Businesses blind to the security risks of temporary staff
Access without accountability
More than 80 per cent of temporary staff have the same level of access to company documents as permanent staff but without the same accountability, according to research released today by security firm Websense.
The survey of more than 100 temporary staff found that 88 per cent of respondents were able to access documents from the company network drive, 62 per cent had used someone else's login details to access a work PC, 52 per cent had used a co-worker's email account, and 81 per cent had unlimited access to the internet from their work PC.
A worrying level of apathy among businesses toward basic data security processes is leaving them wide open to the risk of accidental or deliberate data breaches, according to Websense. Only 21 per cent of temporary workers had signed any type of PC or web use policy.
Among the other findings, 91 per cent were able to print any work document they liked, and 37 per cent were given access to passwords for company systems like invoicing, procurement, and payroll. Forty-two per cent were able to connect a personal device like an iPod, USB key, or PDA to their work PC.
Websense says businesses are also failing to manage the use of social networking sites, which it described as "a haven for cyber criminals". The survey found that 67 per cent of temporary workers used social networking sites like Facebook during working hours and 21 per cent accessed peer-to-peer file-sharing sites.
Copyright © 2007, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Identity Management solutions are too expensive for SMBs
On top of that, it is a non-trivial task to define the business rules, roles and policies, let alone all the connectivity and development work necessary to make it work.
Identity Management/Provisioning/De-Provisioning systems are extremely complex and difficult.
Of all the IDM projects that I've been involved in over the last 3 years, most were at large banks that were seeking SOX compliance. They are multi-year engagements costing upwards of $20m.
Unless the auditors, legal department, compliance department, or government regulation demands it, small/medium companies aren't about to fork out the necessary investment to get this implemented.
Off the shelf products from Oracle, IBM, CA, Sun etc aren't cheap (nor is the consultancy involved in implementing them).
Doing the same in-house without custom tools is also very difficult and costly. It is made more difficult by the fact that most small companies follow a very ad-hoc approach to user access. It worked fine when there were only 6 of them working from a garage - everyone knew each other and needed the same level of access. Once they developed into a 20+ team, it became more difficult to maintain access for all new employees, or the correct levels of access to all the bespoke (non-integrated) applications that were being purchased. Before you realise it, you are a company of 300+ with over 50 redundant accounts belonging to ex-employees that still have full access to the corporate database (and every other application the company has) ...
The more systems, roles and employees/users, the more complex the problems become - and the more complex the solution becomes; but procrastinating won't make it go away.
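The redundant-accounts problem this comment ends on is the one check an SMB can run without buying an IDM suite: diff the directory's account export against the HR roster. The script below is an added example, not code from the article, Websense, or any commenter. The roster, the account export, the group names treated as privileged and the 90-day staleness threshold are all constructed assumptions; a real run would read the same two tables from HR and the directory.

```python
"""Reconcile directory accounts against the HR roster (added example).

Inputs are two exports an SMB can already produce:
  * an HR roster: who is employed, permanent or temporary, contract end date;
  * a directory dump: account, owning employee id, groups, last logon.
Everything below is constructed sample data, not real records.
"""
from datetime import date, timedelta

# Assumed set of groups that count as privileged for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Finance-Payroll", "DB-Admins"}

# Constructed HR roster: employee id -> record. 'end' of None means open-ended.
HR_ROSTER = {
    "e100": {"name": "Asha Patel", "kind": "perm", "end": None},
    "e101": {"name": "Ben Ortiz", "kind": "temp", "end": date(2007, 3, 30)},
    "e102": {"name": "Chloe Nguyen", "kind": "temp", "end": date(2007, 9, 30)},
    # e103 left in January and was removed from HR but not from the directory.
}

# Constructed directory export: one row per account.
ACCOUNTS = [
    {"sam": "apatel", "owner": "e100", "groups": {"Staff", "Domain Admins"},
     "last_logon": date(2007, 6, 14)},
    {"sam": "bortiz", "owner": "e101", "groups": {"Staff"},
     "last_logon": date(2007, 4, 2)},   # logged on after contract end
    {"sam": "cnguyen", "owner": "e102", "groups": {"Staff", "Finance-Payroll"},
     "last_logon": date(2007, 6, 15)},
    {"sam": "dkim", "owner": "e103", "groups": {"Staff", "DB-Admins"},
     "last_logon": date(2007, 1, 20)},  # owner no longer in HR
    {"sam": "svc_backup", "owner": None, "groups": {"Domain Admins"},
     "last_logon": date(2006, 11, 1)},  # nobody owns it
]


def reconcile(accounts, roster, today, stale_days=90):
    """Return account names grouped by finding.

    orphaned        - owner missing from HR (left, or never recorded)
    expired         - owner is still in HR but the contract end has passed
    used_after_end  - last logon is later than the contract end date
    privileged_temp - temporary worker holding a privileged group
    stale           - no logon within stale_days, whoever owns it
    """
    findings = {"orphaned": [], "expired": [], "used_after_end": [],
                "privileged_temp": [], "stale": []}
    cutoff = today - timedelta(days=stale_days)

    for acct in accounts:
        sam = acct["sam"]
        # Staleness is checked regardless of ownership: an unused account
        # is an unused account.
        if acct["last_logon"] < cutoff:
            findings["stale"].append(sam)

        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            findings["orphaned"].append(sam)
            continue

        end = owner["end"]
        if end is not None:
            if end < today:
                findings["expired"].append(sam)
            if acct["last_logon"] > end:
                findings["used_after_end"].append(sam)

        if owner["kind"] == "temp" and acct["groups"] & PRIVILEGED_GROUPS:
            findings["privileged_temp"].append(sam)

    return findings


if __name__ == "__main__":
    for kind, names in reconcile(ACCOUNTS, HR_ROSTER, date(2007, 6, 15)).items():
        print(f"{kind:16s} {', '.join(names) or '-'}")
```

Run against the constructed data with 15 June 2007 as "today", `dkim` and `svc_backup` come out as orphaned and stale, `bortiz` as an expired temp account that was still used after the contract ended, and `cnguyen` as a temp with payroll access. The roster join is the whole trick; the hard part in practice is getting HR to populate the contract end date and getting the directory to record an owner for every account.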
Frankly I doubt that
After twelve years as a developer and consultant, I must say that I have rarely, if ever, experienced such latitude in my access to client IT infrastructure.
Any bank is going to insist that you use their own hardware to access their resources, and you are generally quite clearly warned that your activity will be logged - which is quite a deterrent if you want to seek information you're not supposed to have access to.
Most other companies are going to give you a PC as well, and if they do allow you to log on to their network with your laptop, you never have access to in-house network discs.
Besides, has anyone forgotten about reputation? As a consultant, my job is to leave a customer happy so that he calls me back. That won't happen if they find evidence that I've ripped their customer database, now will it?
Temp staff are in general more risky because ...
1. Background checks are usually less thorough than for perm staff, or none at all.
2. Someone wishing to infiltrate an organisation by nefarious means will use the temp/agency staff route as the quickest easiest means of physical access.
3. Due to the difficulties of getting a new ID set up for the new temp person often arriving at short notice, they are more likely to get lent another user's ID, which is more likely to have privileged access compared to a standard new user's ID.
Why are temporary staff any more of a risk than permanent?
If these practices take place then chances are that permanent staff can access the same things and do the same things, in which case temp staff are no more a risk than perm staff.
Unless being temp makes you less honest for some reason?
Other Way Up?
Actually, this surprises me, as historically it's always been the opposite problem. I've lost count of the number of hours I've had to sit twiddling my thumbs because in order to do the job, I need access to X computer system, or Y set of documents, when temps don't get access to it.