When Rachel Phillips, a freelance project manager, ran a digital media project for Victoria’s Secret in 2012, the company provided her with a laptop, password access to the network and an ID card to get into the building. Her contract for the project was very clear about the expectations for her work — but there was nothing in it about what would happen once the project ended.
“When the time came for offboarding, I just dropped off my equipment at the front desk and left,” she said. She later realized she forgot to turn in her ID card, but no one ever called her about it, and she’s not sure if it even still works.
Such lapses in security related to departing contract workers are surprisingly common, said Chris Dwyer, research director for Ardent Partners, an analyst firm in Boston. He notes that it is not uncommon for companies to discover that temporary employees have access to the ERP system months after they left because the company had no formal offboarding process.
“Companies fail to realize how much corporate information contractors have access to,” he said.
To avoid these security risks, companies need to put as much thought into the end of a project as the beginning. Ideally, the contractor’s access to the network should be automatically shut off on a predetermined end date as part of the contract, Dwyer said. If the project goes over that date, a manager can request a deadline extension, or have access reinstated if it gets shut off too soon.
“The time lost getting a contractor back online is a much lower risk than having them walk away with all your company information,” Dwyer said.
The contract should also stipulate what the contractor should do with any company equipment, including laptops, phones, key fobs and passcodes when the project ends, Phillips said. And there should be a formal sign-off when the handover is made.
That adds security for the company and the contractor, she said. “A sign-off protocol ensures everyone knows who has the equipment, so they can be held responsible for it.”