Interviews

Cyber and the gig economy

by Mark Rowe

Cyber security must sit at the heart of the expanding gig economy, writes David Higgins, EMEA Technical Director at the security software company CyberArk.

As the economy slowly reawakens and life begins to return to some form of normal, high unemployment rates and social distancing requirements will have lasting effects on how and where we work. Many small businesses are struggling to make ends meet and a number of workers are already relying more on online-only gigs. Experts predict that post-pandemic, these trends will continue as we shift toward a gig economy that relies heavily on remote working.

In the UK, the gig economy already accounts for more than 4.7 million workers – and employs one in ten working-age adults. This signposts the increasing economic trend for professionals to opt for temporary work positions, rather than taking on a full-time job, and for organisations to deliberately contract independent workers for short-term engagements and temporary projects. Increasing connectivity is making picking up a ‘gig’ through your laptop or phone screen very easy, rapidly altering the way that people view and undertake work.

And it’s not just transforming the workforce picture for high-profile gig economy poster child firms such as Uber and Deliveroo either. Even conventional retail and corporate powerhouses now comprise a mix of full-time, part-time and short-term workers to ensure they can remain agile, cost-effective, and able to adapt to changing market conditions in a fast-paced, technology-led environment.

Security vulnerabilities

The trend of companies hiring independent contractors and freelancers for each individual ‘gig’ is bound to increase, as budget constraints impact hiring for permanent positions in the post-pandemic world. This, combined with the recent suspension of IR35, will further increase the popularity of IT contracting – already a very common gig economy role.

This is for good reason and aligns with how modern enterprises approach IT in general. Being able to deploy more or less IT expertise as situations demand is akin to best practice usage of cloud services. It’s quick, it’s flexible, and it meets the changing needs of the business. Additionally, IT workers perform some of the more crucial roles in 21st century organisations because every business relies on information and technology in some shape or form to function. It’s assumed that large quantities of critical data and at least a few critical assets need to be stored, managed and processed for most businesses to serve customers, meet manufacturing deadlines, and more. With a large majority of the workforce continuing to work from home in the current coronavirus crisis, the relevance of these IT professionals is more apparent than ever. Without these teams ensuring constant uptime and seamless communication across channels, businesses would risk coming to a complete standstill.

However, the gig economy has some gaping security gaps. For companies that are proponents of this model, the risk framework has shifted away from a framework built around controlled environments, i.e. corporate networks. The perimeter – the first line of defence – was a known quantity and yes, it had holes, but generally IT departments were aware of where their weak points were. Now, the perimeter is at best distributed, and at worst non-existent. Put bluntly, the risk is that companies can no longer enforce security on the end device, as they may have no jurisdiction or control over it.

As part of company policy, permanent IT employees are subject to strict security oversight. When these roles are performed by remote third parties however, these policies tend to become lax. These contractors have access to as many critical systems as full-time staff do, and security should consequently be at the forefront of all interactions with them.

Additionally, the risk to the security of confidential data and credentials goes hand-in-hand with compliance risks. A breach, regardless of whether it took place outside the physical parameters of the office, can lead to large fines levied on an organisation – especially under the General Data Protection Regulation (GDPR). Such breaches can also negatively affect business continuity as well as the reputation of an organisation. At a time when businesses are under immense pressure to stay afloat amidst the global coronavirus pandemic, the aforementioned risks may even cause irreversible damage in some cases.

The path to robust cyber security

As flexible workers plug into an organisation’s network and access critical company networks from outside the physical boundaries of the office, organisations need to ensure they have stringent security measures in place to better manage the high risk that this entails. They must also limit the access contractors have to only what they need, instead of trusting them with sweeping access to everything. Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised. These risk factors are further amplified as much of the global workforce – full-time and flexible workers alike – is working from home during this Covid-19 crisis.

In the current scenario, we are a long way from a world where security teams can easily implement policy on devices within the conventional network. Often they will now have no control at all over the device the external party uses to connect in and, similarly, will not be able to ensure the security of the location the device is connecting from, for instance a home WiFi network.

According to our research, 90 percent of organisations allow third party vendors access to their critical systems and 72 percent put third party access in their top ten security risks. In summary, the problem is widespread and the risk is broadly understood. However, the issue is not being acted upon. The majority of organisations use approaches that are just not optimised for efficiency, and don’t consistently apply corporate security policies across cloud and hybrid resources.

Any solution for third party privileged access must have basic security best practices that mirror established policies for internal workers. Technological advancements mean that the shortcomings of obsolete technologies – such as VPNs – to secure remote workers can now be resolved with relative ease. The use of biometrics and Zero Trust policies can be employed to securely authenticate remote vendor access to the most sensitive parts of the corporate network. This can be done with the flexibility and ease-of-use that modern remote employees need by using the remote workers’ own mobile devices for biometric and multi-factor authentication.

As the gig economy becomes central to the new world of work, security policies need to match the versatility of remote and flexible working. The goal of completely securing endpoint devices is no longer viable as cyber threats have become increasingly sophisticated. Instead, organisations need to focus on implementing robust security policies at the point of connection, where third parties gain the access that they require into systems. This will reduce the threat landscape and exposure of their critical networks, limiting any lateral movement and damage caused by malicious actors entering the system through the hacking of a device.

© 2024 Professional Security Magazine. All rights reserved.
