Managing contractors

Giving a contractor access to your information and assets comes with the same security risks as for permanent employees, and some extra risks.

The main risk is that a current or former contractor will accidentally or maliciously misuse their trusted access to harm your organisation’s people, customers, assets and information, or reputation. This risk is known as the ‘insider threat’.

To protect your information and assets:

• use the same personnel security measures with contractors as you would with permanent employees
• consider extra measures to counter the security challenges that contractors can present.

Extra security challenges with contractors

The following challenges are common with contractors.

Gaining commitment to your security measures

If you don’t induct a contractor to your security culture or make them feel a part of the team, their commitment to your security measures may not be strong.

Knowing about competing interests

A contractor may work for a competitor before, during, and after their contract with you. If you don’t ask about conflicts of interest, you can’t assess the risks or manage them.

Renewing or extending contracts

If you renew or extend a contract without re-checking or re-verifying the contractor, you can’t easily identify new risks arising from changes in the work environment or the contractor’s life.

Moving contractors from one assignment to another

If you move a contractor from one assignment to another with a higher security profile without proper checks and a security handover, you raise the risk of problems occurring.

Guidance to help you manage contractors

To address the insider threat and extra challenges with contractors, follow the process and tips in our Guide to hiring and managing contractors (available from the Supporting Documents section below).

Page last modified: 4/05/2022