With the rise of ‘quiet quitting’ and a wave of layoffs in the tech sector, companies need to adapt to the changing roles and security expectations around contractors and freelancers.
As Mike Wilson writes for Security Magazine, the coming months of 2023 will provide us with more insight into what economic and political climates might have in store for the cybersecurity industry—but threats are still pouring in. Breaches and attacks come from all angles, exacerbated by global events like supply chain issues and unrest in Ukraine. But another situation is also impacting the threat landscape: weak security policies for contractors.
As cybersecurity demands increase, but budgets are slashed and full-time employees are laid off, the niche is being filled by freelancers. Where there are productivity gaps, there will be contractors; many organizations are turning to consultants and external groups for help, but this approach can be risky for an organization’s security.
Organizations need to be aware of risks associated with contractor roles, and take steps to mitigate them:
Unsecured Wi-Fi? No thanks: VPN, please
One of the benefits of being a freelancer is the ability to live quite a mobile life. Contractors aren’t beholden to a daily office sign-in—instead, they are on their own schedules—which might mean they take Zoom calls from coffee shops or access the cloud from a shared workspace or library. All too often, spaces like these entail unsecured Wi-Fi connections. Using an open Wi-Fi network means contractors are opening your company up to an attack vector.
When establishing expectations with a contractor, or signing a contract, it is recommended that you instruct a freelancer to avoid using public Wi-Fi, but if they must use it, to use a VPN to access sensitive corporate resources. Using a VPN is also a good security practice when working from home, as connected devices like smart TVs or baby monitors can introduce vulnerabilities, and other residents could unintentionally download malware on the home network.
If you’re finding that contractors are still using public Wi-Fi, consider providing them with a VPN solution to protect your network.
As Little Access As Possible
Companies need to be careful about who has access to their systems and applications. Put simply: external groups, such as freelancers or consultants, should only have access to the specific systems and applications they need to do their work.
However, some departments may grant access to external groups without the knowledge of the IT department. This is called “shadow IT” and is an easy way to create many more vulnerabilities for a company, without letting IT in on any protection plan. To prevent this, companies should educate department heads about the importance of IT managing access permissions for external groups and take steps to mitigate shadow IT.
When a freelancer or consultant is no longer working with the company, their access to systems should be immediately cut off, and companies should periodically audit to ensure that no former contractors still have access. Single sign-on systems can help companies manage access permissions and audit what access employees and consultants have.
Tidy Up Password Hygiene
When it comes to passwords, it’s best to assume that everyone is choosing weak passwords and reusing them constantly—because, unfortunately, the majority of folks are.
Due to widespread password habits and general password reuse (or passwords with only small variations on a root), stolen credentials are one of the main origin points for all kinds of cyber attacks—data breaches, ransomware attacks, and more. The most recent Verizon Data Breach Investigations Report found that over 80% of hacking incidents involved the use of stolen credentials.
Password hygiene, and the enforcement of good habits, is even more complicated when companies are employing contractors, who are technically outside of their domain. Best practice guidelines can only do so much, especially for freelancers who are likely to employ the same password for all their clients, and who are also more likely to blur personal and professional boundaries.
The most efficient way to combat this issue is to use a credential screening service. Every time the contractor enters their credentials to log into whichever systems or software they are using for your company, you can check that those credentials have not already appeared in a known breach.
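To show what a credential screening check looks like at login time without the screening service ever seeing the password, here is an added example (not code from the article or from any screening vendor). It follows the range-query, or k-anonymity, design used by Have I Been Pwned's Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned hash suffixes locally. The breach corpus, its counts, the `range_lookup` stand-in for the remote endpoint and the `screen_login` hook are all constructed for illustration.

```python
"""Screen a submitted password against a corpus of known-compromised passwords.

Added example, not code from the article or from any vendor. The service side
is simulated in-process; _BREACHED is a constructed list of a few weak
passwords with made-up occurrence counts, not real breach data.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the common range-API format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: password -> number of times seen (made-up counts)
_BREACHED = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "Welcome1": 8_000,
    "letmein": 200_000,
}

# Service side: index from 5-char hash prefix to {35-char suffix: count}
_RANGE_INDEX = defaultdict(dict)
for _pw, _count in _BREACHED.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]][_h[5:]] = _count


def range_lookup(prefix: str) -> dict:
    """Stand-in for the remote range endpoint.

    Returns every known suffix under a 5-character prefix. The service learns
    only the prefix, so it cannot recover the full hash or the password.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_lookup(prefix).get(suffix, 0)


def screen_login(username: str, password: str, threshold: int = 1):
    """Hook to run at authentication time, after the password has been verified
    against the account. Returns (allowed, message); a breached password is
    rejected so the user is forced through a reset rather than continuing."""
    n = breach_count(password)
    if n >= threshold:
        return False, f"{username}: password seen {n} times in breach data; reset required"
    return True, f"{username}: no breach match"


if __name__ == "__main__":
    for user, pw in [("b.ortiz", "Welcome1"), ("c.dubois", "correct horse battery staple")]:
        print(screen_login(user, pw))
```

The same `breach_count` check belongs at password creation and change as well as at login, so a contractor cannot set a known-breached password in the first place. Using SHA-1 here is not a hashing-for-storage choice; it is the identifier the range-query protocol uses, and the account's stored credential should still be protected with a proper password hash.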
These policies and changes are worth taking the time to invest in. No organization can afford a breach—not the financial impact, not the business downtime, and certainly not the reputational damage. If you’re using contractors for any role, take the time to ensure secure authentication.