The rise of the gig economy and increasing prevalence of remote work have seriously impacted the way businesses hire and manage their employees. Contract work has become more common. More businesses are turning to third-party vendors to meet specific needs. The average employee today has been tenured for less than four years, according to the Bureau of Labor Statistics. For all that has been made of the “Great Resignation,” people today are simply more comfortable changing jobs than in the past.
These changes aren’t necessarily bad — in fact, most companies would say the increased availability of gig and contract workers has afforded them valuable flexibility. But the impermanence of today’s workforce has also forced them to change the way they think about security. There are heightened security risks associated with managing the identities of contract employees, freelancers, and other non-employees. High turnover rates, unclear access needs, and nebulous employment status often plague these positions, creating vulnerabilities that today’s attackers are only too happy to exploit. At a time when identity-based attacks continue to rise, businesses need a plan to address the changing security needs of the modern workforce.
Identity in the gig economy
It's important to understand why identities are such a popular target for today’s cybercriminals. Today, most businesses have tens — or even hundreds — of thousands of identities to manage, ranging from user and device identities to servers and cloud apps. Each identity has specific needs, including which systems or areas of the network it should be allowed to access. Security teams often find managing that access a significant challenge at today’s scale — it is simply not possible to manually configure permissions for hundreds of thousands of identities.
Even so, managing identities means having a clear understanding of the different roles within the organization and what data they might need to access. Overprovisioning remains a serious challenge, for the simple reason that it’s more convenient to grant too many permissions than too few. If a user needs to constantly ask the IT department for access to certain systems or databases, it has a negative impact on productivity both for the user and the IT professional forced to field those requests. Unfortunately, too many businesses address this by granting much broader access than is actually required.
This is particularly true when it comes to contract workers. When a business brings on a contractor, they expect very fast productivity out of them. That means making sure they have access to the resources they need from the jump, which makes them prime candidates for overprovisioning. Worse still, contractors don’t receive the same level of training that full-time employees do, which means they probably aren’t as familiar with the security policies and procedures in place. This creates a dangerous level of risk — and attackers know it. A single contract worker whose identity has more entitlements than it needs can represent a gold mine for attackers.
Three ways to improve contract worker security
How, then, should businesses approach identity security amid the rise of contract work? Businesses don’t need to rethink their approach to identity from the ground up — but there are a number of specific steps they can take to ensure that contract workers have the oversight necessary to avoid creating unnecessary risk. Here are three steps companies can take:
- Ensure that every contract worker has a sponsor: Too often, businesses wind up with dozens of contractors operating under the supposed oversight of a single person charged with doing the necessary paperwork and making sure their hours are submitted. This approach paints sponsorship as more of an administrative task than one focused on actual governance. No more — each contract worker needs an individual sponsor who understands the scope and boundaries of that contractor’s job. This individualized attention ensures that appropriate permissions are set. It also ensures that if the contractor does need to ask their sponsor for additional access, that sponsor has a solid understanding of whether it’s a justified or necessary request.
- Assign contractors projects that have a specific set of entitlements associated with them: Sponsors can help define those roles by dictating what the entitlements are. A company working with a third-party human relations consultant might grant an associated contractor access to databases containing employee records, or to certain payroll information. If a new contractor joins the same project, apply those same permissions to them. Most businesses already create roles like this for regular employees, but contractors rarely receive the same treatment. Establishing roles with predefined sets of entitlements doesn’t just improve security — it streamlines the onboarding process.
- Include contract workers in the company’s periodic access recertifications: That means auditing usage: if a contractor has access permissions they never use, remove that access from their set of entitlements. There are identity management solutions that are capable of monitoring usage and adjusting permissions on a continuous basis, but it’s still a good idea for businesses to regularly examine and recertify contract worker access. Over time, things will change. Sometimes a contractor gets terminated early. Other times, the project they’re working on might take significantly longer than intended. Making sure a contractor no longer working with the company doesn’t still have access to sensitive materials is critical. It’s also important to ensure that contractors still actively engaged in essential work don’t lose the access they need. Recertification on a quarterly (or more frequent) basis can help avoid these pitfalls.
When organizations bring on contract workers, they often look to get them up and running as quickly as possible. That’s not a bad goal — but companies need to do it in a way that promotes security. By taking the three steps I outlined, organizations can create a sustainable system through which to onboard and effectively provision contract workers, and to ensure that their permissions and entitlements remain appropriate for the duration of their work. The gig economy isn’t going anywhere and attackers recognize the relative vulnerability of contractor identities. That’s why companies must make a plan to navigate the changing workforce in a secure manner a top priority.
Grady Summers, executive vice president of product, SailPoint