
Outsourcing from a CyberSecurity Perspective - The Unassessed Threat.

  • Security Panda (you were expecting someone
  • Sep 28, 2018
  • 2 min read

Threat vectors. When we list them, where on the list do third-party trust relationships fall? Do we even consider the idea that contract employees, temp employees, and vendors fall into this category? I say that outsourcing is truly an unseen and unassessed threat vector.

In these days of hyper-awareness for CyberSecurity, it is surprising to read this article from the Wall Street Journal regarding the number of employee positions which have now been handed over to contractors, vendors, or temp agencies to fill. The article attributes the change to cost-saving measures, but from experience I know that contractors are almost always more expensive than regular employees; the need simply outweighs the drawbacks when time is short and there's a critical gap. As a side note, I took a quick spin through Indeed.com's job search and checked the ratio of "Full-time" to "Contract" + "Temp" positions in various fields. It's only one data point out of many, but full-time job openings outweigh contract offerings some 20:1, which lends a certain flavor of FUD to the article in question.

What is not in question, and not taken into account, is the increased risk that accompanies habitual outsourcing. Companies face larger risks by exposing their systems, environment, and data to outsiders whose background investigation and clearance they have delegated to a third party. Third-party trust is a well-known criminal vector, and it is often considerably simpler to get on board with a staffing company than it is to get hired directly at a company. This whitepaper from Security Scorecard references quite a few similar points and specific breaches and is a fast read for more info.

Interestingly, for some companies, this is actually an acknowledged method of risk transfer, making the third party responsible for potential loss and damages. I have to cry foul and point out, though, that it isn't the third party who suffers the media backlash when it's made public that a company suffered a breach that exposed PII for thousands of people. Here's a question - what was the name of the HVAC company whose stolen credentials were the first step in the 2013 PoS breach of Target? I bet you don't know, but you surely know about the Target breach. The HVAC company was Fazio Mechanical.

Supply chain attacks and third-party breaches are so ubiquitous that https://www.cybergrx.com/resources/blog/top-11-third-party-breaches-of-2018-so-far-data-breach-report/ reports that third-party involvement adds an average of $1.23 million per incident in damages to enterprises.

For me the conclusion is obvious - there's a vision gap between staffing management and risk management. The behaviour we see now is short-sighted and needs to be re-examined. Whatever a third-party staffing solution saves over providing the same services internally hardly seems to outweigh the risk vectors it introduces into the enterprise. Either way, it is a decision that should be thoroughly vetted by the CyberSecurity and Risk Management portion of the enterprise team. Don't have one? No surprise - you can outsource that too.
