Think cyber security before boarding the gig economy express

Written by CyberArk on 26 May 2020 in Sponsored Article
Sponsored Article

CyberArk's David Higgins explores the cyber risks of hiring independent contractors

The ‘gig’ economy is said to be many things, even being hailed as the saviour of the UK public sector. It is depicted in some quarters as symptomatic of the decline in the traditional nine-to-five day - typically characterised by a stable income and a pension - to the jet fuel powering the new world economy. Increasing connectivity is making picking up a ‘gig’ as easy as making dinner plans with a friend or finding a date. All this is altering the way that people view and perform work. In the UK, the gig economy now accounts for  more than 4.7 million workersand employs 1 in 10 working-age adults.

It’s not just changing the workforce picture for high-profile gig economy firms such as Uber and Deliveroo that are poster children for the movement. The UK public sector now comprises of a mix of full-time, part-time and short-term workers in an attempt to be more agile, cost-effective, and able to adapt to changing citizen priorities and departmental needs in a technology-led environment.

Mind the security gap

Owing to this increasing trend of organisations hiring independent contractors instead of full-time workers and paying them for each individual ‘gig’ they do, IT contracting has become a very common gig economy role, with the recent suspension (and possible scrapping) of IR35 due to the COVID-19 crisis extending this trend.

This is for good reason and is in line with how both public and private sector organisations approach IT in general. Being able to deploy more or less IT expertise as situations demand is akin to best practice usage of cloud services. It’s quick, it’s flexible, and it meets changing needs.

One thing that it is not, though, is inherently secure. The risk model has shifted from a model built around controlled environments, i.e. the IT network. The perimeter – the first line of defence – was a known quantity and yes, it had holes, but generally IT security teams were aware of where the weak points were. Now, the perimeter is at best distributed, and at worst non-existent. Put bluntly, the risk is that organisations can no longer enforce security on the end device, as they may have no jurisdiction or control over it.

IT workers perform some of the more crucial roles in 21st century organisations, because every area of the public sector relies on information and technology in order to function, as we’re seeing during the current coronavirus crisis. Large quantities of critical data and at least a few critical assets are necessary aspects of the services provided to citizens by most departments. It’s therefore common that permanent IT workers are subject to strict security oversight. However, when these roles are performed by remote third parties, short-term contractors or otherwise not by permanent, trusted staff that are  office-based, security must also adapt.

The ticket to successful security

As flexible workers plug into an organisation’s network and access sensitive systems from outside the physical perimeter of the office, organisations need to ensure they have strict security protocols in place to properly mitigate the elevated risk that this entails. They also need to restrict the access of contractors to only what they need, instead of trusting them with sweeping access to everything. Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised. 

In this scenario we are far away from a world where security teams are able to enforce policy on devices within the traditional network. Now, often they will have no control at all over the device being used by the external party to connect in and, similarly, not being able to ensure the security of the location where the device is connecting from; for instance a home WiFi network.

According to our previous research, 90 percent of organisations (250 users plus, right up to the largest organisations) allow third party vendors access to their critical systems and 72 percent put third party access in their top 10 security risks. So the problem is widespread and the risk is broadly understood. However, it is not being acted upon. The majority of organisations use approaches that are just not designed for efficiency, and don’t consistently apply corporate security policies across on-premises and cloud resources. Any solution for third party privileged access must provide basic security best practices that mirror established policies for internal workers.

Additionally, advances in technology mean the shortcomings of outdated technologies –like VPNs – to secure remote workers can now be overcome with relative ease. Usage of biometrics and Zero Trust policies should be employed to reliably authenticate remote vendor access to the most sensitive parts of the network. This can be done with the flexibility and ease-of-use that modern remote workers need by using the remote workers’ own mobile devices for biometric and multifactor authentication.

In the gig economy environment, where endpoint devices have disparate levels of security and the office environment can be a café, car, or home office, cyber security needs to match the flexibility of modern working. The place where organisations can reliably enforce policy is at the point of connection and the access that they require into systems. This needs to be recognised and implemented.

David Higgins is EMEA Technical Director at CyberArk

Share this page



Related Articles

ONS seeks new data source on UK firms’ overseas owners
24 May 2023

Statistics agency looks to establish a single unified partnership

CCS defends Digital Marketplace closure and pledges to ‘reinstate transparency’
3 May 2023

Suppliers and former officials have lamented the decision but procurement agency claims outgoing platform could no longer ‘accommodate growing demands’

Report warns on £1.5bn extra customer costs for Making Tax Digital and millions of records on HMRC legacy systems
12 June 2023

National Audit Office says that tax agency needs to prepare a new business case or risk further ‘undermined credibility’ for major programme

Sunak and Biden agree transatlantic data bridge
12 June 2023

Leaders announced agreed-in-principle initiative as part of trade partnership

Related Sponsored Articles

Proactive defence: A new take on cyber security
16 May 2023

The traditional reactive approach to cybersecurity, which involves responding to attacks after they have occurred, is no longer sufficient. Murielle Gonzalez reports on a webinar looking at...