You work with them every day, but you’ve never seen their face. You’re not really sure what they do, or if they even count as your coworker. You wonder what they’re getting paid, what their hours are. Do they even have a company login?
The working world is ever-expanding, and your organization’s attack surface with it. Usually we talk about assets — data, PHI, and other valuable information that cybercriminals can snatch up and sell on the black market. Having a strong human firewall, or an informed base of employees with cyber-smarts, is critical to your defense.
But what about workers who aren’t obliged to complete security awareness training, or even to follow the basic security protocols your day-to-day staff live by, yet who have access to critical systems and data just the same?
What about non-employees?
Let’s get to know these cogs in your machine, learn more about the potential risks they pose, and discuss effective mitigation strategies for this elusive threat.
The Anonymous Ones
Non-employees are on the rise; McKinsey reports their share of the workforce is up to 36% from 27% in 2016. The term “non-employee” describes a person or entity whose labor contributes to the company but who is not officially employed by the organization. Think of someone who is compensated for their services without receiving benefits or being entirely in the company fold. Independent contractors, freelancers, and vendors are all examples of non-employees. And just as an organization’s terminology for its non-employees can vary, so can the nature of the contracted relationship. In other words, a freelancer may not have to agree to the same terms as a vendor.
There are a few notable differences between employees and non-employees, but we’re going to touch on two: regulatory and behavioral.
From a regulatory perspective, that means that while you, the organization, may be up to code with regulatory standards (HIPAA for a hospital, for instance), the non-employee is bound only to whatever the contract obliges them to. Unless you have written the obligation in (under HIPAA, for example, through a business associate agreement), their handling of your data is not necessarily held to your standard.
From a behavioral perspective, that means that the non-employee will not always be subject to the same culture, training, and expectations as the organization’s employees — including, for instance, a culture of cybersecurity awareness.
Everyone’s An Endpoint
As an organization expands its reach, it inevitably accumulates more endpoints. The more data you process, the more customers you serve, clients you take on, and employees you hire, the more entry points a cybercriminal has to work with.
Unfortunately, that reach doesn’t have an official cutoff. Everyone who interacts with your organization is a potential breach factor, whether the path in is an unmanaged IoT device or a single human error, and the consequences can be substantial.
The news often refers to these incidents as “third-party breaches,” but the truth is that responsibility lies with the third party and the organization alike. It’s on you to secure and manage non-employee identities. You’ve adapted your risk management policies to address a variety of situations and assets — you can, and must, do the same to address users with different levels of privilege and access.
It’s understandably difficult for an IT team to coordinate onboarding for a unique entity. A common go-to strategy is a generic, shared company account carrying more permissions than any one task needs, but that presents a golden opportunity for attackers: one set of credentials, held by people you don’t manage, with access you can’t attribute to an individual. It puts the organization at even more risk.
So, how do you treat a non-employee in your sensitive digital landscape?
You don’t have to design access from scratch for every single non-employee you work with; it’s a good idea to standardize a few role-based profiles and assign each person their own account under one of them, so that every action is attributable to an individual rather than a shared login. These profiles should carry only the permissions specific to the role, and every grant should have an end date tied to the engagement. This way no account is sitting idle for a malicious actor to take advantage of.
To catch precisely that, you may choose to set up alerting for logins on accounts whose permissions have expired or that have been dormant for a while. Accounts that are used after their end date can be flagged and investigated before the intruder gets too far into your network.
Similarly, so you don’t lose track of your non-employee identities, you can set up a validation process that routinely checks in with the internal sponsor of each non-employee and affirms that the person is still active with your organization. If not, you deactivate the account and remove the permissions, ensuring that one endpoint has been safely sealed off.
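The three controls above (role-based grants with an end date, alerting on use after expiry, and periodic sponsor attestation) fit naturally into one review routine. The script below is an added example written for this article, not a BAI Security tool or code from the original page. The role templates, account registry, the `user=/result=/src=` log line format and all usernames, dates and IP addresses are constructed sample data; a real deployment would read these from the identity provider and the authentication logs.

```python
"""Review non-employee accounts: cap grants to a role template with an end date,
flag successful logins after expiry, flag stale sponsor attestation, and list
accounts due for deactivation. Sample data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Hypothetical role templates: the permission set for the role and the longest
# engagement the role may be granted for before a fresh approval is needed.
ROLE_TEMPLATES = {
    "contract-developer": {"perms": {"repo:read", "repo:write", "ci:run"}, "max_days": 180},
    "vendor-support":     {"perms": {"ticketing:read", "ticketing:write"}, "max_days": 365},
    "auditor":            {"perms": {"logs:read", "reports:read"}, "max_days": 60},
}


@dataclass
class NonEmployeeAccount:
    username: str
    role: str
    sponsor: str         # internal employee who vouches for the engagement
    access_ends: date    # every grant carries an end date
    last_attested: date  # last time the sponsor confirmed the person is still active

    def permissions(self):
        return ROLE_TEMPLATES[self.role]["perms"]


def provision(username, role, sponsor, start, requested_days):
    """Create an account from a role template; never exceed the template's max lifetime."""
    template = ROLE_TEMPLATES[role]
    lifetime = min(requested_days, template["max_days"])
    return NonEmployeeAccount(username, role, sponsor, start + timedelta(days=lifetime), start)


def parse_auth_line(line):
    """Parse a constructed log format: '<ISO timestamp> user=<u> result=<success|failure> src=<ip>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "user": kv["user"],
            "result": kv["result"], "src": kv.get("src")}


def review(accounts, auth_lines, today, attest_every=timedelta(days=90)):
    """Return findings keyed by category; each category is a list of usernames or tuples."""
    by_name = {a.username: a for a in accounts}
    findings = {"expired_login": [], "unregistered_login": [],
                "stale_attestation": [], "deactivate": []}
    for line in auth_lines:
        ev = parse_auth_line(line)
        if ev["result"] != "success":
            continue  # failed attempts are noise for this check
        acct = by_name.get(ev["user"])
        if acct is None:
            # A working login we have no record of is an identity we have lost track of.
            findings["unregistered_login"].append((ev["user"], ev["ts"].isoformat(), ev["src"]))
        elif ev["ts"].date() > acct.access_ends:
            findings["expired_login"].append((acct.username, ev["ts"].isoformat(), ev["src"]))
    for a in accounts:
        if today - a.last_attested > attest_every:
            findings["stale_attestation"].append(a.username)
        if a.access_ends < today:
            findings["deactivate"].append(a.username)
    return findings


# Constructed sample registry and log lines (not real accounts or addresses).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    NonEmployeeAccount("alice.contractor", "contract-developer", "j.doe", date(2024, 8, 1), date(2024, 5, 1)),
    NonEmployeeAccount("bob.vendor", "vendor-support", "m.lee", date(2024, 4, 30), date(2024, 1, 15)),
    NonEmployeeAccount("carol.audit", "auditor", "j.doe", date(2024, 6, 30), date(2024, 2, 1)),
]
SAMPLE_AUTH_LOG = [
    "2024-05-20T09:14:03 user=bob.vendor result=success src=203.0.113.7",
    "2024-05-21T10:00:00 user=alice.contractor result=success src=198.51.100.4",
    "2024-05-22T11:30:00 user=bob.vendor result=failure src=203.0.113.7",
    "2024-05-23T08:00:00 user=unknown.user result=success src=192.0.2.9",
]


def run_example():
    return review(SAMPLE_ACCOUNTS, SAMPLE_AUTH_LOG, TODAY)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

In the sample, bob.vendor logged in successfully three weeks after his access end date, which is exactly the event the alerting rule should surface; he and carol.audit are also past the 90-day attestation window, and unknown.user is a successful login the registry knows nothing about. The `provision` helper shows the other half of the control: a request for a 120-day auditor grant is cut to the template's 60-day maximum, so the end date is enforced at creation rather than relying on someone to remember it later.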
If you have the resources, you may consider supplying cybersecurity training. This can be as simple as including clauses in your contract; for instance, all communications must be through company email and chat servers.
You can also include non-employees in routine security awareness checks, such as sending out a deliberately suspicious email and encouraging your team to report them when they appear. Assess their base level of knowledge on cyber-threats — do they know what a phishing email is, or ransomware? Can they identify crucial warning signs?
As a handy resource, as well as a step forward for your company’s cyber-safe culture, you can create an IT security checklist for employees and non-employees alike. Backing up data regularly, encrypting devices and sensitive files, installing updates promptly, protecting devices with a password and enabling 2FA on accounts, and using a VPN on untrusted networks are all simple tasks that improve overall tech health and decrease the risk to your organization.
The evolving workforce doesn’t have to be a threat. You can rise to the occasion with a flexible IT team and effective risk management that ensures you’ll always have a safety net — just in case.
Keep Your Eyes Open
Want to keep your human endpoints on lock? It’s a team effort, and we’re ready to lend our award-winning expertise.
BAI Security’s Social Engineering Evaluation tests your home team’s security awareness, while our Vendor Management Risk Assessment examines your external technology providers, making sure your TSPs (Technology Service Providers) are held to the same high standards that keep your organization safe.
Let’s get in touch to validate your security today!