Giving a contractor access to your information and assets carries the same security risks as giving that access to a permanent employee, plus some extra risks.
The main risk is that a current or former contractor will accidentally or maliciously misuse their trusted access to harm your organisation’s people, customers, assets and information, or reputation. This risk is known as the ‘insider threat’.
To protect your information and assets:
- use the same personnel security measures with contractors as you would with permanent employees
- consider extra measures to counter the security challenges that contractors can present.
Extra security challenges with contractors
The following challenges are common with contractors.
Gaining commitment to your security measures
If you don’t induct a contractor to your security culture or make them feel a part of the team, their commitment to your security measures may not be strong.
Knowing about competing interests
A contractor may work for a competitor before, during, and after their contract with you. If you don’t ask about conflicts of interest, you can’t assess the risks or manage them.
Renewing or extending contracts
If you renew or extend a contract without re-screening the contractor, you can’t easily identify new risks arising from changes in the work environment or the contractor’s life.
Moving contractors from one assignment to another
If you move a contractor from one assignment to another with a higher security profile without proper checks and a security handover, you raise the risk of problems occurring.
Guidance to help you manage contractors
To address the insider threat and the extra risks that come with contractors, you can:
- follow the process and tips in our 'Guide to hiring and managing contractors' (available from the Supporting Documents section at the end of this page)
- print the contractor management lifecycle and checklist to support your work with contractors.
Page last modified: 18/08/2019