Gig workers are here to stay, but they might pose a hidden cybersecurity risk
Whether intentional or not, gig workers can cause security breaches. Here’s how to set your company up for safety.
TechRepublic’s Karen Roby spoke with James Christiansen, VP and CSO of Netskope, about cybersecurity concerns with the gig workforce. The following is an edited transcript of their conversation.
Karen Roby: We talk about the gig workforce. We’re seeing so many people working in such a different way now. The problem with that is cybersecurity becomes a big issue. Let’s talk a little bit about how big of an issue this is because, I mean, again, the gig workforce is just growing exponentially.
SEE: IT expense reimbursement policy (TechRepublic Premium)
James Christiansen: It’s crazy, Karen. Actually, that’s what got me really interested in this subject was the first time I looked at some of the stats, they were unbelievable. I mean, 52% of the participants are from the pandemic. So as people lost their jobs, they went to the gig workforce. What absolutely was stunning to me when I looked at, greater than 90% of the U.S. People polled said they would do a gig job.
Well, that really has two pieces to it. It means that if they’re gig worker like, let’s say, you’ve got Uber workers working for Lyft, direct competitors at the same time, that’s one thing. But when you get into the tech world and you have, maybe your employee is doing a gig, unbeknownst is going to go to a competitor. These stats are just shocking when I saw 90%, that means somebody I’m working with, the stats will say, is doing a gig job on the side. We’ve always had side jobs, but never where the data was so prevalent and could be leaked out to industrial espionage, sensitive data.
We’ll go through, I think, probably some of the examples of the type of people. But it’s that stat, 90%, it’s 3X growth, 300% growth in this area. So, as you said, it is exploding. Half the Millennials use gig jobs, yeah.
Karen Roby: Yeah, significant numbers there really when you think about it, James. The problems that that can pose, again, as far as connectivity and security, and I mean, people are vulnerable, therefore their companies are vulnerable.
James Christiansen: Absolutely, yeah. It’s the problem, of course. We’ve dealt with contractors for a long time. We’ve hired contractors. I even used to work for a contracting company. But that company, I was a full-time employee of, and they made sure I had background checks, I had a secure laptop that I worked from. They would make sure I never worked in a competitor space. Well, these are freelance workers. The gig economy is about freelance workers. As these freelance workers go from gig to gig, that data can accidentally …
I mean, when you look at the insider threat, because that’s what we’re talking about is that new insider threat. In fact, it would be the most difficult one in all my over 25 years that I will have faced because it’s even more difficult than normal insider because of the monitoring aspect. How do I detect them? They can be in so many different roles. I mean, you can have an application developer. I’ve got a great example of a real live case where a developer was doing a gig work. It was actually a funny case. But they could be market analysis, they’re coming in to do pricing analysis for you.
SEE: Juggling remote work with kids’ education is a mammoth task. Here’s how employers can help (free PDF) (TechRepublic)
Well, you give them all your sensitive data, you might give them your top sells men’s names. You might give them how much commissions they’re earning to do their analysis. Well, that data, then when they’re finished with it, how do you know if it gets deleted? How do you know they might accidentally … Like I said, there’s the malicious insider, but then the non-malicious where they just accidentally do something that discloses the data. In fact, that’s probably more prevalent than the malicious insider.
But there’s all these different power workers. I’ve done a number of investigations, cybersecurity, legal investigations, and we’ll bring in external legal counsel helping crunch the data. That’s very sensitive data that after that gig is done could actually be leaked out. So this is why it’s so shocking, and it’s why we absolutely need to talk about it more. I even turned to my global network and said, hey, what do you think about this? What are the best ways of mitigating these risks that we’ve got?
Karen Roby: That leads me to my next obvious question. We know what the problem is. We know that it’s prevalent. So, what do we do about it?
James Christiansen: Well it’s really, first, I think understanding, what are the gig worker attributes? They are going to be here typically short-term, they’re not usually long-term contracts. In fact, some of the normal things we would do is background checks. Well, as you start to think about what do you do, well, how do you do a background check on somebody? It takes two weeks to get a background check done, and they’re only going to be here two weeks.
James Christiansen: It’s really, first, starts with understanding the culture of your company. One of the things that’s always absolutely essential as a successful chief security officer is understanding the culture. Well, in this case, I think we’ve got to start with educating the key executives. What is the gig worker? Why do they pose this threat they do? What kind of threats? And then we can talk about how to mitigate those things. My first suggestion is you’ve got to have a policy within your company about, hey, do we hire gig workers or not? Do we want to stay with more traditional contractors or not?
SEE: Virtual events don’t have to be tiresome: Okta came up with a new way (TechRepublic)
Now, my recommendation for everybody’s lean into it. It is absolutely going to be part of our economy. If you try to fight, it will be like trying to fight cloud. But if you lean into it, then you can say, “Well, let’s get the right things in place. Let’s talk about where and when we use gig workers.” So, you can educate your hiring managers when it’s appropriate to use them. We talked about administrative controls. So there’s three different kinds of controls I would talk about.
First, sets administrative. Giving guidance to your organization about how to use freelance-type help when it’s appropriate, when it’s not. Here’s the things, if you’re going to use them, you should do, so that first set of policies. Then talk about your vendor management policies. You still need to make sure they get a contract in place that has all the liabilities. Here’s something required by law for most industry sectors is breach notification. So, if by chance that gig worker should breach your data, you want to make sure they’re obligated to notify you because that’s absolutely required, so you can do notification investigation.
But if you don’t have that in the contract basis, of course, it becomes that increasing threat. You can find yourself on the wrong time of regular reaction. Then we’re going to talk about new-hire training. Make sure you’ve got it in that new hire … they get the gig worker. Maybe it’s a really skinnied down version, but they are actually educated on your practices, your policies. That awareness training we do with our employees is still really important.
Now, you may even require they use your machine. Now, that’s typical of a contractor, and we’re distinguishing a contractor from a freelancer. Often these are such short engagement, they’re using their own machine. Ensure you can put in there, you have to have these policies, these things. There is automation you can put in there. When they log in to your network, you can actually check their machine to see if it actually does have virus control encryption, some of those things. So that’s more of the technical layer of controls.
SEE: Nearly half of 2020 college grads still haven’t found work (TechRepublic)
Now, the real key thing here is monitoring for this. How do we know that they are engaged in a gig contract? Because one of the key things that really bothers me is most of the time thinking about this, we’re thinking about, OK, I just hired somebody in to do maybe some marketing work or some programming. That’s the one edge of the gig. The other edge is just the most scary is, it could be one of your fellow employees that’s doing a gig assignment. Now they probably don’t intend harm for the companies, they’re full-time employees. But then again, they may just not maliciously link the data. So we have to put these controls in place and monitoring.
Now, the monitoring is the most difficult part because if you used our system, our machine, the same when you used to log in, I absolutely could detect it. But more than likely, the gig user is going to go use a private machine when they’re working on the gig, so therefore I don’t have the monitoring pieces in place. So the best control there is going to be user behavior. What you’ll watch for, and one example is, a normal worker will log in, do a lot of intensive work, and then log out maybe hours later. Well, if you start seeing someone log in, check a few things, then log back out, more likely, they just came to look at that routine they wrote or download something on their machine they’re going to use.
You might spend $100,000 creating a parsing utility for an application code R&D. Well, they need that parsing at the new gig, do you think they’re going to rewrite it? No, they’re going to say, “Well, I did that already. It’s in my toolbox, let me just go get it and I’ll adapt it.” So that’s how these things work. When you think about user behavior analytics, that’s the one place you can start to see differences in behavior of a normal worker, and if this person might be a gig worker. Of course, you’re going to have to restrict the access rules as much as you can. They only have access to the data they want to do that they’re going to use.
Now, depending again on which kind of sector you’re in, so we’ve talked through some of the administrative controls, the technical controls, the detective controls, so now we’re going to think about, well, what other kinds of things I can do? There’s something called virtual desktop, VDI. VDI has been around for a long time. What it does is actually virtualize your whole desktop, so nothing actually gets downloaded. You’ll see it used often in the banking industry where they’re really strict on security. Now, you can implement that to protect yourself on a freelance worker, but the problem is it’s very restrictive. Usually it isn’t a very good interface. While I’ve tried to implement it in a couple of my past roles, it didn’t go over very well.
SEE: 9 ways to make sure you hire the best freelancers for your company (TechRepublic)
The other aspect you can do is call remote browser isolation, where it takes at least that stuff that’s in the browser and isolates it. So, that’s another control where it’s not as restrictive as the VDI, but certainly remote browser isolation is another option. Perhaps one of the best controls you can put in place is digital rights management. What that does is it actually lets you put right in, let’s say you’ve got a PowerPoint, or a Word, or an Excel spreadsheet, you can actually put rights management right on that so that they can open it, but if they try to share it anywhere or it gets out in the loose, it actually can’t be opened because the actual security flows with the document itself.
Again, the only problem there is the used cases. If you go back to my example earlier where it was an application programmer that was leaking code that they had written and used before, that doesn’t work very well in that kind of circumstance.
Karen Roby: James, a lot of things to consider. Some great advice. I think the interesting thing you say, which is really great is just to lean into this because this type of workforce isn’t just going away now that we’re starting to get back to normal. I mean, things are changing and our workforce is changing so quickly. Well, I really appreciate you being here with me today, James.
James Christiansen: It’s something we do need to talk about because it’s that hidden threat that we haven’t really exposed, we haven’t really put the right controls in place. It’s hard to even talk to executive teams about, hey that, you might have workers, the people that you trust might accidentally do something that could harm the company. It’s a cultural change. I mean, that’s the other key thing is, we’re talking about a culture change. When I entered the workforce, you had a lot of loyalty to the company you worked for. At General Motors, people would work there, one job, 30 years.
Karen Roby: Whole life, yeah.
James Christiansen: Now, 18 months, they’re on … there’s no difference between an employee relationship than a contractor when it comes to loyalty, so we can’t rely on that anymore. So, it’s a cultural change that we have to embrace. Like you said, and I said, this is not going away, lean into it, embrace it, understand it, and then let us put the right things in place.