January 6, 2021

Do You Know Who’s in Your Systems? The Costs and Risks of Non-Employees

The digitalization of the workforce and rise of the gig economy have significantly altered the structure of many organizations, which in turn has posed new challenges for HR teams. In addition to traditional full-time employees (FTEs), many HR teams and their colleagues in IT and cybersecurity must now manage increasing numbers of contractors, vendors, partners, affiliates, and freelancers, often collectively known as “non-employees.” 

There are more than 157 million people in the US workforce at any given time, 10 percent of whom are non-employees. That is a large population of people who are not actual employees but still require access to company resources to do their work. While the benefits driving organizations to utilize non-employees are many, this group of outsiders also produces a new set of business challenges, including hidden expenses and unmeasured risks.

For many businesses, the root of the problem lies in not having the necessary resources and systems in place to effectively collect and process non-employee information for important purposes like onboarding and regulatory compliance. Unlike FTE data, non-employee data must be collected in a collaborative fashion, often from different sources inside and outside of the organization.

The Oversight and Security Challenges of Non-Employees

A Ponemon Institute study found that 59 percent of companies have experienced data breaches caused by third parties, including non-employees. Only 16 percent of organizations say they can effectively mitigate third-party risks. 

Why is this? One reason is that the onboarding processes that are usually automated for FTEs typically aren't applicable to non-employees. The human resources information system (HRIS) solutions used for FTEs are not designed for the non-linear processes and relationships that characterize non-employees. In addition, attempting to use an HRIS for non-employees carries high hidden costs: the expense of keeping non-employees in this kind of costly HR system, the time invested in entering and maintaining their details, and the risk of misclassification. When organizations hire third-party workers, some form of cost savings is typically part of the value proposition. What employers may fail to consider is the cost of managing non-employee information in an HRIS (upwards of $200 per person), which adds up quickly across thousands of workers.

As a result, organizations often fall back on highly manual processes for onboarding non-employees. These manual processes are time-consuming, costly, difficult to audit and, most importantly, error-prone, which expands the risk associated with non-employee users.

Another area of risk is the fragmented and overlapping ownership of third-party identity risk management. While HR is often centralized and focused on managing FTEs, the chief risk officer or chief information security officer is usually responsible for identifying, monitoring, and mitigating internal and external risks more broadly. In addition, IT is focused on managing technology assets and access to those assets. Because no single function owns the non-employee population, these users are often loosely managed via the ad-hoc processes mentioned above, sometimes involving a collection of spreadsheets, databases, and tools.

There is often no centralized view of the relationship between the organization and the non-employee user, nor is there any automation around managing key life-cycle processes like timely terminations. Organizations lack authoritative sources of non-employee data that can be used to make well-informed business decisions and mitigate the risk associated with utilizing these resources.

Minimizing Third-Party Risk

As organizations increasingly grant access to facilities, data, and systems to ever-expanding numbers of non-employees, it becomes imperative to prove these third parties are, in fact, who they claim to be. To help mitigate the risks non-employees can pose, businesses must improve the granularity, transparency, consistency, and agility of their third-party risk management efforts. Here are some steps they can take in that regard:

1. Automate Non-Employee Onboarding

Organizations often have highly manual processes for onboarding non-employees. By automating these processes, organizations can save money and shorten the time to value of these resources.

2. Know Your Insiders

According to the aforementioned Ponemon Institute study, most organizations don't know the exact number of their third-party users, and only a third have a list of all third parties with whom they share sensitive information. The first step is therefore an authoritative inventory: who each non-employee is, which organization they come from, who inside the company sponsors them, and what they can access.

3. Audit Those With Access

Organizations should conduct regular, comprehensive user audits to ensure that non-employees have access based on the principle of least privilege, meaning the appropriate privileges for the appropriate resources at that specific point in time. It is also important to remove access promptly when it is no longer needed, for example when a contract ends. Someone should be explicitly in charge of searching for and removing orphaned accounts: accounts that no longer map to any active engagement or accountable sponsor.

4. Conduct Risk Ratings and Adjust Privileges Appropriately

While you may have carefully vetted a contracting firm, each employee of the firm comes with their own set of personal risks and should not automatically be granted access. Risk rating should be a continuous process as risk factors, individual characteristics, and access needs evolve. 

In addition, identity-proofing capabilities (software solutions that help companies prove people are who they claim to be) can further verify the individuals being granted access to company data. Identity proofing establishes at onboarding that the person receiving an account is who they claim to be; paired with strong authentication on each login, it reduces the chance that an attacker holding stolen credentials can pass as that user and steal company information or otherwise cause harm.
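As an added example (not code from the original article or from SecZetta), the following Python script sketches the reconciliation that steps 3 and 4 describe: it compares an identity-provider export of non-employee accounts against an authoritative roster of engagements, flags orphaned accounts, access that outlived the contract end date, roles beyond what the engagement allows, and dormant accounts, and assigns each flagged account a simple risk score so the reviewer knows what to deprovision first. The roster and account records, field names, role names and score weights are all constructed assumptions for illustration.

```python
"""Reconcile non-employee accounts against an authoritative engagement roster.

Added example, not code from the original article or from SecZetta. The
roster and account data below are constructed for illustration, and the
field names are assumptions about what such a source of record would carry.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRIVILEGED_ROLES = {"prod-admin", "db-admin", "domain-admin"}  # assumed role names
DORMANT_AFTER_DAYS = 90


@dataclass(frozen=True)
class Engagement:
    """One row of the authoritative non-employee roster (constructed schema)."""
    person_id: str
    vendor: str
    sponsor: str            # internal owner accountable for this person
    end_date: date          # contract end; access should not outlive it
    allowed_roles: frozenset


@dataclass(frozen=True)
class Account:
    """One account as exported from the identity provider (constructed schema)."""
    username: str
    person_id: Optional[str]   # None when the IdP holds no link to the roster
    roles: frozenset
    last_login: Optional[date]


def is_dormant(acct: Account, today: date) -> bool:
    return acct.last_login is None or (today - acct.last_login).days > DORMANT_AFTER_DAYS


def risk_score(acct: Account, eng: Optional[Engagement], today: date) -> int:
    """Additive rating; the weights are illustrative, not an industry standard."""
    score = 0
    if eng is None:
        score += 5                      # nobody is accountable for this account
    elif eng.end_date < today:
        score += 5                      # engagement is over but access is still live
    elif eng.end_date - today <= timedelta(days=14):
        score += 1                      # leaving soon; do not extend privileges
    score += 3 * len(acct.roles & PRIVILEGED_ROLES)
    if is_dormant(acct, today):
        score += 2                      # unused accounts are attractive to attackers
    return score


def audit(roster, accounts, today):
    """Return {username: (risk, [findings])} for every account that needs action."""
    by_person = {e.person_id: e for e in roster}
    report = {}
    for acct in accounts:
        eng = by_person.get(acct.person_id) if acct.person_id else None
        findings = []
        if eng is None:
            findings.append("orphaned: no authoritative engagement; disable and investigate")
        else:
            if eng.end_date < today:
                findings.append(f"expired: engagement ended {eng.end_date.isoformat()}; deprovision")
            excess = acct.roles - eng.allowed_roles
            if excess:
                findings.append("excess privilege: remove " + ", ".join(sorted(excess)))
        if is_dormant(acct, today):
            findings.append(f"dormant: no login in {DORMANT_AFTER_DAYS} days; confirm still needed")
        if findings:
            report[acct.username] = (risk_score(acct, eng, today), findings)
    return report


# Constructed sample data: three roster entries and four accounts.
TODAY = date(2021, 1, 6)
ROSTER = [
    Engagement("C-1001", "Acme Consulting", "j.doe", date(2021, 6, 30), frozenset({"reporting-ro"})),
    Engagement("C-1002", "Acme Consulting", "j.doe", date(2020, 12, 15), frozenset({"reporting-ro"})),
    Engagement("C-1003", "DBWorks LLC", "k.lee", date(2021, 3, 31), frozenset({"db-admin"})),
]
ACCOUNTS = [
    Account("acme-a.smith", "C-1001", frozenset({"reporting-ro"}), date(2021, 1, 4)),        # clean
    Account("acme-b.jones", "C-1002", frozenset({"reporting-ro"}), date(2020, 12, 14)),      # contract ended
    Account("dbw-c.park", "C-1003", frozenset({"db-admin", "prod-admin"}), date(2021, 1, 5)),  # extra role
    Account("svc-legacy", None, frozenset({"domain-admin"}), None),                          # orphaned, dormant
]

if __name__ == "__main__":
    ranked = sorted(audit(ROSTER, ACCOUNTS, TODAY).items(), key=lambda kv: -kv[1][0])
    for user, (risk, findings) in ranked:
        print(f"{user:<14} risk={risk}")
        for finding in findings:
            print("   -", finding)
```

The script is deliberately driven by the roster, not by the account list: an account that cannot be tied back to an engagement is the orphaned case the audit exists to catch, and an account whose engagement has ended is flagged even if its owner logged in yesterday. Run in a real environment, the roster would come from the non-employee source of record described above and the accounts from an identity-provider export, with the findings feeding a deprovisioning workflow rather than a print loop.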

Without proper identity and access management procedures for non-employees in place, organizations are exposed to security breaches. With the right identity-proofing practices and capabilities, businesses can cost-effectively verify the identities of their users, support risk management initiatives, and better protect critical assets.

David Pignolet is CEO of SecZetta.


With nearly two decades of experience in application, network, and data security, David Pignolet founded SecZetta in 2006, putting together a highly experienced team and securing strategic partnerships to address a growing need for better IT security and identity and access management in the market. As a successful entrepreneur, David has founded two IT management and security companies working with medium and large enterprises in healthcare, finance, and retail. He is a former member of the Air Force National Guard, where he specialized in combat communications focusing on encrypted secure communications.