Think cyber security before boarding the gig economy express
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
The ‘gig’ economy is said to be many things, even being hailed as the saviour of the UK public sector. It is depicted in some quarters as everything from a symptom of the decline of the traditional nine-to-five day - typically characterised by a stable income and a pension - to the jet fuel powering the new world economy. Increasing connectivity is making picking up a ‘gig’ as easy as making dinner plans with a friend or finding a date. All this is altering the way that people view and perform work. In the UK, the gig economy now accounts for more than 4.7 million workers and employs 1 in 10 working-age adults.
It’s not just changing the workforce picture for high-profile gig economy firms such as Uber and Deliveroo, the poster children for the movement. The UK public sector now comprises a mix of full-time, part-time and short-term workers in an attempt to be more agile, cost-effective, and able to adapt to changing citizen priorities and departmental needs in a technology-led environment.
Mind the security gap
As organisations increasingly hire independent contractors instead of full-time workers and pay them for each individual ‘gig’ they do, IT contracting has become a very common gig economy role. The recent suspension (and possible scrapping) of IR35 due to the COVID-19 crisis is extending this trend.
This is for good reason and is in line with how both public and private sector organisations approach IT in general. Being able to deploy more or less IT expertise as situations demand is akin to best practice usage of cloud services. It’s quick, it’s flexible, and it meets changing needs.
One thing that it is not, though, is inherently secure. The risk model has shifted away from one built around a controlled environment, i.e. the corporate IT network. The perimeter – the first line of defence – was a known quantity and yes, it had holes, but generally IT security teams were aware of where the weak points were. Now, the perimeter is at best distributed, and at worst non-existent. Put bluntly, the risk is that organisations can no longer enforce security on the end device, as they may have no jurisdiction or control over it.
IT workers perform some of the more crucial roles in 21st century organisations, because every area of the public sector relies on information and technology in order to function, as we’re seeing during the current coronavirus crisis. Large quantities of critical data and at least a few critical assets are necessary aspects of the services provided to citizens by most departments. It’s therefore common that permanent IT workers are subject to strict security oversight. However, when these roles are performed by remote third parties, short-term contractors or otherwise not by permanent, trusted staff that are office-based, security must also adapt.
The ticket to successful security
As flexible workers plug into an organisation’s network and access sensitive systems from outside the physical perimeter of the office, organisations need to ensure they have strict security protocols in place to properly mitigate the elevated risk that this entails. They also need to restrict the access of contractors to only what they need, instead of trusting them with sweeping access to everything. Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised.
In this scenario we are far away from a world where security teams are able to enforce policy on devices within the traditional network. Now, they will often have no control at all over the device being used by the external party to connect in and, similarly, no way to ensure the security of the location the device is connecting from, for instance a home WiFi network.
According to our previous research, 90 percent of organisations (from 250 users up to the largest organisations) allow third party vendors access to their critical systems, and 72 percent put third party access in their top 10 security risks. So the problem is widespread and the risk is broadly understood. However, it is not being acted upon. The majority of organisations use approaches that are simply not designed for efficiency, and don’t consistently apply corporate security policies across on-premises and cloud resources. Any solution for third party privileged access must provide basic security best practices that mirror established policies for internal workers.
Additionally, advances in technology mean the shortcomings of outdated technologies – like VPNs – to secure remote workers can now be overcome with relative ease. Usage of biometrics and Zero Trust policies should be employed to reliably authenticate remote vendor access to the most sensitive parts of the network. This can be done with the flexibility and ease-of-use that modern remote workers need by using the remote workers’ own mobile devices for biometric and multifactor authentication.
In the gig economy environment, where endpoint devices have disparate levels of security and the office environment can be a café, car, or home office, cyber security needs to match the flexibility of modern working. The place where organisations can reliably enforce policy is at the point of connection and the access that they require into systems. This needs to be recognised and implemented.
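To make the point about enforcing policy at the point of connection concrete, here is an added illustration (not CyberArk's product code, and not part of the original article) of the checks a connection broker would apply to a contractor's access request: the identity must belong to a current engagement, the target must be in that engagement's scope, MFA from the worker's own device must have been satisfied, and the session is time-boxed. The contractor name, system name and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Engagement:
    """A short-term contract: who, the only systems the gig needs, and its window."""
    contractor: str
    systems: FrozenSet[str]
    starts: datetime
    ends: datetime

# Constructed sample engagement (hypothetical identity and target system).
ENGAGEMENTS: Dict[str, Engagement] = {
    "alice-contractor": Engagement(
        contractor="alice-contractor",
        systems=frozenset({"payroll-db-01"}),
        starts=datetime.fromisoformat("2020-05-01T00:00:00+00:00"),
        ends=datetime.fromisoformat("2020-05-31T23:59:59+00:00"),
    ),
}

MAX_SESSION = timedelta(hours=4)   # policy cap on one privileged session

def decide(contractor: str, target: str, mfa_verified: bool,
           requested_at_iso: str,
           engagements: Dict[str, Engagement] = ENGAGEMENTS) -> Tuple[bool, str]:
    """Policy evaluated at the point of connection, independent of the device.

    Returns (allowed, reason); every reason is intended for the audit log.
    """
    requested_at = datetime.fromisoformat(requested_at_iso)
    eng = engagements.get(contractor)
    if eng is None:
        return False, "no active engagement for this identity"
    if not (eng.starts <= requested_at <= eng.ends):
        return False, "request outside engagement window"
    if target not in eng.systems:
        return False, f"{target} is not in engagement scope"
    if not mfa_verified:
        return False, "multifactor authentication not satisfied"
    # Session ends at the policy cap or the contract end, whichever comes first.
    expires = min(requested_at + MAX_SESSION, eng.ends)
    return True, f"session granted until {expires.isoformat()}"
```

Because every decision is made by the broker rather than on the endpoint, the same rules apply whether the contractor connects from a managed laptop or a personal device on home WiFi.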