Most organisations utilise contractors in one form or another. From an independent specialist working on a particular project, through to the use of a third party company providing a team to fulfil a function, contractors are part of everyday working life.
These contractors typically have the same access to an organisation’s assets, including those deemed most sensitive, as directly-employed employees and yet on some occasions in some organisations, contractors are not always required to abide by the same personnel security requirements.
While this may be a business-driven decision, potentially this could leave an organisation open to risk.
CPNI recommends that organisations use the same personnel security measures with contractors as they would with their directly employed staff. But, it is recognised that at certain times, business pressures may force organisations to use reduced or alternative measures.
On these occasions, it is up to the organisation to make a risk assessment as to why they need to downgrade their personnel security standards and what alternative measures can be used instead.
Regardless of what decision is made, it is the employing organisation which owns and needs to manage effectively the risk of granting the contractor access to its sites and assets, not the contractor organisation or agency. The employing organisation also has a responsibility to ensure good security practices are in place and are followed by all staff.
Where contractors are usually given access to the same organisational assets as employees in similar roles, they can have the same impact if they use their access for unauthorised purposes. Potential challenges can include:
- a contractor’s primary loyalty may not necessarily be to the employing organisation and their commitment to security may be diminished;
- a contractor feeling that they are not fully part of the team within which they are working;
- a contractor may work in competitor organisations consecutively or simultaneously;
- contracts can be renewed or extended to the point where a contractor can work in an organisation for many years, often with little or no re-screening;
- a contractor may move between departments with the new department not being aware of security constraints that apply to the contractor;
- a contractor may be poorly supported by the organisation that contracted them, who may not see the same responsibility to provide assistance, welfare support or monitoring to non-permanent staff.
Personnel Security and Contractors
A Good Practice Guide for Employers provides information about good practice in the secure use of contractors for any organisation. It provides a useful supplement to existing procedures, and for those who are considering introducing new or enhanced personnel security measures.
The guidance is not intended to replace an organisation’s existing policies, but rather to confirm and supplement them. It has been designed to sit alongside other CPNI personnel security products and is aimed at contract managers, human resources managers, line managers and anyone else who may be responsible for the recruitment or management of contractors.
The business world is becoming more connected and interconnected. Our companies and homes increasingly rely on items and services that are supplied or run by others and companies increasingly hire contractors and consultants to provide specialist skills. All of these external services comprise IT, people and physical assets and all are vulnerable to failure or malicious behaviour.
Historically, suppliers mostly provided hardware, goods or in-house skills. However that landscape has changed. Increasingly, we see suppliers (and often their suppliers and their suppliers) securing wide and long-term access to their clients’ information, assets and people. Often that access is unmonitored and has escalated beyond its original boundary. Some examples of these large scale accesses are:
- Cloud providers, who may hold huge amounts of their clients’ data (e.g. credit information, personal data, staff records, intellectual property) in other organisations or even in other countries;
- IT contractors who deploy their staff into multiple client organisations, who may hold sensitive accesses at two competing companies simultaneously;
- Network service suppliers who provide data storage or Security Operations Centre functions at remote locations (often overseas);
- Overseas call centres;
- Vendors who supply and maintain safety or physical security (e.g. barriers or alarms) to sensitive sites;
- Third party recruitment consultancies, who hire staff on behalf of clients.
Each of these situations can put the end user’s security, resilience, compliance or stability at risk. Suppliers can cause these sorts of incidents by not managing their own security, acting irresponsibly, employing rogue staff who exploit their positions, or any number of other ways.
CPNI and the National Cyber Security Centre (NCSC) jointly propose a series of 12 principles, designed to help you establish effective control and oversight of your supply chain. The Supply Chain Security Guidance covers cyber, physical and people security and a Principles of Supply Chain Security Infographic is also available.