The weakest link: Securing your extended workforce

Like many organizations, we work with third-party vendors to expand our business capabilities. However, third parties don’t necessarily provide the same security standards and protocols. This makes them a prime target for attackers, who may view them as the easiest entryway into the core organization.

As my colleague Jen Waugh wrote in her recent blog outlining how Okta fosters a security culture, the data Okta holds — both our own and that of our customers and partners — and the importance of our products make us a target for cyberattackers. 

By proximity, that means the target is also on the backs of our extended workforce: contractors, consultants, vendors, service providers, acquired companies, and partners with physical or logical access to our systems.

Threat actors may see this group (for simplicity, I’ll refer to “contractors,” “third parties,” or “extended workforce” interchangeably) as a comparative weakness in our overall attack surface. Part of my job is making sure our adversaries are mistaken in this assumption by securing our extended workforce with the same safeguards that are in place for our own employees.

In fact, that’s the TL;DR of this post: I recommend that every organization enforce the same strict controls across their entire workforce, both in-house and extended. Of course, defining that objective is just the first step, so I’ll share a few ways in which we at Okta have worked to achieve it.

Before I dive into those details, though, let me first note that every organization should also implement a third-party risk program to drive a comprehensive due diligence process when selecting and monitoring third-party service providers. This topic could be an entire post in itself, but here I’ll simply mention that such a program should include:

• Evaluation of third-party information security controls
• Contractual assurance for third-party security responsibilities, controls, and reporting

Let’s take a closer look at how Okta secures our extended workforce.

Hardened and managed devices, with no exceptions

One of the most serious and (unfortunately) common security mistakes organizations make is allowing third parties to access internal systems from devices that aren’t managed or locked down.

It’s worth pointing out that even companies with strict device policies in place can be tempted to make exceptions, especially for urgent projects with new partners. “We’ll just grant temporary access until we can ship them a hardened device…” may sound prudent under the specter of a looming deadline, but one crack in the armor is all that a threat actor needs.

Today, contractors cannot access Okta systems unless they’re doing so from a hardened Okta device or (in a small number of BYOD scenarios) one running our device management software. In addition to phishing-resistant authentication, these devices enforce extra security practices such as VPN use and device security posture assessments.

It wasn’t always this way, though, so a lot of the work we’ve done to harden our attack surface has involved delivering on a two-pronged approach of:

• Ensuring that every existing contractor was issued a hardened device and an offline security key (in our case a YubiKey)
• Updating our contractor onboarding processes (more on this in a moment)

While this can be a heavy lift, particularly for large companies like Okta, strengthening your security posture is worth the effort.

What we’ve found helpful is including security as a prominent element of our values and doubling down on our commitment to security via the Okta Secure Identity Commitment. By genuinely focusing on security as an organization, we regard the costs involved in outfitting our entire extended workforce with hardened devices as investments in our security posture. These investments help us avoid or minimize the financial, legal, and reputational impact of security incidents.

Compulsory security training

As part of the onboarding process, all contractors working with Okta are required to complete our mandatory training, including:

• General security awareness, which explains, among other things, how to protect our company, computer systems, data, people, and other assets from threats or criminals
• Data privacy, which covers the importance of data privacy, data privacy principles, and best practices for handling and protecting sensitive data
• Physical security, which addresses security within our facilities (as some contractors may need to visit our offices) and securing sensitive information in the physical world

And we’re very serious about this. Contractors who neglect their responsibilities will get a ping from me, which is probably not the highlight of their day. All of these modules are important, but general security awareness training is especially vital.

With general security awareness training, what we’re trying to achieve is in the module title: create general security awareness. So, in addition to specific guidance — from taking care when admitting outside participants to a meeting, to not leaving passwords, API keys, or encryption keys in repositories — we also try to raise awareness of the general threats a contractor might encounter.

Guarding against social engineering

For example, Okta employees are regularly targeted by threat actors seeking access to our systems, and social engineering — especially phishing and pretexting — is one of their favored approaches. Of course, threat actors are quite adept at discovering third parties that work with us and then identifying individual employees within those third parties. Consequently, those individuals are subjected to the same social engineering tactics as our own in-house team.

A contractor might not think much of adding a new bullet to their LinkedIn profile, explaining that they do some work with Okta. And they might not think anything is amiss when they receive a connection request from a professional-looking profile, or when that new contact DMs them and starts asking questions as part of “prepping for a job interview” or some other plausible reason.

Or, to pick a more extreme — but unfortunately all-too-real — example, the typical person almost certainly won’t connect the dots if they connect with someone on a dating app, meet up in person, and get to talking about what they do for a living. We know that training isn’t a magical solution, but what it does accomplish is to inform or remind contractors that they are targets — not just at work, but in their personal lives, too.

That added awareness could lead to a little bit of suspicion. That little bit of suspicion might be the difference between becoming a victim of social engineering versus connecting the subtle dots that show something is a bit off. And connecting those dots could allow the targeted individual to hit the brakes or report the threat before damage is done.

End-to-end phishing resistance

With phishing being an everyday threat, we’ve invested considerable time and effort to embed phishing resistance throughout the entire contractor lifecycle — from onboarding to offboarding. For example,  we issue a YubiKey to every contractor. This offline security key has to be activated before the contractor can access any of our systems, and it’s also used as part of our Identity verification process if a contractor needs to work with our help desk.

(And for any readers who’ve thought about rolling out YubiKeys to their workforce but held back due to the manual effort involved, Okta’s native integration with Yubico’s FIDO Pre-reg offering has made the process highly scalable.)

Similarly, device-based biometric authentication, plus tools including Okta Device Access, Okta FastPass, and Okta Verify strengthen security without adding friction that can impede someone’s efforts to do their job.

The best time to start was yesterday, the second-best time to start is now

In today’s threat environment, securing your organization requires implementing effective controls across your entire workforce, including the long list of third parties that have access to your internal systems.

There really can’t be any exceptions.

Of course, getting to that point from wherever you are today is a journey — but with support from your leadership team, it really is possible.