 2020’s threats and risks. If you would like to learn more about how we can be of assistance, contact us today.
Author: Jack Schofield, Agilient Consultant