Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/30/2007
09:12 AM
Keith Ferrell
Keith Ferrell
Commentary
50%
50%

Temp Workers Pose Large Security Challenge

Adding extra help for the holiday rush -- or any crunch-period -- requires taking extra time to seal any potential security holes. But according to Websense, many of you won't.

Adding extra help for the holiday rush -- or any crunch-period -- requires taking extra time to seal any potential security holes. But according to Websense, many of you won't.The security company's research into UK temp worker access to company information holds some shocking findings -- but, frankly, few surprises.

More than 60 percent of the temp-hires surveyed were given a current employee's existing log-in; more than half were allowed to share an existing e-mail address.

More than 35 percent were given passwords for company systems.

More 90 percent could print whatever they wanted from the company's files.

Get this: 42.1 percent of the surveyed short-timers were allowed to connect personal digital devices -- iPods, thumb drives, etc. -- to company equipment... and thus to company networks and information.

Don't even ask about unfettered temp access to the Internet or social networking sites. Websense did, and the answers showed that anything goes as far as temps going anywhere on the Web they want. On your time, on your equipment, with your passwords.

Needless to say, few of the temps were asked to read, much less sign and agree-to, any sort of network-use policy. 78.9 percent, in fact, hit the access ground running: passworded but policyless.

Now it's neither fair nor accurate to tar all or even most temp workers with the suspicion-brush. Most of the temps you hire will work responsibly and professionally; some of you will hire some of them as permanent employees.

What is fair and accurate is the conclusion that lame security policies as far as temp workers go are reflections of the ongoing focus on getting jobs done quickly and economically, rather than getting jobs done quickly, economically and securely.

In other words, taking on temp workers to help with the workload means taking on the extra -- but essential -- work of limiting their netwrk access, educating them about what you do and don't permit with company equipment and log-ons, creating and having them sign enforceable security policies before they start their jobs, however temporary and short-time those jobs are.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Tell him only Kevin Mitnick and the President know the launch codes.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...