5 Ways to Protect Your Data When Working With Contractors
Small businesses frequently hire outside contractors for specific projects because bringing on full-time headcount is often cost-prohibitive or otherwise impractical, especially for non-recurring work.
This practice can be very cost-effective, but it is worth remembering that a contractor is with your company for only a short time, and you may or may not work with them again.
Contractors often use their own equipment (phone, laptop) and may, over the course of a project, have access to your client list and databases. So what are some best practices for protecting your valuable data and your clients’ privacy? Here are five to start:
Put It In Writing
It seems like a no-brainer, but you’d be surprised how many small business owners don’t bother with documentation when they bring in contractors. Part of it is concern about legal expenses; part of it is doubt about whether an agreement could actually be enforced, legally or financially.
Guenther Berg, President of Berg Logistics Translation LLC, stressed the importance of signing an NDA (non-disclosure agreement) with independent contractors. Once all parties have read and signed it, they share an understanding of the project’s scope and expectations, including the obligation to keep critical information (which may include client data) confidential.
In fact, certain jurisdictions, like New York City, now require documentation when working with contractors, so make sure you are in compliance with the law when you put it in writing.
Use Your Own Systems
As you evaluate potential contractors, you may be corresponding with them through their own company email. It’s easy enough to keep using the contractor’s email once the project starts, but you give up control of that correspondence and lose the audit trail.
Instead, Phil Gerbyshak, Chief Digital Officer of Vengreso, advises, “While it costs more, add contractors to a corporate Microsoft 365 or Google Apps account that you manage and own. Use only that to communicate with them and share files with them.”
This can also mean moving off email entirely onto an internal communication system that you control, like Microsoft Teams, so you can follow conversations and monitor projects.
Additionally, “BYOD” (bring your own device) is definitely a trend, but letting contractors (and employees, for that matter) work from their own devices can be an absolute nightmare from a security standpoint: you cannot patch, encrypt, or remotely wipe a device you don’t manage. If you don’t have an IT wizard on staff, and most small businesses do not, you may want to insist that contractors use your equipment.
Limit Data Access
Marina Erulkar, Principal of Hampstead Solutions LLC, makes the tactical suggestion that small business owners carve out a subset of the full data warehouse, creating what’s called a data mart. She says, “Limit access to data by creating data marts populated with only the data necessary for contractors to complete their assignment. The data marts and all data should be physically present in your infrastructure and should not be downloadable.”
Erulkar also believes you should not hand contractors the keys to the castle, recommending: “Exclude all confidential data, such as social security or account numbers, for example. Limit customer information, but if it must be provided, mask it, if possible.”
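As an added example (not part of the original article and not Erulkar’s own implementation), here is how a data mart of that kind is typically built in PostgreSQL: a view that exposes only the columns the assignment needs, masks the customer identifiers that must be shared, and a role that can read the view but has no path to the underlying table. The schema, table, column and role names, the sample columns and the expiry date are assumptions for illustration.

```sql
-- Added example: a contractor data mart in PostgreSQL.
-- Schema, table, column, role names and dates are assumptions for illustration.

-- 1. The production table the contractor must never query directly.
CREATE SCHEMA crm;
CREATE TABLE crm.customers (
    customer_id    bigint PRIMARY KEY,
    full_name      text NOT NULL,
    email          text NOT NULL,
    ssn            text,          -- confidential: excluded from the mart entirely
    account_number text,          -- confidential: only the last four digits are exposed
    region         text,
    signup_date    date
);

-- 2. The data mart: a separate schema holding only views over the subset
--    the assignment needs. Nothing is copied, so there is no second dataset
--    to secure and no export file to hand over.
CREATE SCHEMA contractor_mart;

CREATE VIEW contractor_mart.customers AS
SELECT
    customer_id,
    region,
    signup_date,
    -- keep the domain for segment analysis, drop the mailbox part
    regexp_replace(email, '^[^@]+@', '***@')   AS email_masked,
    -- last four digits only; a NULL account number stays NULL
    '****' || right(account_number, 4)         AS account_last4
FROM crm.customers;
-- full_name and ssn are simply not selected, so they cannot leak through the view.

-- 3. Least-privilege role: read the view, nothing else.
CREATE ROLE contractor_analyst NOLOGIN;
REVOKE ALL ON SCHEMA crm FROM PUBLIC;                      -- no path to the base table
GRANT USAGE  ON SCHEMA contractor_mart TO contractor_analyst;
GRANT SELECT ON contractor_mart.customers TO contractor_analyst;

-- 4. One login per contractor, expiring with the engagement.
CREATE ROLE jane_contractor LOGIN
    PASSWORD 'replace-with-a-generated-secret'
    IN ROLE contractor_analyst
    VALID UNTIL '2025-06-30';

-- 5. Check as the contractor: the view works, the base table does not.
SET ROLE jane_contractor;
SELECT customer_id, region, email_masked, account_last4 FROM contractor_mart.customers;
SELECT ssn FROM crm.customers;        -- ERROR: permission denied for schema crm
RESET ROLE;
```

Two points a practitioner should check. First, a PostgreSQL view runs with its owner’s privileges by default, which is exactly why the contractor role needs no grant on crm.customers; if you create the view with the security_invoker option (PostgreSQL 15 and later) that protection disappears. Second, a database cannot stop someone from copying rows they are allowed to read, so “not downloadable” is enforced by keeping the mart inside your own infrastructure, never shipping exports, and turning on statement logging so that every query the contractor role runs is in your audit trail. When the engagement ends, the VALID UNTIL date closes the login automatically, but drop the role anyway.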
Buy It Yourself
Anyone who has tried to buy a domain name for their business and endured the constant upsells may be tempted to just let someone else handle it. That can be a costly mistake for your business.
Jill Ressler Duffy of Jill Duffy Designs cautions, “Own your website domain and have your hosting account under your own credit card. Be sure to have your username and password associated with both somewhere safe. Do not let a designer make that purchase for you. I have had customers who lost their domain when their original designer disappeared. They had to change their website address for their business – a complete nightmare.”
Train for Compliance
Depending on your industry, you may be held to strict regulatory standards; healthcare and financial services are examples of heavily regulated industries.
To ensure regulatory compliance, Erulkar stresses, “All resources, whether employees or contractors, should complete data security and privacy training. Depending on your industry, you may be required to comply with GLBA (the Gramm-Leach-Bliley Act), PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), in addition to your own company’s requirements. This training should include tests so that comprehension is assured and documented. Routine reviews and retesting should be part of compliance planning.”
Being prudent about what you share with contractors can save you huge headaches down the line. Hire reputable, reliable professionals and err on the side of caution with what you share.
Small business owners have enough to worry about. A data breach or a pilfered client list is something you definitely want to avoid, so be smart about your practices up front to save yourself those headaches down the road.