Most organisations utilise contractors in one form or another. From an independent specialist working on a particular project, through to the use of a third party company providing a team to fulfil a function, contractors are part of everyday working life.
These contractors typically have the same access to an organisation’s assets, including those deemed most sensitive, as directly-employed employees and yet on some occasions in some organisations, contractors are not always required to abide by the same personnel security requirements. While this may be a business-driven decision, potentially this could leave an organisation open to risk.
CPNI recommends that organisations use the same personnel security measures with contractors as they would with their directly employed staff. But, it is recognised that at certain times, business pressures may force organisations to use reduced or alternative measures. On these occasions, it is up to the organisation to make a risk assessment as to why they need to downgrade their personnel security standards and what alternative measures can be used instead.
Regardless of what decision is made, it is the employing organisation which owns and needs to manage effectively the risk of granting the contractor access to its sites and assets, not the contractor organisation or agency. The employing organisation also has a responsibility to ensure good security practices are in place and are followed by all staff.
Where contractors are usually given access to the same organisational assets as employees in similar roles, they can have the same impact if they use their access for unauthorised purposes. Potential challenges can include:
- a contractor’s primary loyalty may not necessarily be to the employing organisation and their commitment to security may be diminished;
- a contractor feeling that they are not fully part of the team within which they are working;
- a contractor may work in competitor organisations consecutively or simultaneously;
- contracts can be renewed or extended to the point where a contractor can work in an organisation for many years, often with little or no re-screening;
- a contractor may move between departments with the new department not being aware of security constraints that apply to the contractor;
- a contractor may be poorly supported by the organisation that contracted them, who may not see the same responsibility to provide assistance, welfare support or monitoring to non-permanent staff.