Many, if not most, organizations rely on outside contractors. But most may not know the threat they can pose to your network and data. According to new research from ISN, only 23% of contractors reported they require cybersecurity awareness training and only 25% have defined criteria to report a cyber incident to the organization that hired them. This resulted in more than half (58%) of organizations believing that it was this third-party contractor who was responsible for a breach of their system.
Why are contractors lacking in cybersecurity training? It appears to be that many industries that specialize in contracted services may be using the latest technologies, but they don’t associate the need for cybersecurity awareness for their job duties.
“Many companies have a rigorous process for software or IT vendors; however, we’ve seen a large gap in the ability to categorize traditional contractors based on their access to controls and systems,” said Ghousuddin Syed, a senior director at ISN, in an email interview. “For example, an attack of Target’s computer system in 2014 was initiated through an HVAC contractor and a 2017 hack into the U.S. electric grid originated with a construction contractor.”
While some industries have adopted security-related regulations and certifications, there is mostly a varying level of maturity of security awareness across the board.
Should You Vet Your Contractor for Cybersecurity?
If cybersecurity is important to your business operations—and it should be—you should take care to hire like-minded contractors. Don’t hesitate to add cybersecurity awareness to your overall vetting process.
“At a minimum, companies should be looking for basic cybersecurity awareness training that includes areas like password complexity and understanding how baseline cyber attacks occur,” said Syed. “While cyberattacks can often be traced to more than one vulnerability, some of the most common attacks initiated by cyber-unaware contractors are social engineering, phishing, malware attacks and impersonation.”
If you use a contractor management platform for hiring, you can easily communicate and require that applicants have cybersecurity awareness training and a certain proficiency level. If you will be working with any specific individuals through third-party contractors, it may be worthwhile to discuss cybersecurity with them separately from the contracting company. While the contractor may have certain standards, that doesn’t mean that has trickled down to individual workers (or maybe that person will know even more than the contractor requires).
Should you find the ideal contractor for all other aspects of the job but one that lacks in cybersecurity awareness, you have a tough decision to make. Syed suggested hiring organizations make it clear exactly where it stands on cybersecurity and settle for nothing less. If the contractor is definitely the one you want, it might be worth it to require some training before the job begins as part of the contract.
Decreasing the Third-Party Risk
Third parties have always added an element of risk to organizations, but the emergence of cybersecurity risk can make companies without a strong cyber plan in place particularly vulnerable to cyber-unaware contractors. “A possible breach and subsequent shutdown of a company’s network can lead to lost work hours and financial losses,” Syed said. “For many companies, exposure of sensitive customer or personnel data is of the highest concern. Improper management of data can result in legal ramifications and reputational damage.”
So it is up to organizational leaders and regular employees to reinforce best cybersecurity practices with third-party contractors.
“When it comes to hiring practices, employees can mitigate cybersecurity risk by restricting access to third-party contractor companies that are not in compliance with the worksite’s cyber requirements,” he advised. “After hiring, worksite managers and directors should enforce cyber security through ongoing training, like holding toolbox talks on cyber-related topics, performing annual refresher training and acknowledging that questionnaires and policies remain current. On a day-to-day basis, contractors should be assigned onsite escorts to act as a second set of eyes watching out for cyberattack warning signs.”
Good cybersecurity practices come down to good cybersecurity awareness education. Before hiring a contractor, Syed recommended the contractor should:
- Make sure the contractor is able to meet industry compliance guidelines.
- Provide a cybersecurity questionnaire about the company’s internal procedures and cybersecurity posture.
- Provide copies of applicable industry regulations or certifications.
- Provide proof of cyber liability insurance coverage.
Helping to educate third-party contractors and setting clear expectations around cyber significantly helps mitigate the risk of a cybersecurity attack on job sites.