Rather than hiring for full-time jobs, organisations consciously contract independent workers for short-term engagements and temporary projects.
This is the unfortunate side of today's short-sighted attitude to business needs, which effectively builds the future economy on sand.
Nevertheless, this is where we are, and it is what organisations see as the way ahead.
In the UK, the gig economy now accounts for more than 4.7 million workers – and employs 1 in 10 working-age adults. All this is altering the way that people view and perform work.
And it’s not just transforming the workforce picture for high-profile gig economy firms such as Uber and Deliveroo that are poster children for the movement. Even conventional retail and corporate powerhouses now comprise a mix of full-time, part-time and short-term workers to ensure they can remain agile, cost-effective, and able to adapt to changing market conditions in a fast-paced, technology-led environment.
Who do you trust?
Owing to this increasing trend of companies hiring independent contractors and freelancers instead of full-time employees and paying them for each individual ‘gig’ they do, IT contracting is becoming a very common gig economy role.
That said, the IT industry has been offering short-term contracts for many years in a huge range of industries.
Being able to deploy more or less IT expertise as situations demand is akin to best practice usage of cloud services. It’s quick, it’s flexible, and it meets the changing needs of the business.
Additionally, IT workers perform some of the more crucial roles in 21st century organisations, because every business relies on information and technology in some shape or form to function, as we’re seeing during the current coronavirus crisis. It’s assumed that large quantities of critical data and at least a few critical assets will need to be stored and managed for most businesses to serve customers, meet manufacturing deadlines, and more.
One thing this business model is not, however, is inherently secure. The risk model has shifted from a model built around controlled environments, i.e. corporate networks. The perimeter – the first line of defence – was a known quantity and yes, it had holes, but generally IT departments were aware of where their weak points were. Now, the perimeter is at best distributed, and at worst non-existent. Frankly, the risk is that companies can no longer enforce security on the end device, as they may have no jurisdiction or control over it.
It’s therefore common that permanent IT employees are subject to strict security oversight. However, when these roles are performed by remote third parties, short-term contractors or anyone other than permanent, trusted, office-based staff, the risk is further exacerbated.
This comes back to the short-sighted attitude I mentioned earlier: employers have to place an enormous amount of trust in temporary employees who have no vested interest in the organisation.
The risk to the security of confidential data and credentials goes hand-in-hand with compliance risks. A breach, regardless of whether it took place outside the physical perimeter of the office, can lead to large fines levied on an organisation – especially under the General Data Protection Regulation (GDPR). Such breaches can also negatively affect business continuity as well as the reputation of an organisation.
At a time when businesses are under immense pressure to stay afloat amidst the global coronavirus pandemic, the aforementioned risks may even cause irreversible damage in some cases.
Batten down the hatches
As flexible workers plug into an organisation’s network and access critical company networks from outside the physical boundaries of the office, organisations need to ensure they have stringent security measures in place to better manage the high risk that this entails. They also need to limit the access of contractors to only what they need, instead of trusting them with sweeping access to everything.
It is all too easy to grant contractors too much access so that they won't keep bothering the company with requests for the various levels of access they need to perform their duties effectively.
Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised. These risk factors are further amplified as much of the global workforce – full-time and flexible workers alike – is working from home during this Covid-19 crisis.
In this scenario, we are a long way from a world where security teams can implement policy on devices within the conventional network. Now, they will often have no control at all over the device the external party uses to connect in and, similarly, will not be able to ensure the security of the location the device is connecting from, for instance a home WiFi network.
According to our previous research, 90 per cent of organisations allow third party vendors access to their critical systems and 72 per cent put third party access in their top 10 security risks. As is apparent, the problem is widespread, and the risk is broadly understood. However, it is not being acted upon. The majority of organisations use approaches that are just not optimised for efficiency, and don’t consistently apply corporate security policies across on-premises and cloud resources. Any solution for third party privileged access must have basic security best practices that mirror established policies for internal workers.
Embrace security solutions
In fact, technological advancements mean that the shortcomings of obsolete technologies – such as VPNs – to secure remote workers can now be resolved with relative ease. The use of biometrics and Zero Trust policies can be employed to securely authenticate remote vendor access to the most sensitive parts of the corporate network. This can be done with the flexibility and ease-of-use that modern remote employees need by using the remote workers’ own mobile devices for biometric and multifactor authentication.
In the gig economy environment, where endpoint devices have varying levels of security and the workplace can be a café, car or home office, cybersecurity needs to match the versatility of modern working. The position where organisations can effectively implement robust security policy is at the point of connection, where third parties gain the access that they require into systems. This needs to be recognised and implemented.
Putting in the time and effort it takes to plan the infrastructure of rights and privileges offered to third parties accessing your network is crucial.
In an ideal world, employing full-time IT security professionals means the ability to develop trust and loyalty, which do not have a short-term pound value.
The value of knowing their technical backgrounds and, more importantly, their capabilities when a cyber attack occurs should not be underestimated. But then you could rely on a relatively unknown third party to save your business from disaster, probably.
The long-term benefits far outweigh the short-term thriftiness and short-sighted attitudes of too many organisations, but in today's cut-throat economy there may be simply no choice.