Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Why gig workers can be a hidden cybersecurity risk
The gig economy is buzzing
The rise of gig workers is arguably the biggest employment story of the last decade. According to the Actuaries Institute, the gig economy in Australia grew nine-fold between 2015 and 2019, increasing by almost a third in 2019 alone. And while growth was set back by the pandemic, the overall trend is continuing upwards.
That’s in part because short-term workforces of freelancers and contractors offer companies the flexibility to scale up or down at speed, and integrate new services and products by hiring specialists on an as-needed basis. But it’s also because gig work is popular – a recent study showed that two out of three workers believe the benefits of being able to work flexibly outweigh the negatives.
The hidden risks of the gig economy
Gig work may have its upsides, but employing short-term workers can be a serious cybersecurity risk. Temporary workers are no longer just delivery drivers or spreadsheet-filling temps. They might be IT consultants, sales analysts and corporate strategists, handling sensitive data and administering high-level functions at your company’s heart. In particular:
Gig workers are more likely to work remotely, and to use their own devices and apps. Which means your data could be on their storage, or be shared through unsecured networks, like a cafe’s wi-fi.
There often isn’t time to run full onboarding or background checks – what’s the point of a screening process that will take two weeks if your hire will be done and gone by then?
Part-time workers may juggle two jobs at once, and think nothing of sharing a piece of code, intellectual property or a winning creative idea with both employers.
Temporary workers may be deep in your processes today, and your rivals’ tomorrow, opening the door to insider threats.
Gig workers may even be outsourcing their work to other freelancers without your knowledge.
The old model of cybersecurity is not fit for purpose
All this means that the old models of cybersecurity, which assume a finite staff working in a fixed location, will not stand up to present-day risks. Some freelancers may be dishonest, while others may simply be a little negligent. They may inadvertently lose data, open you up to cyberattacks or leak confidential information. The reality is that gig work is here to stay: your organisation needs a strategy to deal with it.
Thankfully, there are tactics that can help you keep the advantages of gig workers without compromising cybersecurity.
The first step is to analyse the risk and reward independent contractors bring to your business. That means assessing the potential impact of data exposure and cyberattack, and the safeguards required to limit that risk. This assessment may shape recruitment across your business: in some cases, gig workers will be integral to your efforts; in others they may not be worth the risk.
Contracting and onboarding can safeguard your company
Factoring security into your contracting and onboarding of gig workers is vital. An alarming 55% of freelance contractors said they’d had no onboarding process at all. Starter training can be shorter than that offered to permanent staff, but it’s a great opportunity to establish the rules of engagement and test gig workers’ understanding of cyber threats.
Contracts can require workers to use company laptops, or specify the encryption and antivirus software they should run on theirs. Breach notification rules, in which freelancers must immediately inform you if any sensitive data is compromised, can be included, with part of a project fee withheld if measures are not met.
This is also the point to set your exit strategy, and inform the worker what will happen at the end of the project with logins, physical passes, confidential information and any data they may have downloaded.
Technical controls keep risk at bay
The access and admin rights you give temporary workers should ideally be standardised across your organisation, rather than varying case-by-case, leaving less room for human error. Just-in-time provisioning can help you run authentication at scale.
There are various approaches you can adopt to ensure workers can access the data they need while limiting the risk to your security. Virtual desktops, where users can remotely access applications and data without having to store them on their devices, offer additional security, although the quality of the user experience can vary.
A less restrictive approach is browser isolation, in which web browsing is kept separate from local networks. Digital-rights management offers further controls by limiting the number of tasks – such as sharing or saving – that can be carried out with individual documents. Multi-factor authentication and increasingly sophisticated biometrics, meanwhile, can allow users to access sensitive parts of your network or encrypted files without compromising security.
Zero trust and monitoring
Increasing numbers of organisations are adopting a zero-trust approach, in which users and their devices are authenticated and each request on the network is evaluated and authorised separately. Zero-trust networks ensure any threat actor must do more than simply get their foot in the door – their credentials will constantly be evaluated as they move through the network. As such, it’s an excellent way to limit the damage short-term hires can do.
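As an added illustration (not code from the original article), the sketch below combines the standardised access, just-in-time provisioning and per-request zero-trust evaluation described above. The role names, permissions and function names are hypothetical, and the MFA and device-compliance flags are assumed to come from your identity provider and device management tooling.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical standardised role templates: one fixed permission set per
# contractor role, so access is never hand-tuned for an individual.
ROLE_TEMPLATES = {
    "contract-analyst": {"crm:read", "reports:read"},
    "contract-developer": {"repo:read", "repo:write", "ci:run"},
}

@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: a standard role issued for a bounded window."""
    user: str
    role: str
    expires_at: datetime

@dataclass(frozen=True)
class Request:
    user: str
    permission: str
    mfa_verified: bool
    device_compliant: bool
    at: datetime

def issue_grant(user, role, contract_end, now, max_ttl=timedelta(hours=8)):
    """Issue a short-lived grant that can never outlive the contract."""
    if role not in ROLE_TEMPLATES:
        raise ValueError(f"no standard template for role {role!r}")
    return Grant(user, role, min(now + max_ttl, contract_end))

def authorize(req, grants):
    """Evaluate one request on its own; nothing carries over from earlier ones."""
    if not req.mfa_verified:
        return False, "mfa required"
    if not req.device_compliant:
        return False, "device not compliant"
    live = [g for g in grants if g.user == req.user and req.at < g.expires_at]
    if not live:
        return False, "no active grant"
    if any(req.permission in ROLE_TEMPLATES[g.role] for g in live):
        return True, "allowed"
    return False, "permission not in role template"
```

Because every grant is capped at the contract end date, access lapses by itself when the engagement finishes, even if the offboarding step is missed.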
Monitoring your network opens up other security avenues. Pop-up messages which warn users when they access privileged information or apps can act as both an alert and an opportunity to open a dialogue with the user as to why measures are necessary. Reviewing patterns of use can also be valuable – a sudden shift may indicate an individual mixing work for your company with another project, or a potential security risk.
Building resilience in the gig economy
While all these risks can seem disheartening, they shouldn’t turn you off the immense talent pool gig work gives you access to. The old model of permanent staff in a single building is increasingly redundant, especially in our post-COVID world. Freelancers and contractors are an integral part of the future of work, and offer great benefits to companies who understand the value they bring.
Companies must revise their processes to accommodate gig workers, along with the way they monitor and authenticate users on their network. The correct policies can help your organisation harness their talents without compromising your cybersecurity.