*Disclaimer: This article originally appeared in the EDUCAUSE, The Inside Line, blog series.
In higher education as in corporate America, we're witnessing a shift in employment strategies toward increased hiring of contingent workers—employees, either full-time or part-time, hired for one year or less, with a specific end date. A January 2014 report from the House Committee on Education and the Workforce called "The Just-In-Time Professor" states that 50% of university workers are now adjunct or nontenured faculty, a substantial increase from only 20% in 1970. Additionally, the American Association of University Professors states that nontenure-track positions of all types now account for 76% of all instructional staff appointments in American higher education.
Hiring contingent workers is often viewed as less costly than hiring full-time, salaried employees. Additionally, the temporary nature of their employment offers colleges and universities increased flexibility and provides a potential trial run before hiring someone in a salaried capacity, limiting the risk of making a potentially bad hire.
Yet with the continued growth of contingent workers in education also comes inherent security risks that can result in full-blown breaches if not properly managed. Contingent workers have higher-than-average turnover. When a full-time, salaried employee leaves a job, typically protocols are in place to make IT aware so that access controls can be changed accordingly. However, when a contingent worker leaves, the processes and due diligence to inform IT are often lacking, leaving orphaned accounts that a former employee may still access months or years later. Each orphaned account is a vulnerable entry point, susceptible to a breach by external hackers.
When it comes to IT management and security, contingent users must be handled as rigorously as regular, full-time users. The nature of their employment makes provisioning, access decisions, recertification, and deprovisioning a challenge for college or university IT staff already responsible for managing huge numbers of students. There isn't an authoritative source of identity for these contingent employees. Providing access to necessary systems is a manual, ad hoc process. I've found the best way to address these adjunct and nonpermanent faculty members is partially through leveraging technology and partially through enhancing partnership with your HR team.
Here are some recommendations for colleges and universities to limit the risks associated with contingent workers:
- Talk with HR and hiring managers about how they're partnering with their staffing suppliers and agencies. Make sure you and your HR team are on the same page about expectations as far as background checks and vetting. If they understand the focus you're placing on security, they will be more likely to adopt a similar thoroughness in their own vetting.
- Work with HR to become a part of the onboarding process for new adjunct professors and nonpermanent faculty so that all contingent workers are introduced to your security guidelines and processes. Make it easy for HR to include your security session within their broader onboarding process. Offer to create an on-demand training module or even a live classroom session covering your policies, procedures, and penalties.
- Control your access points. Limit system and privileged access to only those who need it to perform their job, and make sure you prevent information from being shared or walking out the door at the end of a contract. Some colleges and universities even make it policy not to provide privileged access to contingent workers.
- Integrate your security systems so that everything is connected, including physical and electronic access. If you have badges for physical access and other forms of authentication for computer access, integrate the systems so there's a single user ID for both. This integration provides a better user experience, and it's easier to track an individual across all systems.
- Automate your deprovisioning/offboarding process to protect yourself from human error. Relying on human notification to deprovision an account brings the possibility that an account could remain open after an employee leaves the company. That orphaned account creates an access point for a potential security breach. Don't let there be even a chance of someone accidentally leaving access open to an orphaned account.
- Use time-based access, which is equal to the length of the employee's contract. Then require a new entitlement to be granted if that contract is extended. Doing so will help ensure that staff who are no longer employed do not have access to the network.
- Prioritize reporting so you can see irregular activity patterns before they become a problem. Taking a proactive approach to problems will prevent headaches down the road. If possible, you could even try using your data to predict problems.
- Use the right tools. A good solution makes following the previous tips much easier. The right identity and access management tool serves as the authoritative source for managing contingent workers, automates provisioning and deprovisioning, and offers multifactor authentication capabilities needed to minimize and even eliminate those security risks associated with contingent workers.
The hiring of adjunct professors, nontenured faculty, and other contingent staff doesn't appear to be slowing down in education, so make sure you're properly securing their access. By applying the proactive steps listed here, you can minimize any potential risk they bring.