CIOs need to worry about the rise in temporary workers and consultants brought about by the recession

(03/11/2009)

In June this year, the CBI predicted that we’re going to be stuck in recession for at least another twelve months. The dangers of the current financial situation on employee morale are clear – no one likes feeling as though their jobs are under threat, or that their company can’t afford promotions or pay rises.

But what are the risks of disgruntled employees for security, specifically information security? According to the Association of Certified Fraud Examiners in the US, insider fraud on average equals seven per cent of revenues. Earlier this year, a Deloitte survey revealed that two-thirds of executives expect insider crime to rise in the next two years. If both organisations are right, discontented employees could be making a serious dent in already stretched finances.

Insider crime isn’t limited to permanent employees, however. When locating the Bermuda Triangle seems like an easier prospect than financial ‘planning’, companies turn to temporary workers, whom they can hire quickly and who don’t affect long-term resource planning. While the rest of the job market is crashing, 60 per cent of firms reported a stable or increased demand for temporary workers in May 2009.

The risks to corporate security are significant here. Temporary workers aren’t always receptionists and data entry clerks; more senior business consultants are now being heavily used. They often work remotely, and need to access company information in order to do their jobs. This information might include employees’ personal details or salaries, and corporate financial information that could have a huge impact on share price. The CIO is caught in a ‘corporate trust trap’ – does trusting the consultant to access what they need to do their job effectively mean security has to be compromised?

We’re not necessarily talking about the security of data storage here – it’s an ongoing battle to stay on the front foot, but large Internet organisations and encryption technologies do a good job of ensuring information is safe from illegal hackers. The bigger issue is that of authenticating the user – if confidential information has to be freely available wherever you are, how do you make sure that it isn’t just anyone who is accessing it?

Passwords are the traditional form of user authentication, but all passwords can be broken – ultimately a password is only secure as long as no one else knows what it is. IT security forensic experts can break up to 3 million passwords a day using specialist machines. No matter what combination of letters and numbers you use, the fact remains that no password is strong enough for the determined thief.

And that’s before you allow for lax employee attitudes to IT security. We all know one of those users who still rely on the ‘Post-It note on the laptop’ method of remembering what their password is.

As we reach the summer holiday period, the risk of relying on passwords becomes even more pronounced – a recent poll we carried out revealed that three-quarters of employees admit to sharing their corporate network password with at least two colleagues.

Imagine this as a family tree – where each employee has links to two more employees – passwords spread quickly. You soon begin to get an idea of the security problems the IT team has to deal with on a daily basis when sensitive information like this is being freely given.

So what can the CIO do to avoid getting stuck in this corporate trust trap? The easiest way is to insist consultants work from the office – but companies would be limiting their choice of employees to those who are close by, rather than those who are best for the job.

Gritting your teeth and hoping for the best isn’t an option, and neither is a ‘big brother’ approach to what information can be accessed. The latter is a waste of time and a frustration to those trying to do their job.

New and even existing hardware can be used to provide an extra layer of security through ‘two-factor’ authentication – providing additional passcodes as users need them. These passcodes change every time a user needs one, making it almost impossible to hack them.

According to security experts, there are three ‘factors’ to choose from when authenticating a user – human factors (‘something you are’, for example biometrics), personal factors (‘something you know’, for example your mother’s maiden name), and technical factors (‘something you have’, for example a passcard or token). Alternatively, existing hardware such as mobile phones can be used to supply this technical factor – displaying a passcode via SMS. This is a greener method of authenticating which is much more efficient and reliable for businesses – after all, who leaves the house these days without a mobile phone?

Requiring at least two of these factors is much more reliable than relying on a password alone, and would help IT teams to keep track of temporary workers, from wherever they are working.

Temporary workers can help with cash flow and are essential to the smooth running of a business when there is a freeze on recruiting permanent staff. However, the IT team needs to know who is logging on and when, to ensure security stays tight. Keeping track of temporary consultants means IT has to be 100% sure the person logging on is who they claim to be. Ultimately, if you’re going to let your employees travel, you’ve got to give them passports.

Opinion piece submitted by Steve Watts, co-founder, SecurEnvoy
