CIOs say temporary staff top insider risk
According to a survey commissioned by security company RSA and conducted online by IDC, 19.5 percent of CIOs and security executives polled perceived that contractors and temporary staff are the main cause of insider risk, compared with 12.7 percent attributing it to permanent employees.
IDC surveyed 400 respondents comprising 100 each from the United States, United Kingdom, France and Germany. CIOs and heads of IT accounted for 71 percent of respondents. The rest comprised predominantly company security officers (CSOs) and chief information security officers (CISOs), as well as vice presidents and heads of information security. The data was analyzed between February and March, and published in August.
Brian E. Burke and Christian A. Christiansen, the authors of the study, noted that although contractors are not employees, they still need access to corporate networks.
"This creates a burden for IT staff tasked with managing their access rights, monitoring their activities, and deprovisioning their accounts when their contracts expire, while still protecting sensitive information and complying with privacy regulations," said the IDC analysts in the report.
Despite this, Jason Pearce, director, sales engineering Asia-Pacific, RSA, said there is no excuse for granting contractors excessive access and privileges.
"The information or intellectual property that a company has is its most important asset, so it should be guarded very tightly. Having an effective and instituted security policy in place is the most effective tool a company can have to ensure that access issues can be reduced," Pearce told ZDNet Asia in an e-mail interview.
"If anything, more attention should be paid to ensure that temporary staff and contractors are complying with internal security policies."
One of the most common security concerns about contractors, according to Pearce, is that they are able to use their own hardware for projects in most instances.
"It is very difficult to ensure compliance when the contractors are not using company equipment that has been set up specifically to ensure adherence to security policies."
Controls on temporary staff should be tighter than those on permanent employees, both in what data they are able to access and in audits of their activities, Pearce said.
The report's authors found a high percentage of accidental issues from contractors and temporary staff, "which is not surprising".
"These workers have only a casual understanding of a firm's security policies. They are focused on hitting deadlines, not complying with internal security policies. They strongly believe that compliance is someone else's problem," they wrote.