Combatting non-employee access risk starts before a new staff member even arrives at an organization. The standardization of non-employee hiring and onboarding can reduce the risk associated with access misuse, insider threats, accidental data exposure, and more. Here are a few Do’s and Don’ts when it comes to onboarding non-employees:
Using a standard onboarding process for non-employees helps reduce third-party access risk. The concept of a digital ‘front door’ that every user must come through means that all personnel follow the same procedure. The process may include steps like verifying user identification, creating a standard user account, and documenting key metadata. This is the starting point for building a trustworthy data trail on each user. Eventually, this acts as a centralized repository that allows administrators, auditors and access management engineers to locate all non-employees in a single source of truth. Centralized repositories can also help to speed up onboarding, an important feature when using contractors who are often temporary and need to get to work quickly on a project.
When a contractor is coming in for a quick project, it can be tempting to skip a few steps in the onboarding process to get the work done quickly. Don’t. Being able to consistently and accurately identify individuals is a vital component of a robust identity system and the core of managing third-party access risk. A lack of standardization during the verification process can lead to unauthorized access and to control measures that cannot be enforced.
The exposure of sensitive data is not always intentional or malicious. Failing to onboard non-employees properly can lead to accidental yet costly data exposures as well. The 2020 Cost of Insider Threats report from the Ponemon Institute found that the average cost of an accidental insider breach by negligent employees or contractors was $307,000 per incident. However, if that incident involved the use of privileged credentials, that cost went up to $871,000 per incident. Standardizing onboarding may require an investment, but it tends to be well worth it compared with the potential consequences of negligence.
Non-employee access management can be a challenge. Contractors and freelancers can potentially be lost in the system, or worse, unvetted altogether, but centralization can help.