How much access should you give contractors to corporate data?

The gig economy is growing at a phenomenal rate, with over a quarter of UK companies now relying on freelancers for core business tasks. Their prominence is only likely to rise, with 55% of enterprises intending to increase their use of freelancers in the future. As a cost-effective way to gain expert contributions on a temporary basis, the system is particularly useful for project-based work.

However, there is a downside which can have serious repercussions for businesses. Temporary employees can inadvertently pose a threat to the safety of corporate data. In order to carry out their jobs, contractors will likely need access to corporate systems and information. Unfortunately, this makes contractors and freelancers working remotely an easy target for cybercriminals. Some of the most disastrous data breaches in recent years have occurred via third-party workers. In one of the most high-profile examples, contractors used by the US Navy were targeted by Chinese hackers in 2018.

As such, it is certainly sensible to limit the level of access contractors have to corporate data. But how do you do this without restricting them from doing their jobs?

Adopt a Zero Trust approach to cybersecurity

One solution is to adopt a Zero Trust strategy, in which IT teams shift away from the mentality of ‘trust but verify’ to ‘never trust, always verify’. Traditionally, users connecting to resources from within a company network are implicitly trusted. The logic behind this is that if someone is connecting onsite, then they are doing so from a trusted location and can thus be trusted. However, this approach fails to account for insider threats, as well as for attackers who have already penetrated the corporate perimeter. A Zero Trust methodology mandates that everybody—including contractors—should be subject to the same robust verification procedures before they’re granted access to a company system.

A notable example of a Zero Trust model is Google’s BeyondCorp initiative, which shifts access controls from the network perimeter to individual devices and users. This means that anyone wanting to access company resources, from inside or outside its network (such as contractors via VPNs), must be explicitly approved in order to do so. Connecting from inside the company network therefore does not determine which resources a user can access, as is usually the case. Access is instead granted on the basis of what the company already knows about the user and their device.

What does a Zero Trust approach entail?

One important component of a Zero Trust strategy is multi-factor authentication (MFA), where multiple layers of authentication are required for employees and contractors to access company resources, instead of relying on a single form of identity verification such as a password. So, even if an attacker learns a user’s password, it is useless without the other factors, such as a PIN, a personal question or possession of a particular device. Considering that millions of people still use weak passwords, implementing an MFA strategy is invaluable to keeping company data safe.

Once a user’s identity is verified, Zero Trust then focuses on restricting your company’s attack surface, which can be achieved through identity and access management (IAM) processes. Instead of granting workers complete access to resources, and the freedom to perform any function they like, users are provisioned access on a ‘least privilege’ basis—only those privileges essential to the individual’s intended function. This reduces a company’s attack surface by limiting lateral movement as well as what entities already on the network can reach.

To this end, contractors are only granted access to the resources they need, and nothing more, which helps your business to keep its data safe. This level of access would likely be limited, due to the temporary nature of their roles. An expiry date is also typically put in place to ensure that freelancers do not have permanent access to your systems and would have to request an extension to work beyond it. What’s more, with identity and access management controls in place, companies gain a more systematic approach to third-party access management.

How to implement a Zero Trust strategy

To put an IAM strategy into practice, both full-time employees and contractors will need to have their roles clearly defined, and you’ll have to invest in appropriate technology solutions. These will either replace or be integrated with existing access and sign-on systems that currently allow users blanket access to resources. Your company would instead operate using a central directory of users, roles, and assigned permission levels that grant users the correct access rights.
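As an added illustration, not code from the article or from any named IAM product, the following Python sketch models the pieces described above and in the previous section: a central directory of users and roles, least-privilege permissions per role, MFA required on every request regardless of network location, and a time-bound expiry on the contractor account that forces an extension request. All names, roles, resources and dates are constructed.

```python
from datetime import datetime, timezone

# Constructed role -> resource -> allowed actions (least privilege per role).
ROLE_PERMISSIONS = {
    "payroll-analyst": {"payroll-db": {"read"}, "hr-wiki": {"read"}},
    "web-contractor": {"cms": {"read", "write"}, "staging-server": {"deploy"}},
}

# Constructed central directory. Contractors carry an access expiry;
# permanent staff have none.
DIRECTORY = {
    "alice": {"role": "payroll-analyst", "expires": None},
    "bob": {"role": "web-contractor",
            "expires": datetime(2024, 6, 30, tzinfo=timezone.utc)},
}

def decide(user, resource, action, mfa_verified, now):
    """Evaluate one access request and return (allowed, reason).

    Every request goes through the same checks; being 'on the network'
    grants nothing, which is the never-trust-always-verify stance."""
    account = DIRECTORY.get(user)
    if account is None:
        return False, "unknown user"
    if not mfa_verified:
        return False, "mfa required"
    expires = account["expires"]
    if expires is not None and now >= expires:
        return False, "access expired; extension must be requested"
    allowed = ROLE_PERMISSIONS.get(account["role"], {}).get(resource, set())
    if action not in allowed:
        return False, "not permitted for role"
    return True, "ok"

def expired_accounts(now):
    """Reporting helper: contractor accounts whose expiry has passed and
    should be disabled or formally extended, never silently left open."""
    return sorted(u for u, a in DIRECTORY.items()
                  if a["expires"] is not None and now >= a["expires"])

if __name__ == "__main__":
    before = datetime(2024, 6, 1, tzinfo=timezone.utc)
    after = datetime(2024, 7, 1, tzinfo=timezone.utc)
    print(decide("bob", "cms", "write", True, before))      # allowed
    print(decide("bob", "payroll-db", "read", True, before)) # wrong role
    print(decide("bob", "cms", "write", True, after))        # expired
    print(decide("alice", "payroll-db", "read", False, after))  # no MFA
    print(expired_accounts(after))
```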

Importantly, the technology must be able to store, identify and profile user data, and have data governance capabilities so that only necessary and relevant data is shared. A comprehensive IAM strategy should include reporting and monitoring tools, password-management tools, and provisioning software.

While it is undoubtedly difficult to implement a Zero Trust model, requiring meticulous planning and comprehensive analysis of current security practices to identify weak points, the protection it provides is certainly worthwhile. By applying the same controls to every user, rather than just to temporary workers, your company will be much better placed to keep its information secure.