6 Tips to Reduce Contractor Account Compromise

Many companies rely on contractors to satisfy various operational needs and give them user accounts with access to sensitive and business-critical data. If you are one of these companies, you could be putting your data at increased risk. An attacker who manages to take over a contractor’s account might be able to steal or encrypt your data. The more contractors you have, the wider your attack surface. Unfortunately, contractors often have a lax attitude about security because they don’t realize how tempting a target their accounts are for attackers.

The risk of contractor account compromise appears to be growing. Both the FBI and Trend Micro warn about an increase in business email compromise (BEC) schemes, phishing scams, and other attacks aimed at stealing credentials, including those of contractors. In March 2020, a parts manufacturer for Tesla and SpaceX suffered a ransomware attack, and the criminals uploaded some of the sensitive data they stole to a publicly accessible website to pressure the company into paying the ransom. In June 2020, hackers gained access to systems owned by U.S. military contractor Westech International and stole secret nuclear missile data.

The financial ramifications of such breaches can be enormous. The 2019 Ponemon report notes the average cost of a data breach is $3.92 million. No business wants to incur any additional expenses in the current economic conditions, let alone that kind of bill. To avoid damage that could jeopardize your business, you need to focus on user account security right now and make sure you have sufficient control over the activities of your contractors.

Here are six steps to minimize the risk that contractor account compromise poses to your data and systems.

Include Third-Party Threats in Your Risk Management Program

The first step in minimizing the risk of contractor account compromise is to evaluate the cyberthreat landscape and identify security gaps that could make you vulnerable. Specifically, identify the systems that are least protected and therefore serve as easy and likely entry points for attackers. This includes all contractor accounts that have access to your data. Then decide which gaps are the most critical for your security and fix them as soon as possible. Finally, make sure that the risk of contractor account compromise is included in your security strategy—this will help you be more prepared for attacks.

The notorious 2013 Target breach illustrates the value of this step. Culprits used a phishing attack against Target’s contractor Fazio Mechanical Services to steal their credentials to Target’s network and then installed malware on the retailer’s POS devices. If Target had included contractor breach in their risk management program, they might have implemented measures to reduce the threat, such as adding extra layers of protection to safeguard the operating system memory of its POS devices.

Follow the Least Privilege Principle

Since any account could be misused by its owner or compromised by an attacker, it’s critical to make sure that each user account, including each third-party account, has the absolute minimum permissions its owner needs to do their job. This reduces your attack surface by limiting the damage the account is able to do. Pay particular attention to privileged users, since those accounts can do the most harm.

Monitor User Activities

The longer attackers can go undetected, the more damage they can do. According to the 2019 Ponemon Cost of Data Breach Study, organizations that spend more than 200 days on incident detection have a 37% higher cost of a breach compared to those who detect incidents early. Therefore, it is essential to monitor what’s going on in your IT environment, including the activities around contractors’ accounts. User behavior monitoring will enable you to detect unusual spikes in activities, such as a suspiciously high number of files being copied or deleted, and take action before it is too late.

Implement Network Segmentation

A key security best practice is to divide your network into multiple, smaller, isolated networks that are not visible from the outside. Following least privilege, grant contractors access only to the network segments they need to deliver the specified services. This practice will help you contain threats, including compromised contractor credentials, and keep them from reaching your critical assets.

Disable and Delete User Accounts Promptly When They Are No Longer Needed

As soon as a third party finishes delivering its services, disable the associated accounts. This will help you avoid a situation where a hacker uses a stale contractor account to get access to your IT environment. To implement this best practice, you need to work closely with your HR team and management to know when contracts end, and also regularly check for accounts that are not being used.
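As an added illustration of the two checks described above (activity monitoring and finding accounts that are no longer used), the script below is example code written for this article, not Netwrix's product or the author's own tooling. It parses constructed audit log lines, flags accounts with a burst of copy/delete events inside a short window, and lists roster accounts idle beyond a cutoff; the log format, thresholds, account names and evaluation time are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (hypothetical format): "<ISO time> user=<id> action=<verb> object=<path>".
SAMPLE_LOG = """\
2024-05-03T09:12:00Z user=ctr-alice action=read object=/share/hr/policy.pdf
2024-05-03T09:13:00Z user=ctr-alice action=copy object=/share/finance/q1.xlsx
2024-05-03T09:13:05Z user=ctr-alice action=copy object=/share/finance/q2.xlsx
2024-05-03T09:13:12Z user=ctr-alice action=delete object=/share/finance/q1.xlsx
2024-05-03T09:13:15Z user=ctr-alice action=delete object=/share/finance/q2.xlsx
2024-05-03T10:40:00Z user=ctr-bob action=read object=/share/eng/spec.docx
2024-04-01T08:00:00Z user=ctr-carol action=read object=/share/eng/old.docx
"""
ROSTER = ["ctr-alice", "ctr-bob", "ctr-carol", "ctr-dave"]  # contractor accounts (constructed)
NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)  # evaluation time (constructed)
UTC_EPOCH = datetime.min.replace(tzinfo=timezone.utc)  # sentinel for "never seen"

def parse_log(text):
    """Parse log lines into dicts with a timezone-aware 'ts' plus the key=value fields."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events

def activity_spikes(events, window=timedelta(minutes=5), threshold=3):
    """Map account -> peak copy/delete count in any sliding window, keeping only peaks above threshold."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] in ("copy", "delete"):
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged

def stale_accounts(events, roster, now, max_idle=timedelta(days=30)):
    """Roster accounts with no activity within max_idle (or never seen at all): candidates to disable."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u in roster if now - last_seen.get(u, UTC_EPOCH) > max_idle)
```

Run against the sample, `activity_spikes` flags ctr-alice (four copy/delete events in under a minute) and `stale_accounts` returns ctr-carol (idle 32 days) and ctr-dave (no activity at all); the threshold and idle cutoff should be tuned to each environment's normal baseline.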

Implement Multi-Factor Authentication

According to Microsoft, multi-factor authentication (MFA) can block more than 99% of account compromise attacks. Multi-factor authentication provides an extra level of protection that makes it difficult for attackers to gain access to your network, even if they were able to steal the valid, current credentials of a contractor’s employee.


Gartner says that 53% of senior leaders report an increased dependence on third parties, and in some cases, fourth and fifth parties, but just 28% of them continuously monitor those external parties. To minimize your risk of a contractor breach, you need strict control over your IT environment. Implementing the measures detailed above will help you to detect attacks in their early stages so you can take prompt action to minimize their impact on your business processes, financial stability and customer trust.


Ilia Sotnikov

Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software. He has over 15 years of experience in IT management software market. Prior to joining Netwrix in 2013, he was managing SharePoint solutions at Quest Software (later acquired by Dell).
