No enterprise is an island. In a connected world, a business cannot function without multiple relationships with third parties – outside vendors, contractors, affiliates, partners and others.

That can be a very good thing for growing a business. But it can be a very bad thing for security. While the careless insider still tends to be viewed by experts as the weakest link in the security chain, the third-party contractor (with its own group of potentially careless insiders) is now sharing that spot, creating what is somewhat euphemistically called a major "pain point."

Ron Raether and Scot Ganow, attorneys with Faruki Ireland & Cox, noted in a recent white paper for NetDiligence that while firewalls, user credentials and strong passwords remain important, the protection they provide is incomplete.

The exploding number of online access points to companies means, "our walled fortress of firewalls and the like now has hundreds and thousands of doors. These doors are guarded by sentinels that allow any variable packet (think an employee badge without a picture) to pass through that wall," they wrote, in the paper titled, "Traitors in Our Midst: The risk of employee, contractors and third parties in the age of the Internet of Things and why security in depth remains critical to risk management."

The high-profile breach last December of retailer Target, enabled by an email phishing attack on a heating, air conditioning and refrigeration contractor, is just one example – an employee of that contractor clicked on a malicious link, the credentials that attack yielded were then used to get into Target's network, and millions of credit cards were compromised as a result.

Paul Trulove, vice president of product management at SailPoint, said similar breaches are "all too common, especially within the communications and IT sectors. Just last week, AT&T disclosed that the personal information of its mobile customers was compromised by one of its third-party vendors," he said.
"The breach allowed employees of a service provider to access customer account information, including dates of birth and Social Security numbers."

It is not a new problem either. MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, wrote nearly a year ago in SearchSecurity that, "almost without exception, a third-party vendor or affiliate is involved" in a successful cyberattack.

There are a variety of reasons for the pain. Jody Westby, CEO of Global Cyber Risk, said a major one is that too many companies have not focused on security in contracts with third-party associates. "Most companies have barely begun to get their arms around managing security issues associated with arms-length outsourcing IT functions and business processes," she said.

"Companies find they have little bargaining power in requesting security measures from these providers. The third-party market blossomed and seized the opportunity before its customers thought to require security measures as part of the bargain. But the reality is that third-party providers are rich targets," she said.

Another reason is that the access of third parties is not always tracked as well as it is with regular employees. "Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust," Ulsch wrote.

Trulove agrees. "They are not salaried employees, so they often bypass HR when entering an organization and are not tracked through any centralized system," he said.
"Ironically, a lot of contractors have the same access as a permanent employee – or even deeper access in cases where an IT function is being outsourced."

A third reason is that outsiders generally bring their own hardware and software with them, which has been, and will continue to be, used on other networks that may not be secure – something experts call "poor hygiene."

That problem can be exacerbated by the reality that companies focus more on cost than on security when outsourcing services. James Arlen, senior security consultant with the Leviathan Security Group, calls it a "maturity gap," where companies outsource to vendors that are "lean, mean and cheap … but are the weak link through which bad things happen."

And according to Trulove, the use of third parties is increasing. He cited statistics showing that contract workers have increased from less than half of 1% to 2.3% since the 1980s, and that 42% of employers intend to hire temporary or contract workers this year – up 14% over the past five years.

How can companies lower those risks? There are a number of ways.
Among the basics are to change the default passwords on every connected device a company and its contractors buy, and to use both risk-based and multi-factor authentication – the kinds of things Arlen calls "Infosec 101."

There is obviously much more to good security than that, he said, "but we are not doing a good job of the basics, which we've known in detail for the last 15 years."

Beyond the basics, experts say it is mandatory for companies to pay much closer attention to their contracts with third parties – Service Level Agreements (SLAs) or Business Associate Agreements (BAAs).

Ulsch wrote that those contracts should, at a minimum, address the following components:

- Information security
- Information privacy
- Threat and risk analysis
- Compliance obligation range
- Enforcement mechanisms
- Internal audit access and disclosure requirements
- Foreign corrupt practices management

Raether and Ganow recommend that a BAA should require third-party contractors to "comply with the same security framework imposed within the company." And, "where appropriate, companies should secure the right to audit their third party contractors and then actually complete such audits."

Trulove offered several recommendations for what he called a "governance based identity management strategy," including:

"Continuous review of what information contractors can access, to make sure it is appropriate for the work they are doing. To do that, a company needs a system that allows for centralized visibility into that access.

"Since contractors pose a higher security risk to the network, create an identity risk model to understand better where the hot spots are. Details like whether this contractor is working with a competitor are critical.

"Upon termination of a contract, clean up the access environment.
Simply severing network access isn't enough. Put an automated system in place to terminate all access just like you would for an employee. During onboarding, capture the length and nature of the contract so that access expires automatically."

Even with all that, Ulsch noted that protecting the integrity of information remains the primary responsibility of the company. "While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company," he wrote.

Finally, Arlen said a major weakness in BAAs or SLAs is that too often they are "either focused on a specific compliance regulation – be it PCI or HIPAA – which is itself not a 'security' thing but rather a 'cover-asses-in-these-specific-ways' thing.

"The fix we need is meta-compliance – actual security rather than theatre that smells like security," he said.
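Trulove's three recommendations (centralized visibility into contractor access, a risk model for the hot spots, and access that expires with the contract) come down to one recurring job: join the contract registry kept by HR or procurement with an export of accounts from the identity provider, and flag anything the contract does not justify. The Python below is an added illustration of that reconciliation, not code from the article, from SailPoint or from any other vendor it names. The contract registry, the account export, the entitlement names and the 90-day dormancy threshold are all constructed assumptions; in practice the two inputs would be pulled from the HR/procurement system and the identity provider.

```python
"""Reconcile contractor accounts against the contract registry.

Added illustration for this article, not code from it or from any vendor it
names. The registry, the account export and the 90-day dormancy threshold
are constructed assumptions; real data would come from HR/procurement and
the identity provider.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

DORMANT_AFTER_DAYS = 90  # assumed review threshold, not from the article


@dataclass(frozen=True)
class Contract:
    contractor_id: str
    vendor: str
    ends: date                  # captured at onboarding so access can expire
    allowed: FrozenSet[str]     # entitlements the statement of work justifies


@dataclass(frozen=True)
class Account:
    contractor_id: str
    enabled: bool
    entitlements: FrozenSet[str]
    last_login: Optional[date]


Finding = Tuple[str, str, str]  # (contractor_id, kind, detail)


def review_contractor_access(contracts: List[Contract], accounts: List[Account],
                             today: date) -> List[Finding]:
    """Join the IdP account export with the contract registry and flag
    access that should not exist: accounts with no contract on file,
    accounts that outlived their contract, entitlements the contract does
    not justify, and enabled accounts nobody has used recently."""
    by_id: Dict[str, Contract] = {c.contractor_id: c for c in contracts}
    findings: List[Finding] = []
    for acct in accounts:
        contract = by_id.get(acct.contractor_id)
        if contract is None:
            # Bypassed HR/procurement: no central record justifies this account.
            findings.append((acct.contractor_id, "orphan", "no contract on file"))
            continue
        if acct.enabled and contract.ends < today:
            findings.append((acct.contractor_id, "expired",
                             f"contract ended {contract.ends.isoformat()}"))
        excess = acct.entitlements - contract.allowed
        if excess:
            findings.append((acct.contractor_id, "out_of_scope",
                             ",".join(sorted(excess))))
        if acct.enabled and acct.last_login is not None:
            idle = (today - acct.last_login).days
            if idle > DORMANT_AFTER_DAYS:
                findings.append((acct.contractor_id, "dormant",
                                 f"no login for {idle} days"))
    return findings


def deprovision_plan(findings: List[Finding]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Turn findings into actions: accounts to disable outright, and
    entitlements to strip from accounts that otherwise stay."""
    disable = sorted({cid for cid, kind, _ in findings if kind in ("orphan", "expired")})
    trim: Dict[str, List[str]] = {}
    for cid, kind, detail in findings:
        if kind == "out_of_scope" and cid not in disable:
            trim[cid] = detail.split(",")
    return disable, trim


# Constructed sample data (not real contractors, vendors or systems).
TODAY = date(2024, 6, 1)
CONTRACTS = [
    Contract("c-1001", "HVAC vendor", date(2024, 12, 31), frozenset({"vpn", "bms-portal"})),
    Contract("c-1002", "IT outsourcer", date(2024, 3, 31), frozenset({"vpn", "ad-admin"})),
    Contract("c-1003", "analytics vendor", date(2024, 9, 30), frozenset({"vpn", "reporting"})),
]
ACCOUNTS = [
    Account("c-1001", True, frozenset({"vpn", "bms-portal", "finance-share"}), date(2024, 5, 30)),
    Account("c-1002", True, frozenset({"vpn", "ad-admin"}), date(2024, 5, 28)),  # still active after contract end
    Account("c-1003", True, frozenset({"vpn"}), date(2024, 1, 15)),              # unused for months
    Account("c-1004", True, frozenset({"vpn"}), None),                           # never went through procurement
]

if __name__ == "__main__":
    found = review_contractor_access(CONTRACTS, ACCOUNTS, TODAY)
    for cid, kind, detail in found:
        print(f"{cid}: {kind} ({detail})")
    to_disable, to_trim = deprovision_plan(found)
    print("disable:", to_disable)
    print("remove entitlements:", to_trim)
```

Run as a scheduled job, the "orphan" and "expired" findings are the cases Trulove describes (contractors who bypassed HR, and contracts that ended without access being cleaned up), while "out_of_scope" is the continuous-review check that access still matches the work. The point of keeping the contract end date in the registry rather than in someone's inbox is that expiry becomes a computed fact the job can act on without a human remembering to file a ticket.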