Today (June 28, 2022), the FBI issued a warning stating that scammers may be trying to score jobs at companies to access customer or financial data, corporate IT databases, and/or proprietary information. It goes on to state that there has been an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for various remote work and work-at-home positions.
This is a solvable problem, beginning with strong identity verification during the hiring process. Unfortunately, while identity verification is a standard process, current practices have failed to keep up with fraudsters.
Contractor Fraud and the Rise of Remote Work
Many organizations require the use of contractors, known as third parties. Managing these non-employees through the HR system, the authoritative identity source for their IT ecosystem, can be burdensome. In addition, third-party individuals often require access to organizational resources such as shared tools, applications, or data sets to provide critical services.
The issue is that this access is usually for a limited period. Third parties present challenges and bring additional risks, such as ensuring that access rights and permissions are managed correctly and, when required, deprovisioned quickly. With the rise of remote work during the COVID-19 pandemic, these concerns have only been exacerbated.
Many companies assume that virtually checking a photo of a new contractor’s driver’s license and passport ensures that they are always the person logging in and working from home every day. Unfortunately, this isn’t necessarily the case. The increase in remote work in the last year has made it easier for fraudsters to attack your organization.
How Does Contractor Fraud Happen?
Let’s look at how identity fraud happens in an organization. When new contractors get hired, they receive access to numerous company resources like email and Slack. To gain access to these resources, they will likely use an Active Directory username and password and a 2FA tool.
What happens if this contractor outsources their work? The employee will provide a third-party outsourcer with usernames, passwords, and 2FA codes. It’s been done before, and with today’s collaboration technologies like WhatsApp and Slack, it can be done in seconds. This could be detrimental to an organization if this person found someone cheaper to do their work or got paid by a third party to let them into the organization to steal intellectual property.
Your company likely did a thorough background check of your employees and contractors. However, you did not do a background check on the subcontractor. This means that this individual could have a questionable background that is not suitable to work at your company. Your company resources and knowledge are vulnerable to the subcontractor.
How Does 1Kosmos Improve Third-Party Access Governance?
The reality is that nearly all organizations have a variety of these third-party individuals who need access to infrastructure, applications, and data. 1Kosmos improves the security of third-party access with our distributed digital identity platform that is FIDO2, NIST, and PAD2 certified.
The benefit of onboarding contractors with 1Kosmos BlockID is ensuring the highest degree of identity assurance in a virtual environment, eliminating fraudulent activities. Contractors who are bound to their proofed identity with 1Kosmos have identity-based biometric authentication and a passwordless experience. In practice, contractors can utilize their secure mobile device for physical or logical authentication and for the step-up authentication required for privileged access. As a result, each access event is associated with a real, verified identity. Overall, organizations will eliminate the risk of contractor fraud and the extra security exposures contractors introduce.
Are you interested in learning more? I invite you to check out a webinar where we covered this very issue, “Identity-Based Authentication and The Journey to Passwordless,” in which Edward Amoroso and Mike Engle discussed third-party access management and contractor fraud prevention.
Additionally, this whitepaper covers our integration with Saviynt Third Party Access Governance. The combination of technologies ensures that when a contractor authenticates into the organization, you will have a high assurance that it is the contractor you hired, not someone else working on their behalf or a hacker!