A Contractor Compliance guide
Contractor confidential: protecting your data when hiring third parties
contractorcompliance.ca
For the vast majority of hiring organizations, bringing in external contractors and freelance workers is a trouble-free experience; you’ve identified the skills gap or services you require for a project, hired the right people for the job, and hit all of your targets and deadlines. But whilst a lot of thought may be put into your contractor relationships before and during their time with you, how much consideration have you given to what happens when they leave?
Regardless of the amount of time they are employed for, it’s likely that your contractors will be privy to sensitive information about your business, the premises in which they’re working, and any new contacts. They’ll be granted security access around your site, provided with client, staff and company details, and computer systems, files and documents will be made available to them. These may be necessary in order for them to undertake the work they’ve been commissioned for, but are you protected against the potential for deliberate data theft or inadvertent errors that can occur when third parties are continually enrolling and moving on?
Knowing the risks
Data breaches have the potential to cause untold damage to any organization. It is likely that you hold sensitive personal or financial information about staff, customers, clients and your business and its transactions, which would provoke serious repercussions should it fall into the wrong hands. By default, having external contractors join your business inevitably widens these risks.
Whether by human error, or malicious hacking and theft, the inability to keep your data private could lead to:
• Financial penalties and consequences from authorities
• Loss of reputation for your brand and key members of staff
• Difficulty retaining existing customers, business connections and clients
• Reluctance from potential new leads and lack of growth
• Company information and processes exposed to competitors
• Personal and financial details used for criminal gain
Understand your assets
Understanding the value and importance of the records and information that your organization holds is the first step towards protecting it. Your commercially sensitive client, staff and company data can be desirable to those looking to commit fraud, or malicious acts that target your business. Unscrupulous competitors may wish to gain insight, criminals may look to use financial details, or you may be subject to a personal vendetta. Once you see the value in the data held within your desktop, email inbox, filing cabinets and security systems, you’ll be able to better comprehend why others may want to gain unauthorised access to it, and learn how best to guard your assets.
Keeping your organization safe
When contractors and temporary staff are coming and going throughout your business, you need to be sure that they’re only taking a good reference with them when you part company. In this white paper, Contractor Compliance will examine the steps that you can take to minimise the threat of breaches, internal attack and data loss that can occur by accident or design.
✔ Research contractor candidates
Prevention is better than cure, and you’ll ideally be hiring trustworthy candidates and dependable contractor companies that have nothing but the best intentions towards your business. This comes from sourcing new employees carefully; make sure that you’re carrying out the correct amount of research and a thorough interview and briefing process, and follow up with references, testimonials and vetting wherever possible. Whilst it’s impossible to pinpoint dishonesty in applicants (nor should you be trying to), obtaining workers from reputable outlets, using personal recommendations and making the right enquiries will maximise the chances of finding competent and responsible contractors.
✔ Put it in writing
The earliest way to avoid breaches and violations is to produce relevant guidelines and processes before a negative event ever occurs. Explaining the onboarding and offboarding system to contractors when they join ensures that everyone knows where they stand, and gives you the opportunity to implement any confidentiality agreements. Putting contractual obligations in place is the best way to guarantee your protection, although making contractors aware that your business is security conscious may be deterrent enough.
✔ Correctly control access
Whether they’re joining you in an office environment or you’re bringing in teams of people and equipment to work on-site, your contractors will need to understand the layout and security processes of your building or grounds. For day-to-day access, it’s likely that you will issue them with identity passes, keys, electronic swipe cards or security codes. Third parties will also come to understand the physicality and routines of your space, such as the placement of exits, flow of staff and visitors, access routes and how the site is physically or digitally protected. To minimise these risks, regularly changing codes is good practice at any time, and certainly essential when any member of staff leaves the business. Passes and keys must be surrendered when contractors move on.
✔ Manage digital systems
For many organizations, the core of their sensitive information lies within their computer system, holding company records, details of transactions, CRM databases, email accounts, strategy documents and so forth. Restricting access is the most logical way to prevent newcomers from delving into your archives, so put a hierarchy or password system in place. If possible, record and monitor access to software systems and online data, and keep track of files which have been copied, printed or emailed. Don’t forget to immediately revoke in-house and remote access to your computers and email systems when somebody leaves the business.
✔ Retrieve hardware
Depending on the role your contractor has been hired for, you may have provided them with company equipment such as a laptop or mobile phone. All devices issued should be set to require password entry, preventing unauthorised access should they be lost or stolen. Data should be encrypted, and you may wish to monitor phone records to ensure these items are being used correctly. When a contractor leaves your employment, these appliances must be retrieved, and wiped of data and logins before they are reassigned.
✔ Have an offboarding strategy
While you may place emphasis on training and onboarding new contractors upon arrival, going through an appropriate offboarding procedure can be overlooked. If a project has been completed satisfactorily, it can be all too easy to simply shake hands and move on to the next item on the agenda. Remember that freelance workers are likely to be engaged by another company shortly, or immediately, after they have completed their role with your organization, and that the time must be taken to debrief, remove permissions and presence from the system and to conclude the association fully.
Conclusion
When you welcome external contractors into your organization, it’s unlikely that they have ulterior motives; but with more and more of your workforce comprising transactional employees, now is the time to make your data and processes secure against opportunities for accidental or deliberate loss. The subsequent penalties and consequences of breaches can be severe, leading to a decline in trade, monetary fines and poor brand reputation.
Organizations can minimise the likelihood of internal attack when hiring contractors. Here are the steps recommended by Contractor Compliance:
1. Before engaging a contractor:
• Carefully research potential candidates and companies
• Interview applicants and take up references
• Complete background checks if appropriate
• Produce a full brief and project plan
• Create security guidelines or contractual obligations
2. During a contractor’s employment:
• Onboard and induct temporary staff
• Assess what really needs to be seen and shared
• Limit access only to essential files and tools
• Keep areas of the premises private if needed
• Monitor employee actions and behaviours
• Regularly change building codes and system passwords
3. When your contractors move on:
• Offboard contractors fully with a clear strategy
• Revoke physical access, and reclaim keys, cards and passes
• Remove security clearance and rights
• Change all digital codes and passwords, or door locks if necessary
• Inform security personnel
• Switch off remote access to computer systems
• Recover company devices such as smartphones and laptops
Safeguard your organization with Contractor Compliance
Hiring contractors comes with risks, but there are simple ways to minimise any threats to your data and physical security. Contractor Compliance software helps you at every stage of your contractor management, from research and hiring, to checking compliance and communicating during a project. To begin reducing your contractor-related risks, book your free demo of Contractor Compliance today.
1 (800) 507-0158
sales@contractorcompliance.ca
contractorcompliance.ca