While it may not be the first thing you consider when hiring a contractor, cybersecurity concerns are not to be left by the wayside.
Contractors may work onsite to perform specific roles within your company. This includes individuals hired through staffing agencies or temp services. Another type of contractor might be onsite to perform a specific job; for example, an electrician making a necessary repair. In today’s digitized world, nearly every employee is guaranteed partial or full exposure to at least some computer systems.
Know that it’s okay to set reasonable expectations.
As a business owner, use your judgment to determine how central a role cybersecurity discussions need to play in your relationship. Some of this is situational, but all of it should be identified in writing, within a specific cybersecurity policy that addresses third-party contractors. If you haven’t considered this before, a cybersecurity expert can help you get started.
Determine who is responsible for cyber training.
If the third-party contractor in question is a staffing agency, make it clear to them that a minimum level of cybersecurity knowledge is an important criterion for you. Navigating HR concerns around training responsibilities can be tricky, but at least according to OSHA standards, worker training is a joint venture between the company the contracted worker performs work for and the staffing agency itself.
Determine responsibility for cyber liability.
Don’t wait until something happens to examine both liability potential and risk. To use the example we started with, unless the visiting electrician is staying for longer than an hour or two or working directly with your computer systems, it probably isn’t necessary to make a case about your cybersecurity policies. If your rules include keeping rooms with computer server equipment locked and secured, and this is primarily where the electrician will be working, a simple conversation will suffice.
By comparison, if you’re hiring a third-party contractor or one of their temporary workers to plug a skills gap, it’s worth asking both the contractor and their worker(s) to familiarize themselves with a paper copy of your policies and signing a form saying they’ve done so. This protects you in the event of a breach: if human negligence is discovered to be the reason, nobody can say they hadn’t heard of your cybersecurity standards and procedures.
Ask about the contractor’s policies.
If it’s relevant to the work, set aside time to talk with your contractor, or their IT specialist, about the cybersecurity measures they take. You can even ask if their internal protocols are written down, and if they’d be willing to share some of that information with you. This would give you the opportunity to see how well those policies align with yours. Granted, this will probably be mutual and cut both ways – and if you haven’t had a chance to brush up your own cybersecurity protocols, now is the time.
Cybersecurity considerations around third-party contractor work can be challenging, but this is where strategic cyber consulting can come in.