If you want to keep your network as secure as possible, don’t let anyone connect to it. That is not particularly practical advice, of course. Employees must be allowed access, and every device that is allowed to connect introduces some risk. Unless a network is entirely closed there will always be some level of risk, but what about allowing contractors, partners and suppliers to connect? Collaboration is important. Manage that access well and there are great rewards to be gained. Get contractor security risk management wrong, however, and it could spell disaster.
Contractor security risk management: A choice between access and security
Many companies face a choice. They can opt for productivity and practicality and accept a reasonably high security risk, or they can make changes to address the risk at the expense of productivity. Take U.S. bank Wachovia for example. The bank was one of the largest in the United States, yet during the 2008 financial crisis it took an acquisition by Wells Fargo to keep it afloat.
How did two banks operating two separate email systems manage to collaborate securely? Wells Fargo used Microsoft Outlook for email, while Wachovia had chosen Lotus Notes. Mail could be sent between the two systems, but end users could not send encrypted email from one to the other. The obvious solution was to move Wachovia over to Outlook, but that would not have been a quick or simple process.
The banks decided that consolidating on one system would cause too many problems, and instead opted to simply send unencrypted email. This carried some risk, but it was deemed preferable to the nightmare of migrating an entire company to a new system. They ran Lotus Notes and Outlook side by side, insecurely, for a number of years. Productivity was judged more important than security in this instance. The decision came down to a simple case of risk versus reward, or cost versus benefit.
When it comes to contractor security risk management, you may adopt a similar approach. If the risk outweighs the rewards, address the risk. If the rewards are higher and the risk fairly low, go with the rewards. To make that decision, you need figures. Rewards are relatively easy to calculate in terms of increased profits. Risk is harder to translate into a figure.
Assign a value to risk when developing contractor security risk management strategies
Rewards may be increases in profit, products shipped, a shorter time to market, fewer wasted hours, or even a fall in support calls. Productivity is output per employee; multiplied by the number of employees, it gives total output, so a monetary value is relatively easy to assign.
When developing your contractor security risk management strategies, you must be able to do the same with risk. You will need to determine your inputs and outputs, and a governance framework such as COBIT 5 gives you a structure for doing so.
Under COBIT 5, you maintain a risk profile. Each type of data held by your company is assigned a score, determined by the impact that loss, theft, or corruption of that data would have on the business. Risk has to be quantified in this way before decisions can be made as part of the contractor security risk management process.
Once you have identified the risks and assigned each a value, you can feed those inputs into your contractor security risk management calculations. The usual way to turn an impact score into an annual figure is to estimate the cost of a single incident and how many such incidents to expect per year; the product is an annualized loss that can be set directly against the annual reward of granting access, with the cost of any controls subtracted from the reward.
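As a worked illustration of that calculation (added here, not part of the original article and not a COBIT artefact), the following uses the standard annualized loss expectancy model, ALE = SLE x ARO, where SLE is the single loss expectancy for one incident and ARO is the annualized rate of occurrence. Every asset, access option and figure below is constructed for the example; the impact scores follow the article's idea of scoring each type of data by the damage its loss would do, and a score of 5 is treated as a hard gate rather than just another number.

```python
# Added example: quantify contractor-access risk with ALE = SLE x ARO and compare
# it with the reward of granting that access. All names and figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DataAsset:
    name: str
    impact_score: int    # 1 = negligible ... 5 = business-threatening (from the risk profile)
    single_loss: float   # SLE: estimated cost of one loss/theft/corruption event


@dataclass(frozen=True)
class AccessOption:
    name: str
    annual_reward: float            # productivity gain per year from granting this access
    base_aro: float                 # ARO: expected incidents per year with no extra controls
    control_cost: float             # yearly cost of the controls bundled with this option
    aro_reduction: float            # fraction of incidents the controls prevent (0..1)
    assets_exposed: frozenset       # names of the DataAssets reachable through this access


def residual_aro(option: AccessOption) -> float:
    """Incidents per year once the option's controls are applied."""
    return option.base_aro * (1.0 - option.aro_reduction)


def annual_loss_expectancy(assets, option) -> float:
    """Sum of SLE x residual ARO over every asset the option exposes."""
    aro = residual_aro(option)
    return sum(a.single_loss * aro for a in assets if a.name in option.assets_exposed)


def net_benefit(assets, option) -> float:
    """Reward minus control cost minus expected annual loss."""
    return option.annual_reward - option.control_cost - annual_loss_expectancy(assets, option)


def acceptable(assets, option, ale_appetite=300_000.0, critical_max_aro=0.1) -> bool:
    """Risk-appetite gate: positive net benefit, total ALE within appetite, and any
    critical (score 5) asset exposed only at or below critical_max_aro incidents/year."""
    if net_benefit(assets, option) <= 0:
        return False
    if annual_loss_expectancy(assets, option) > ale_appetite:
        return False
    if any(a.impact_score >= 5 for a in assets if a.name in option.assets_exposed):
        return residual_aro(option) <= critical_max_aro
    return True


def rank_options(assets, options):
    """Options ordered by net benefit, best first."""
    return sorted(options, key=lambda o: net_benefit(assets, o), reverse=True)


# Constructed sample risk profile and access options (illustrative figures only).
ASSETS = (
    DataAsset("project schedules", 2, 20_000.0),
    DataAsset("supplier contracts", 3, 150_000.0),
    DataAsset("customer PII", 5, 2_000_000.0),
)
OPTIONS = (
    AccessOption("shared drives on the LAN, no extra controls", 400_000.0, 0.5, 0.0, 0.0,
                 frozenset({"project schedules", "supplier contracts", "customer PII"})),
    AccessOption("LAN access from managed, scanned endpoints", 400_000.0, 0.5, 60_000.0, 0.8,
                 frozenset({"project schedules", "supplier contracts", "customer PII"})),
    AccessOption("cloud collaboration app only", 350_000.0, 0.3, 25_000.0, 0.5,
                 frozenset({"project schedules", "supplier contracts"})),
)

if __name__ == "__main__":
    for opt in rank_options(ASSETS, OPTIONS):
        print(f"{opt.name:<48} ALE={annual_loss_expectancy(ASSETS, opt):>12,.0f} "
              f"net={net_benefit(ASSETS, opt):>12,.0f} acceptable={acceptable(ASSETS, opt)}")
```

Run as a script, the ranking shows the uncontrolled LAN option losing money once expected losses are counted, while the cloud-only option wins despite a smaller headline reward because it exposes far less data. The critical-asset gate is the important design choice: an option that is profitable on average can still be unacceptable if it leaves your most sensitive data exposed too often, which is exactly the trade-off the Wachovia example shows being made the other way.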
Reducing risk when collaborating with contractors and suppliers
You may need to give contractors access to a system because doing so saves time and money. A good example is a project with multiple subcontractors, such as a construction project. If each subcontractor can enter their own data, this is often preferable, as it reduces the chance of errors being introduced. Some software is designed with collaboration in mind; Lotus Notes or Oracle Primavera for example, the latter having been developed specifically for large construction projects. However, before access to any system is allowed, the risks must be managed. That can be achieved by:
Educating contractors and suppliers
Explain the security risks and how they can be reduced or mitigated. Issue best practice guidelines covering physical security of devices, password management, phishing awareness, the connection of USB drives, and smartphone use.
Scanning all devices connecting to a network
In many cases it is no longer necessary to give contractors and suppliers access to shared network drives or your LAN. They can use desktop or mobile apps and connect to the cloud services your company uses. If LAN access is required, their devices must meet the same baseline as your own: anti-virus, anti-malware, anti-spam and web filtering, plus current patches. Their devices must also be scanned regularly for infections, and that baseline is best checked every time a device connects rather than once at onboarding, since a contractor's laptop is outside your control between visits.
Blocking social media access
Social media use introduces risk. Corporate computers connected to the LAN should not be used to access social media websites; personal devices, on a separate guest network, can be used for that instead. Internet use on LAN-connected devices must be limited to reduce the risk of drive-by attacks and accidental downloading of malware. A web filter should be used to control which websites can be visited.
Conducting security audits
You will no doubt already audit billing and the quality of the services provided, but make sure you conduct security audits as well. You need to confirm that your contractors are not exposing you to unnecessary risk and are following the best practice guidelines you have issued.