Managing cyber risks in the gig economy
13 December 2016
In our previous post we discussed how people can be the weak link in your organisation’s cyber security strategy, whether that comes from misplacing laptops or hard-copy documents or from clicking on suspicious links in emails. Many organisations are ensuring that their employees are trained to avoid these issues, but are you sure that your contractors aren’t slipping through the net? Are your contractors and other third parties trained, vigilant and held to the same expectations as your employees?
This year’s Global State of Information Security survey showed that, compared to last year, the number of incidents attributed to service providers, contractors and suppliers has risen. So how can we reduce the number of incidents they can cause?
Do your third party employees know the cyber security rules?
Third party employees may not always feel they are a true part of the organisation, so specific actions must be taken to ensure that they understand and respect the expectations on them to keep information secure. Their contracts must clearly spell out cyber security requirements, and this must be supported by robust onboarding, training and communications.
As third parties ourselves, we often work from our client’s offices and handle confidential information; despite having our own tight guidelines in place, it is rare to be asked to undertake our client’s own cyber security training or attend an onboarding session where expectations might be discussed.
Are your contractors asked to complete your mandatory training? If not, how do they know what your security expectations are? If so, who tracks whether all training has been completed and understood?
Who has access to what?
Access to systems should be granted on a “need to know” basis when it comes to third parties (and other employees too), to reduce the risk of lost revenue and damage to the brand and customer relationships. Strict access governance can help ensure that any change during a third party’s lifecycle, e.g. moving to a new role or termination, is reflected in their security access. Effective access governance comes from a combination of processes, policies and software that enforces the monitoring and management of access rights, together with automation to ensure that changes to and removal of access rights occur in a timely manner.
But managing access rights depends on reliable people data, for instance:
When a contractor ends their contract a few weeks early, who in your organisation makes sure their systems access is revoked?
When a contractor changes roles, whose responsibility is it to remove the systems access they needed for their old role?
Who worries about potential third party security risks?
All transactions and operations being carried out by third party employees must be compliant with your own security standards, which means making sure that all of your people know how to contract with and manage third party employees safely.
With the rise of the ‘gig economy’, reliance on third parties is only expected to grow. So it is crucial to ensure that digital trust is built into your working relationships and is not considered as simply the role of IT or HR.
Do your employees consider cyber security risks when they engage third party employees?