Contractor Fraud and the Rise of Remote Work
Many organizations require the use of contractors, known as third parties. Managing these non-employees through the HR system, the authoritative identity source for their IT ecosystem, can be burdensome. In addition, third-party individuals often require access to organizational resources such as shared tools, applications, or data sets to provide critical services.
The issue is that this access is usually for a limited period. Third parties present challenges and bring additional risks, such as ensuring that access is managed correctly and, when required, deprovisioned quickly. With the rise of remote work during the COVID-19 pandemic, these concerns have only been exacerbated.
Many companies assume that virtually checking a photo of a new contractor’s driver’s license and passport ensures that they are always the person logging in and working from home every day. Unfortunately, this isn’t necessarily the case. The increase in remote work in the last year has made it easier than ever for fraudsters to attack your organization.
How Does Contractor Fraud Happen?
Let’s look at how identity fraud happens in an organization. When a new contractor gets hired, they receive access to numerous company resources like email and Slack. To gain access to these resources, they will likely use an Active Directory username and password as well as 2FA, such as a one-time code tool.
What happens if this contractor decides to outsource some or all of their work? The contractor will provide a third-party outsourcer with their usernames, passwords, and 2FA codes. This can be done in seconds on collaboration tools like WhatsApp and Slack. Whether this person simply found someone cheaper to do their work, or they are getting paid by a third party to let them into the organization to steal intellectual property, this could have detrimental security consequences for your organization.
For example, your company likely did a thorough background check of your current employees and contractors. However, you did not do a background check of the subcontractor. This means that this individual could have a questionable background that is not suitable to work at your company. Your company resources and knowledge are now vulnerable to the will of the subcontractor.
How Does 1Kosmos Improve Third-Party Access Governance?
The reality is that nearly all organizations have a variety of these third-party individuals who need access to infrastructure, applications, and data. 1Kosmos improves the security of third-party access with our distributed digital identity platform that is both FIDO2 and NIST certified.
The benefit of onboarding contractors with 1Kosmos BlockID is the highest degree of identity assurance. When contractors are bound to their proofed identities with 1Kosmos, they have identity-based biometric authentication and a passwordless experience. In practice, contractors can use their secure mobile device for physical or logical authentication and for the step-up authentication required for privileged access. As a result, each access event is associated with a real, verified identity. Overall, organizations will eliminate the risk of contractor fraud and the extra security exposures that contractors introduce.
Are you interested in learning more? I invite you to register for our August 18th webinar where John Bogdan and Mike Engle will be discussing how to protect your SSO from vendor and contractor compromise.