Containing Third Party Identity Risk

Posted on by Javed Shah

Cybersecurity professionals are facing a new reality in the war against hackers. Bad actors don’t hack into systems anymore. They log in. And more and more frequently, they do so via credentials created by third parties that have (and need) access to those systems, such as independent contractors and supply chain partners. 


Some of the most devastating breaches in recent times have resulted from hacks directed at third parties. Toyota, for example, was forced to completely shut down operations involving 13,000 vehicles as a result of a virus that initially infected a plastics supplier. A data breach that originated with a compromised vendor of file transfer software cost Morgan Stanley $15 million.

According to one study, the average company has relationships with 11 third parties, and virtually every company in that same study was doing business with at least one third party that had been breached. When fourth parties – contractors to these third parties – are taken into account the situation becomes worse, and the chain of risk can be even longer as the fourth parties themselves may have contractors.


In addition to the risks associated with giving remote contractors and third-party businesses access to internal systems, a new problem has arisen now that remote work has become the norm in many industries: contractor jacking. In one scenario, dubbed proxy interviewing, a skilled developer interviews for a contracting position, gets the position, obtains the required credentials, and then transfers the actual work, along with those credentials, to someone else. Sometimes contractors apply for a second job, under a false identity, at a company that is already using their services, pretending to work on each job full-time.


Digital Identity Onboarding

There are a number of best practices that companies can use to reduce their risk while minimizing the HR workload involved in onboarding contractors. In order to maintain the principle of least privilege, it’s important not only to verify the authenticity of who is being hired, but also to ensure timely termination of access. 

Companies should automate processes whenever possible, not only to improve efficiency when large numbers of identities are involved, but also to minimize the temptation to rubber-stamp approvals, over-provisioning users or otherwise cutting corners. The mechanisms for both individuals and third-party companies should be user-friendly to ensure smooth day-to-day operations and reduce help desk problems to a minimum.


When it comes to individual contractors, one of the most effective approaches to meeting these criteria is self-sovereign identity. In this approach, the process of establishing credentials is handled by the contractors themselves using a mobile phone. When implemented correctly, the PII is encrypted and stored, and a public/private key pair bound to that data establishes the trusted identity.


To begin the process, the user enters basic information – name, address, etc. – and is then prompted to scan a government ID such as a driver's license or a passport. The authenticity of the document is confirmed in real time to ensure it is legitimate. The user then takes a video selfie, which is matched to the photo on the ID to confirm that they really are the person the document represents. The generated credential provides a very high level of assurance. The new credential can then be bound to the user's account. From then on, the user unlocks the credential with any biometric they choose and uses it to access company resources as permitted.
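The two mechanisms the post relies on, a credential bound to the account through a public/private key pair, and access that lapses on time or on revocation (the "timely termination of access" called for under least privilege), are easy to show in code. The following is an added illustration written for this page, not code from 1Kosmos or any identity-proofing product. It assumes an Ed25519 key pair generated on the contractor's device, a server-side registry that stores only the public key, an expiry date and a revoked flag per account, and a random-nonce challenge that the device signs; the account name and dates are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// BoundCredential is what the company stores: only the public half of the
// contractor's key, the account it is bound to, and the access window.
// (Hypothetical data model, not a vendor's schema.)
type BoundCredential struct {
	Account   string
	PublicKey ed25519.PublicKey
	ExpiresAt time.Time
	Revoked   bool
}

// Registry maps accounts to bound credentials and tracks outstanding
// challenges so that each nonce can be answered only once.
type Registry struct {
	creds      map[string]*BoundCredential
	challenges map[string]string // nonce -> account it was issued to
	now        func() time.Time  // injectable clock so expiry can be tested
}

func NewRegistry(now func() time.Time) *Registry {
	return &Registry{creds: map[string]*BoundCredential{}, challenges: map[string]string{}, now: now}
}

// Bind records the contractor's public key against an account with an explicit
// end date, so access lapses by default when the engagement ends.
func (r *Registry) Bind(account string, pub ed25519.PublicKey, expires time.Time) {
	r.creds[account] = &BoundCredential{Account: account, PublicKey: pub, ExpiresAt: expires}
}

// Revoke terminates access immediately, for example when a contract is cancelled early.
func (r *Registry) Revoke(account string) error {
	c, ok := r.creds[account]
	if !ok {
		return errors.New("unknown account")
	}
	c.Revoked = true
	return nil
}

// Challenge issues a fresh random nonce that the device must sign.
func (r *Registry) Challenge(account string) (string, error) {
	if _, ok := r.creds[account]; !ok {
		return "", errors.New("unknown account")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	r.challenges[nonce] = account
	return nonce, nil
}

// Verify checks the signed nonce against the bound public key and the
// credential's lifecycle state. The nonce is consumed on first use, so a
// captured response cannot be replayed.
func (r *Registry) Verify(account, nonce string, sig []byte) error {
	issuedTo, ok := r.challenges[nonce]
	if !ok || issuedTo != account {
		return errors.New("unknown or already-used challenge")
	}
	delete(r.challenges, nonce)
	c, ok := r.creds[account]
	switch {
	case !ok:
		return errors.New("unknown account")
	case c.Revoked:
		return errors.New("credential revoked")
	case r.now().After(c.ExpiresAt):
		return errors.New("credential expired")
	case !ed25519.Verify(c.PublicKey, []byte(nonce), sig):
		return errors.New("signature does not match bound key")
	}
	return nil
}

// SignChallenge is the device side: the private key never leaves the phone
// and is only ever used to sign server-issued nonces.
func SignChallenge(priv ed25519.PrivateKey, nonce string) []byte {
	return ed25519.Sign(priv, []byte(nonce))
}

func main() {
	r := NewRegistry(time.Now)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r.Bind("contractor-42", pub, time.Now().Add(30*24*time.Hour)) // constructed sample engagement
	nonce, _ := r.Challenge("contractor-42")
	fmt.Println("login:", r.Verify("contractor-42", nonce, SignChallenge(priv, nonce)))
	_ = r.Revoke("contractor-42")
	nonce, _ = r.Challenge("contractor-42")
	fmt.Println("after revocation:", r.Verify("contractor-42", nonce, SignChallenge(priv, nonce)))
}
```

The design point is that the server holds nothing a thief could reuse: a leaked registry yields only public keys, and every successful login requires a fresh signature from the device that holds the private key. Expiry and revocation are checked on every request rather than at enrollment, which is what makes termination of access timely instead of a periodic clean-up task.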


Self-sovereign identity can be beneficial on a number of fronts. HR departments are spared an enormous amount of work. They avoid the need to safeguard any contractor PII. The risks of proxy interviewing and contractor jacking are eliminated because there’s no way individuals can share their credentials.


Best Practices for Minimizing Third Party Risk

Third-party and contractor relationships are the new normal, and both pose unique security challenges. Contractors are particularly problematic because they so often work remotely. Here are the essential best practices for maintaining security related to contractors and avoiding the very high cost of a breach.


  • When establishing or renewing a third-party relationship, investigate the company's security posture and practices to make sure they meet the same security standards as your organization.

  • Verify and proof the identity of every person hired and/or authorized to access sensitive data, to be sure they are who they say they are.

  • Automate security processes to ensure rigorous adherence to standards and improve operational efficiency.

  • Provide contractors with an approved MFA authenticator to eliminate the need to constantly provide hardware.

  • Practice solid governance to meet compliance requirements, while understanding that compliance alone may not be adequate to ensure the safety of your assets.


Third parties, whether individual contractors or companies, are significant contributors to the success of most businesses today, and their importance will likely grow. By carefully monitoring security practices related to these outsiders, companies can enjoy the benefits they provide with minimal risk.

Javed Shah

Senior Vice President of Product Management, 1Kosmos


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
