The gig economy, whereby workers are paid for each individual project or job that they do, has accelerated exponentially in the last couple of years. Prior to the COVID-19 crisis, it was estimated to account for more than 4.7 million workers, or more than 10% of working-age adults.
In this era of smart devices, the workforce is becoming more mobile and work can increasingly be done from anywhere. As a result, job and location are being decoupled. That means that freelancers can select among temporary jobs and projects around the world, while employers can select the best individuals for specific projects from a larger pool than what is available in any given area.
The average UK workplace now comprises of a mix of full-time, part-time and short-term workers. Gig economy workers allow companies to ensure they can remain nimble, cost-effective, and able to adapt to changing market conditions in a fast-paced, technology-led environment.
Finding the security vulnerabilities
Businesses’ increasing tendency to employ independent contractors and freelancers instead of full-time workers is making IT contracting an increasingly common gig economy role, with the recent suspension of IR35 due to the pandemic extending this trend.
It’s a development that is line with how modern enterprises approach IT in general. Being able to deploy more or less IT resources as required is considered best practice for using cloud services. It’s quick, it’s versatile, and it meets the changing needs of the business.
It’s not inherently secure, however. The risk model has moved from a model built around controlled environments, i.e. corporate networks. The perimeter – the first line of defense – was a known entity and yes, it had flaws, but IT departments were usually aware of where the weak points were.
In modern IT environments however the perimeter can be described as ‘distributed’ at best, and at worst non-existent. Simply put, the risk is that companies can no longer enforce security on the end device, as they may have no jurisdiction or control over it.
IT workers play fundamental roles in 21st century organizations because every business is reliant on information and technology in order to function. Large amounts of critical data and at least a few critical assets will need to be stored and managed in order for most business to serve customers, meet production deadlines, and more. It is therefore common for permanent IT employees to be subject to strict security supervision. When these roles are performed by remote third parties, short-term contractors or non-permanent staff however, security must also adapt.
Polishing the security armor
Plugging into an organization’s network to access critical company systems from beyond the physical boundaries of the workplace is now commonplace. Companies need to ensure they have stringent security measures in place to better manage the high risk that this entails. They must also limit the access of contractors to only what they need, instead of trusting them with sweeping access to everything. Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised.
In this scenario we are a long way from a world where security teams are able to enforce policy on devices within the traditional network. Now, often they will have no control at all over the device being used by the external party to connect in and, similarly, not being able to ensure the security of the location where the device is connecting from; for instance a home WiFi network.
Our previous research indicates that 90 percent of organizations with more than 250 users grant third party vendors access to their critical systems, and 72 percent position third party access in their top 10 security risks, indicating it’s a familiar problem for security teams.
That doesn’t mean it is being acted upon though. The majority of organizations use strategies that are just not optimized for efficiency, and don’t systematically enforce corporate security policies across on-site and cloud infrastructure. Any solution for third party privileged access must provide basic security best practices that mirror established policies for internal employees.
Technical advances also mean the shortcomings of obsolete technologies – such as VPNs – to secure remote workers can now be overcome with relative ease. Usage of biometrics and Zero Trust policies should be employed to reliably authenticate remote vendor access to the most sensitive parts of the corporate network. This can be achieved with the flexibility and ease-of-use that modern remote workers need by using the remote workers’ own mobile devices for biometric and multifactor authentication.
In the world of work today, the physical boundaries of our workplace have become increasingly blurred. This is especially the case as we move into a post COVID-19 workplace, where flexible working is expected to be the new norm. In such environments, endpoint devices may have varying levels of security and the office environment may be a café, car or home office. Hence, cybersecurity needs to match the flexibility of modern working.
The place where organizations can reliably enforce policy is at the point of connection and the access that they require into systems. This needs to be acknowledged and implemented.