Although its name might suggest something musical, the ‘gig’ economy doesn’t actually refer to bands performing at gigs. It encompasses the increasing economic trend for professionals to take on a series of temporary work positions, rather than taking on a full-time job, and for organisations to consciously contract independent workers for short-term engagements and temporary projects.
In the UK, the gig economy now accounts for more than 4.7 million workers – and employs 1 in 10 working-age adults. Increasing connectivity is making picking up a ‘gig’ as easy as making dinner plans with a friend or finding a date. All this is altering the way that people view and perform work.
And it’s not just transforming the workforce picture for high-profile gig economy firms such as Uber and Deliveroo that are poster children for the movement. Even conventional retail and corporate powerhouses now comprise a mix of full-time, part-time and short-term workers to ensure they can remain agile, cost-effective, and able to adapt to changing market conditions in a fast-paced, technology-led environment.
Gaps in security: the prologue
Owing to this increasing trend of companies hiring independent contractors and freelancers instead of full-time employees and paying them for each individual ‘gig’ they do, IT contracting is becoming a very common gig economy role. The recent suspension of IR35 due to the Covid-19 crisis has further extended this trend.
This is for good reason and aligns with how modern enterprises approach IT in general. Being able to deploy more or less IT expertise as situations demand is akin to best practice usage of cloud services. It’s quick, it’s flexible, and it meets the changing needs of the business.
Additionally, IT workers perform some of the more crucial roles in 21st century organisations, because every business relies on information and technology in some shape or form to function, as we’re seeing during the current coronavirus crisis. It’s assumed that large quantities of critical data and at least a few critical assets will need to be stored and managed for most businesses to serve customers, meet manufacturing deadlines, and more.
One thing this business model is not, however, is inherently secure. The risk model has shifted from a model built around controlled environments, i.e. corporate networks. The perimeter – the first line of defence – was a known quantity and yes, it had holes, but generally IT departments were aware of where their weak points were. Now, the perimeter is at best distributed, and at worst non-existent. Put bluntly, the risk is that companies can no longer enforce security on the end device, as they may have no jurisdiction or control over it.
It’s therefore common that permanent IT employees are subject to strict security oversight. However, when these roles are performed by remote third parties, short-term contractors or anyone other than permanent, trusted, office-based staff, the risk is further exacerbated.
The risk to the security of confidential data and credentials goes hand-in-hand with compliance risks. A breach, regardless of whether it took place outside the physical perimeter of the office, can lead to large fines levied on an organisation – especially under the General Data Protection Regulation (GDPR). Such breaches can also negatively affect business continuity as well as the reputation of an organisation.
At a time when businesses are under immense pressure to stay afloat amidst the global coronavirus pandemic, the aforementioned risks may even cause irreversible damage in some cases.
Ensuring show-stopping cybersecurity
As flexible workers plug into an organisation’s network and access critical company networks from outside the physical boundaries of the office, organisations need to ensure they have stringent security measures in place to better manage the high risk that this entails. They should also limit the access of contractors to only what they need, instead of trusting them with sweeping access to everything.
Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised. These risk factors are further amplified as much of the global workforce – full-time and flexible workers alike – is working from home during this Covid-19 crisis.
In this scenario, we are a long way from a world where security teams can implement policy on devices within the conventional network. Now, they will often have no control at all over the device being used by the external party to connect in and, similarly, will not be able to ensure the security of the location where the device is connecting from; for instance, a home WiFi network.
According to our previous research, 90 per cent of organisations allow third party vendors access to their critical systems and 72 per cent put third party access in their top 10 security risks. Clearly, the problem is widespread, and the risk is broadly understood. However, it is not being acted upon. The majority of organisations use approaches that are just not optimised for efficiency, and don’t consistently apply corporate security policies across on-premises and cloud resources. Any solution for third party privileged access must have basic security best practices that mirror established policies for internal workers.
In fact, technological advancements mean that the shortcomings of obsolete technologies – such as VPNs – to secure remote workers can now be resolved with relative ease. The use of biometrics and Zero Trust policies can be employed to securely authenticate remote vendor access to the most sensitive parts of the corporate network. This can be done with the flexibility and ease-of-use that modern remote employees need by using the remote workers’ own mobile devices for biometric and multifactor authentication.
In the gig economy environment, where endpoint devices have varying levels of security and the workplace can be a café, car or home office, cybersecurity needs to match the versatility of modern working. The position where organisations can effectively implement robust security policy is at the point of connection, where third parties gain the access that they require into systems. This needs to be recognised and implemented.
David Higgins, EMEA Technical Director, CyberArk