New paradigm of gig workers creates new data security risks
By now, we have seen fairly frequently the numerous risks inherent in the new remote work paradigm. But cousin to this state of affairs is how a new “gig economy” work pattern is also creating risks and forcing companies to reshape data protection strategies. As an ad-hoc kind of policy, organizations are increasing the threat surface by hiring short term workers as needed.
Different than normal contractors, they use “their own laptops and their own collaboration tools, and they’re going to take your data, and perhaps put it in their storage,” says James Christiansen, VP of information risk management at Netskope. His story about a freelancer who outsourced his own coding work to a secondary organization, which gave them unauthorized access to data from the company he himself worked for, gave our own team a pretty big shock when we heard it. For an enterprise’s critical data and intellectual property to fall outside the known scope of security parameters, without their knowledge, is as major a vulnerability as you can conceive.
Even less extreme examples can prove troublesome. Since gig workers are operating outside the organization’s security parameters, their chance of becoming an attack vector via a phishing campaign, for instance, is enhanced. People working under this umbrella are already well established as potential security risks, often described as one of the weakest links. With companies evolving their work structure to fit current times, managerial oversight becomes both more complicated and more crucial. All it takes is one person clicking on an email link they shouldn’t (or, evidently, secretly pass off their work to ambiguously positioned groups) for the whole enterprise to be compromised. That isn’t new, but these days, who can be sure where or even who that person may be?
Solving this issue requires companies shoring up these newest weak spots in their defenses. Clear contractual obligations for gig workers should be devised, including guidelines about protecting data, restrictions on certain types of action, device monitoring, breach notification procedures, and liabilities and costs for breaching protocol. Without established standards, there is less incentive for a one-time gig worker to take their employer’s security seriously.
The nature of the gig worker, of course, implies that they won’t be with the company for long, which necessitates the creation of a process to smoothly and safely transition them out. “What are your expectations around deleting data, returning data, archiving data and so on?” Christiansen poses. “Make sure that exit strategy has been thought through, and they’ve agreed to it, and make sure you follow through on it at the end.”
So much data is on the move these days, leaving the premises, that the challenge is keeping it secure no matter the location. Organizations must revise their existing policies to account for this evolution in movement, or risk getting compromised by someone who worked for them for a weekend.