Louis Evans

Incoming Cyber Risk: How Your Contractors Can Undermine Your Security

At Arctic Wolf, we have regular “war story” roundtables, where our battle-scarred cybersecurity engineers share details of their latest travails in the AWN CyberSOC™ trenches. In recent war story meetings, I’ve seen the distinct emergence of a new category of cyber risk: third-party contractors.

In one story after another, our customers invited outside contractors onto their business sites and networks. These contractors spanned the gamut: hardware maintenance, IT vendors, business consultants, and even outside security contractors. Each was trusted with important permissions.

Ironically, it turned out that these contractors themselves posed the real threat. Here are some examples:

  • A maintenance technician’s laptop was infected and began attacking local systems
  • A technical contractor’s laptop was too seriously compromised to install anti-malware software; nonetheless, the contractor refused scans and kept connecting the laptop to the business network
  • At one company, a risk assessment consultant created unauthorized admin-level accounts in company systems to ease their work responsibilities, which left their customers less secure
  • A security vendor brought in to make improvements misconfigured the client’s IDS and firewall products, leaving the company wide open to attack


When you think about it, it’s not surprising that contractors pose one of the biggest risks to your organization’s security. You put a lot of effort into securing your network perimeter and monitoring it for cyberattacks, yet contractors walk into your office with their own hardware and plug it right into your business systems. And while you establish policies and introduce specific tools to secure your employees’ laptops and other devices, contractors don’t need to comply with those policies.

What’s more, although employee insider threat is a real risk, most employees don’t want to be fired or disciplined for taking unauthorized risks with your systems. But contractors are incentivized to get in and get out as fast as they can—whether that’s through carelessness, cutting corners, or breaking rules. That makes them a significant risk to your cybersecurity.

Think hiring consultants from big name companies will help protect you? Think again. The contractors listed above came from industry leaders in their respective fields. And no company in today’s economy, from Fortune 500 to a mom-and-pop shop, can afford to go without contractors entirely.

Almost nobody is talking about third-party contractor risk, despite the oversized role it plays in today’s cybersecurity challenges. So, what can you do to protect your business? There are three major components to a contractor risk management strategy.

First, establish security policies for contractors you bring in, and communicate these policies. For example, you could require that contractor laptops be scanned for vulnerabilities using AV software to meet your company’s hygiene policies.

Second, implement solutions that can control the scope of a contractor breach. Entitlement management solutions, which provide only fine-grained privileges to specified users, are essential. Network segmentation also plays a role, with contractors allowed only on the company’s guest network.

Third, get a threat detection and response solution in place. This enables you to continuously monitor your network and systems for anomalous activity.

That third step is particularly crucial. No matter how well you build your defenses, cyber risk will always exist and cyberthreats will still sneak through. In each of the war stories above, our managed detection and response solution was able to identify the contractor threats either at the time of breach or immediately after. Effective detection allows prompt remediation, which minimizes the business impact of the breach.
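
Two of the situations above, a contractor creating admin-level access and a contractor device showing up outside the guest network, can be expressed as simple detection rules over logs. The following Python example is added here and is not Arctic Wolf's code or part of the original post; the event fields, account names, MAC addresses, guest subnet and change-ticket IDs are all constructed assumptions.

```python
import ipaddress

# Assumed policy values (constructed for this example).
GUEST_NET = ipaddress.ip_network("10.50.0.0/24")
CONTRACTOR_ACCOUNTS = {"c-jdoe", "c-asmith"}
CONTRACTOR_MACS = {"aa:bb:cc:00:00:01"}
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
APPROVED_CHANGES = {"CHG-1001"}

# Constructed sample events, normalized from hypothetical directory and DHCP logs.
EVENTS = [
    {"type": "group_add", "actor": "c-jdoe", "target": "svc-audit",
     "group": "Domain Admins", "change": None},
    {"type": "group_add", "actor": "c-asmith", "target": "c-asmith",
     "group": "Administrators", "change": "CHG-1001"},
    {"type": "group_add", "actor": "it-admin", "target": "newhire",
     "group": "Staff", "change": None},
    {"type": "dhcp_lease", "mac": "aa:bb:cc:00:00:01", "ip": "10.50.0.23"},
    {"type": "dhcp_lease", "mac": "AA:BB:CC:00:00:01", "ip": "10.10.4.7"},
    {"type": "dhcp_lease", "mac": "de:ad:be:ef:00:02", "ip": "10.10.4.8"},
]

def detect(events):
    """Return a list of (rule, detail) alerts for contractor policy violations."""
    alerts = []
    for ev in events:
        if ev["type"] == "group_add":
            # Rule 1: a contractor grants admin-level membership
            # without an approved change ticket.
            if (ev["actor"] in CONTRACTOR_ACCOUNTS
                    and ev["group"] in ADMIN_GROUPS
                    and ev.get("change") not in APPROVED_CHANGES):
                alerts.append(("unauthorized_admin_grant",
                               f'{ev["actor"]} -> {ev["target"]} ({ev["group"]})'))
        elif ev["type"] == "dhcp_lease":
            # Rule 2: a known contractor device leased an address
            # outside the guest network (MAC compared case-insensitively).
            mac = ev["mac"].lower()
            if mac in CONTRACTOR_MACS and ipaddress.ip_address(ev["ip"]) not in GUEST_NET:
                alerts.append(("contractor_off_guest_net", f'{mac} at {ev["ip"]}'))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(rule, detail)
```
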


You can learn more about our MDR solution.