Most people are good. Most people don’t abuse access to a workplace. However, bad behavior regarding access management is more common than you think.
Employee processes are standardized and controlled by HR. Contingent worker processes, however, may be owned by Procurement, or have no owner at all, and often follow separate offboarding protocols. This means that the protections you have for employees may not apply to contract workers.
Some risks are due to a lack of operational controls, others to a lack of visibility. These risks apply to all workers but are heightened by the revolving-door nature of your temporary talent pool. Many companies don’t have a centralized team to manage offboarding; others aren’t even aware that any action should have taken place.
For example, outsourced work or managed services are commonly supervised by a supplier account manager rather than an employee manager. Since the internal manager doesn't directly manage the team, they may not even be aware that a worker was reassigned or replaced. With no visibility, the manager has no idea that they were supposed to offboard a worker.
These risks vary from company to company, but the most common identity and access management risks for contingent workers are:
- Theft of intellectual property
- Loss of confidential information (client lists, preferred vendors, pricing, product strategy)
- Loss of physical property (stolen laptops, mobiles, office equipment)
- Loss of trust around data and privacy
- Failed audits and control tests
Network Security Risks
While network access is tightly regulated for most employees, external worker data often resides outside the traditional process. This most often happens when system access isn’t controlled by an Active Directory or LDAP account that defines all access. It’s especially common when you provide tools to a worker that reside outside your SSO domains, or that allow the creation of a personalized login not tied to a corporate email address.
When offboarding activities or processes are unclear or unmanaged, clear negative impacts can and have occurred. For instance, a peer told me about a temporary worker who was able to download and steal client data after their exit date, so the company had to report a GDPR breach. Another friend discussed a worker who took prototype illustrations of a new product and go-to-market strategies to a competitor.
The common thread here is having different systems and processes for different parts of the workforce.
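One control that closes the gap described above is a periodic reconciliation of each tool's account export against the contingent-worker roster. The script below is an added example, not code from the original post: it flags accounts that are still active past the worker's end date, logins that are not corporate e-mail addresses, and accounts that cannot be tied to any roster identity at all. The roster fields, the `example.com` domain and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
CORPORATE_DOMAIN = "example.com"  # assumed corporate e-mail domain (placeholder)

@dataclass(frozen=True)
class Worker:
    worker_id: str
    email: str
    end_date: Optional[date]  # None means the engagement is still open

@dataclass(frozen=True)
class Account:
    app: str
    login: str                # e-mail address used to sign in to the tool
    worker_id: Optional[str]  # roster link, if the tool records one at all
    active: bool

def find_offboarding_gaps(roster, accounts, today):
    """Return (account, reason) pairs that still need an offboarding action."""
    by_id = {w.worker_id: w for w in roster}
    by_email = {w.email.lower(): w for w in roster}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue
        # Prefer the explicit roster link; fall back to matching the login e-mail.
        worker = by_id.get(acct.worker_id) or by_email.get(acct.login.lower())
        if worker is None:
            findings.append((acct, "orphan: login not tied to any roster identity"))
            continue
        if worker.end_date is not None and worker.end_date < today:
            findings.append((acct, f"active after end date {worker.end_date}"))
        if not acct.login.lower().endswith("@" + CORPORATE_DOMAIN):
            findings.append((acct, "personal login outside the corporate domain"))
    return findings

# Constructed sample data: a Procurement roster and an export from a design tool
# that sits outside SSO and lets users self-register with any e-mail address.
ROSTER = [
    Worker("CW-1001", "a.lee@example.com", date(2024, 3, 31)),  # contract ended
    Worker("CW-1002", "b.ng@example.com", None),                # still engaged
]
ACCOUNTS = [
    Account("design-tool", "a.lee@example.com", "CW-1001", True),
    Account("design-tool", "b.ng@example.com", "CW-1002", True),
    Account("design-tool", "b.ng@gmail.com", "CW-1002", True),
    Account("design-tool", "c.ortiz.personal@gmail.com", None, True),
    Account("ticketing", "old.user@example.com", None, False),  # already disabled
]
```

Run against a review date with `find_offboarding_gaps(ROSTER, ACCOUNTS, date(2024, 6, 1))`; the sample yields three findings (one expired contract, one personal login, one orphan) and skips the disabled account.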
Risks of Continued Facilities Access
Access to facilities is another major risk that organizations can face when it comes to their extended workforce. In one example, a company allowed its suppliers to grant access to individuals on their behalf. An outsourced worker granted building access to three friends and hosted an after-hours gambling ring in the company office for months. A local police sting operation brought it to light, but the company had been completely unaware.
Another time, a contingent worker’s badge had been properly deactivated, but he still had it in his possession, so employees politely held the door open for him because they saw that he had a badge. He was able to walk through conference rooms and take pictures of whiteboard drawings for the next few days.
Extended access can be a safety concern and, more likely, can result in the loss of physical property or confidential information. You see this most often when security or badging teams require separate tickets or ad hoc emails to offboard a worker, and there is no team or process to track which of these activities are required and which have actually been completed.
Public Relations and Audit Risks
Publicly held companies are held to several different auditing standards: SOX, SOC, ISO, GDPR, etc. Most are simply about controls, ensuring that the things you expect to happen actually happen. There is a specific focus on how IT grants and revokes access: to whom, when, and whether it was done in a timely manner. However, those same protocols for employees don’t always end up applying to an organization’s extended workforce. And obviously, failing an audit can result in heavy fines, loss of the public's trust and bad publicity.
Centralize to Drive Compliance
Centralizing the offboarding process enables clear ownership, helps ensure the guidelines are clear and repeatable, and ensures that someone is curating how offboarding occurs and confirming that it is fully completed.
True ownership, while still collaborating with the parties responsible for individual activities, enables the creation of guidelines, technology-enhanced and tracked requirements, and visibility into whether service level agreements with the business and its policies are being met.