There is no doubt that the workforce, at least here in Corporate America, is starting to become a very diverse one. I don’t mean this from an ethnic or nationality point of view, but rather from the standpoint of how many different classifications of employees are out there.
For example, you have the direct hires, you have the contractors, the W-2’s, the 1099’s, the sub-contractors, the third-party vendors, freelancers, virtual and remote workers, you name it. It’s all there.
Because of all these different categories and classifications, it can be very confusing for any employer to keep track of all of this. Of course, one could say the easiest way is just to hire one class of workers, such as all direct hires or all contractors that work on a W-2 basis. But as you know, this is a lot easier said than done.
For example, while the normal tendency has been to procure direct hire employees, Corporate America is now shifting to hiring more of the contractors and the freelancers. One of the primary reasons for this is cost savings. After all, with the latter, you don’t have to pay any benefits.
You just have to pay the hourly rate and that’s it. Another reason is that once a project is over, you can easily terminate the relationship with the contractor or the freelancer. You don’t have to keep them on during down times, and you can bring them back on once a new project starts up.
But despite the advantages that contractors and freelancers (also known as “3rd Party Workers”) bring to the table, they are also being blamed for one other serious matter: They are being viewed now as a serious Security threat to businesses and corporations. This is at least according to a recent survey that was conducted by an entity known as Endera, which is entitled: “Security Executives on the Future of Insider Threat Management.”
Here are some of its findings, which, needless to say, are somewhat startling:
*87% of the respondents claim that 87% of contractors and freelancers are the cause of increased levels of Cybersecurity risk;
*There are at least three workforce Security related incidents a week – this comes to a grand total of 156 incidents per year;
*64% of the respondents claim that Supply Chain contractors are also a major cause for the increased Cybersecurity risk;
*55% of the respondents are trying to contain the number of Cyber related incidents that can be attributed to contractor and/or freelancer negligence;
*40% of the respondents have lost confidence in their organization’s ability to keep them safe from Cybersecurity threats;
*75% of the respondents conduct the relevant background checks prior to hiring contractors and freelancers, but only 48% report that these checks continue on a random basis after work starts on the project;
*73% of the respondents have their contractors and freelancers engage directly with the client, which can also be viewed as a serious Security risk.
In terms of specific Cybersecurity threats, the following were cited:
*86% of the respondents felt that device theft or loss was the biggest issue;
*Next in line was fraud, with 80% of the respondents claiming this;
*The third most serious risk is threats from the external environment, namely Cyberattacks such as Ransomware, BEC, Cryptomining, etc. This came in at 74% of the respondents.
My thoughts on this?
This is an issue that I believe I even touched upon earlier last year. Remember, we live in a world now where a company can hire anybody in any geographic part of the world, because of the remote connectivity and interconnectedness that we have. This can be termed now appropriately as the “Gig Economy”. All of these risks that are attributed to freelancers and contractors fall under one loose, generic term which is technically known as “Insider Threats”.
But really in the end, even the direct hire employees can be just as much of a Security threat as the contractors and the freelancers. One cannot differentiate which employee class is more of a threat in these instances, because in the end, everybody to some degree has access to company property and IT Assets. Insider Threats are very difficult to recognize, and it is even difficult to recognize that they are happening once they have been initiated.
In some ways, Insider Threats are even more difficult to track down than the sophisticated Cyberattacks such as that of Ransomware. There really is no easy answer to this, and really, as much as I hate to say it, there is no one size fits all solution. In this aspect, I am by no means an HR expert, but I can offer some tips from the Cybersecurity perspective:
*Make sure that all of your employees (which yes, includes even the contractors and the freelancers) are aware of any penalties that you may invoke if they violate any part of your Security Policies. Don’t even be afraid to mention reporting them to law enforcement if the infractions are that serious – but remember, you have to have the evidence to back this up completely. Otherwise, you could find yourself in a serious lawsuit. Always consult with an attorney before actually going down this route.
*Limit the access that your employees have to IT and Network Infrastructure resources. Assign only those permissions that are absolutely needed for your employees to conduct their everyday job tasks. Also, on a regular basis (probably about once a quarter), keep reviewing those permission levels that you have assigned to make sure that they are consistent with your Security Policies. Make sure that you keep an audit log of every single login and logout activity, in order to track down any suspicious behavior.
*If you have a remote workforce, make sure that the equipment they are to use is issued by you. Under no circumstances should they use their own Smartphone to conduct work related matters. And, when you do issue these devices, it is your responsibility as the business owner or as a member of upper level management to make sure that each one is outfitted with the latest Security tools and software applications (such as the Antivirus/Antimalware/AntiSpyWare stuff). Also, make sure that you provide VPN services, 2FA, and that the endpoints are secure.
*Keep a 24-hour hotline open so that any suspicious behavior or activity can be reported.
*When it comes to doing background checks, this is becoming much more of a gray area. Yes, it is important to conduct them, but if somebody has a clean record, what is stopping them from conducting Insider Attacks after you bring them on board? Even according to this survey, 48% of the respondents feel that the background checks they conduct aren’t detailed enough, and another 84% have reported that they don’t make use of background checks effectively enough. Only 11% of the respondents conduct post background checks on a regular basis. But once again, background checks can’t stop an employee from launching an Insider Attack if they really want to.
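As an added illustration of the tip above on limiting access and keeping a login/logout audit log (this is example code, not part of the original post), here is a small Python sketch of both checks. The role baselines, user names, log format, 90-day review interval, working hours and the rules for what counts as suspicious are all constructed assumptions.

```python
from datetime import datetime, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumption: "about once a quarter"

# Constructed baseline: the permissions each role actually needs.
ROLE_BASELINE = {
    "contractor-dev": {"repo:read", "repo:write"},
    "employee-finance": {"erp:read", "erp:write"},
}
# Constructed entitlement records, as an identity system might export them.
ENTITLEMENTS = [
    {"user": "alice", "role": "employee-finance",
     "perms": {"erp:read", "erp:write"}, "last_review": "2024-05-20"},
    {"user": "bob", "role": "contractor-dev",
     "perms": {"repo:read", "repo:write", "erp:read"}, "last_review": "2024-01-10"},
]
# Constructed audit log, one "<timestamp> <user> <event>" entry per line.
AUDIT_LOG = """\
2024-06-03T09:02:11 alice LOGIN
2024-06-03T17:31:40 alice LOGOUT
2024-06-03T23:47:05 bob LOGIN
2024-06-04T08:55:00 bob LOGIN
2024-06-04T17:05:12 bob LOGOUT
"""

def review_access(entitlements, baseline, today):
    """Flag permissions beyond the role baseline and overdue reviews."""
    today, findings = datetime.fromisoformat(today), []
    for e in entitlements:
        excess = e["perms"] - baseline.get(e["role"], set())
        if excess:
            findings.append((e["user"], "excess", sorted(excess)))
        if today - datetime.fromisoformat(e["last_review"]) > REVIEW_INTERVAL:
            findings.append((e["user"], "review_overdue", e["last_review"]))
    return findings

def audit_sessions(log_text, work_hours=(7, 19)):
    """Pair LOGIN/LOGOUT events; flag off-hours logins and unpaired events."""
    open_login, findings = {}, []
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, event = line.split()
        if event == "LOGIN":
            if not work_hours[0] <= datetime.fromisoformat(ts).hour < work_hours[1]:
                findings.append((user, "off_hours_login", ts))
            if user in open_login:  # earlier session never logged out
                findings.append((user, "login_without_logout", open_login[user]))
            open_login[user] = ts
        elif event == "LOGOUT" and open_login.pop(user, None) is None:
            findings.append((user, "logout_without_login", ts))
    return findings + [(u, "session_still_open", t) for u, t in open_login.items()]
```

Calling `review_access(ENTITLEMENTS, ROLE_BASELINE, "2024-06-05")` and `audit_sessions(AUDIT_LOG)` on the sample data returns findings only for the contractor account, which holds a permission outside its role and has an unpaired late-night login.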
So, as you can see, spotting employees that could be involved in malicious activities from inside the workplace is a very difficult thing to do. But as Artificial Intelligence (AI) and Machine Learning (ML) now start to make their way into Cybersecurity, perhaps there will be more sophisticated ways to detect any anomalies or suspicious behavior.