Placing workers on furlough or conducting layoffs during the COVID-19 crisis is many organizations’ worst-case scenario, but it is increasingly becoming a reality as management teams respond to the shifting global economy.
While making workforce changes is always challenging, it is further complicated when that workforce includes non-employees, also known as “third parties” or “contractors.” Failing to properly manage security protocols after non-employee roles have been furloughed or eliminated can cause risk to skyrocket.
Below, Dave Pignolet, CEO and co-founder of identity management firm SecZetta, offers insight into how organizations can best manage their non-employee risk strategies in times of crisis.
Recruiter.com: What makes a worker part of a “non-employee” population?
Dave Pignolet: We classify non-employees as any third parties who are not part of an organization’s full-time employee (FTE) population. This includes vendor employees and partners, contractors, freelancers, volunteers, and even non-traditional workers such as bots. While these non-employees are uniquely valuable, they must be viewed differently than an organization’s permanent workforce when it comes to security.
RC: What makes this network of workers unique from a security perspective?
DP: First, it is important to understand that non-employee populations have increasingly become part of core business operations and competitive strategies. As such, they are granted the same — and at times greater — levels of access as some of the organization’s FTEs.
While some organizations do evaluate the risk of their third-party partners and vendors, they typically only assess whether these companies have sufficient security controls in place and do not actually review the individuals to whom they will be granting access. This practice increases risk exposure because organizations lack critical information about non-employees. HR systems provide data for each FTE, but there are no analogous systems of record for non-employees. Essentially, many organizations are giving insider access to outsiders about whom they know very little.
RC: Why do non-employees pose an exceptional threat to organizations during periods of fluctuation?
DP: During periods of fluctuation, organizational priorities can shift quickly, leading to projects being postponed or even canceled. Organizations need to conduct regular audits — especially in times of fluctuation — of their non-employee resources to ensure least privilege. If a project has been postponed or canceled, the associated non-employees’ access should be terminated. If not, the organization may inadvertently create overprivileged users and orphaned accounts, unnecessarily expanding the organization’s attack surface.
RC: How can an organization ensure that non-employee access is effectively managed when furloughs and layoffs are an increasingly common reality?
DP: It starts with knowing your non-employees. According to a 2018 Ponemon Institute survey, only a little more than a third of organizations have a list of all third parties with which they share sensitive information. Organizations must create systems of record to maintain critical information on every individual non-employee who has access to their facilities and systems. This is the only way that proper tracking of relationships can be done to ensure that non-employees are given only the access they require for appropriate periods of time.
I also recommend operating with a “zero-trust approach.” Organizations must operate under the assumption of no trust when it comes to non-employees, always ensuring least privilege. A zero-trust approach must be carried out while simultaneously making identity-level decisions for each non-employee. Organizations need to centrally track and manage relationships with non-employees and the access to enterprise assets they require on a more micro-scale than just the vendor or partner level. A careful combination of these objectives ensures that non-employees are individually assessed to grant the least amount of access necessary, lowering their overall risk.