Another reason is that the access of third parties is not always tracked as well as it is with regular employees. "Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust," Ulsch wrote.
Trulove agrees. "They are not salaried employees, so they often bypass HR when entering an organization and are not tracked through any centralized system," he said. "Ironically, a lot of contractors have the same access as a permanent employee — or even deeper access in cases where an IT function is being outsourced."
A third is that outsiders generally bring their own hardware and software with them, which has, and will continue to be, used in other networks that may not have been secure — something experts call "poor hygiene."
That problem can be exacerbated by the reality that companies focus more on cost than on security when outsourcing services. James Arlen, senior security consultant with the Leviathan Security Group, calls it a "maturity gap," where companies outsource to vendors that are "lean, mean and cheap ... but are the weak link through which bad things happen."
And according to Trulove, the use of third parties is increasing. He cited statistics that show contract workers have increased from less than a half of 1% to 2.3% since the 1980s; and that 42% of employers intend to hire temporary or contract workers this year — up 14% over the past five years.
How can companies lower those risks. There are a number of ways. Among the basics are to change the passwords on every connected device a company and its contractors buy and to use both risk-based and multi-factor authentication — the kinds of things Arlen calls "Infosec 101."
There is obviously much more to good security than that, he said, "but we are not doing a good job of the basics, which we've known in detail for the last 15 years."
Beyond the basics, experts say it is mandatory for companies to pay much closer attention to their contracts with third parties — Service Level Agreements (SLA) or Business Associate Agreements (BAA).
Ulsch wrote that those contracts should, at a minimum, address the following components:
- Information security;
- Information privacy;
- Threat and risk analysis;
- Compliance obligation range;
- Enforcement mechanisms;
- Internal audit access and disclosure requirements;
- Foreign corrupt practices management.
Raether and Ganow recommend that a BAA should require third-party contractors to, "comply with the same security framework imposed within the company." And, "where appropriate, companies should secure the right to audit their third party contractors and then actually complete such audits."
Trulove offered several recommendations for what he called a, "governance based identity management strategy," that include:
Sign up for CIO Asia eNewsletters.