Gold standard cyber security in the ‘gig economy’

With enterprises increasingly reliant on third-party freelancers for certain critical IT skills, the need to secure their businesses from being compromised by remote access is growing exponentially.

Johannesburg, 09 Apr 2020
Read time 5min 20sec
David Higgins, EMEA Technical Director, CyberArk.
David Higgins, EMEA Technical Director, CyberArk.

The ‘gig economy’ is described as many things. On the one extreme, it is depicted as symptomatic of the decline in the traditional nine-to-five day job with a stable income, while on the other, it is viewed as the jet fuel powering the new world economy. 

This new economy is driven by the increasing trend whereby companies hire independent contractors and freelancers, instead of full-time employees, paying them for each individual ‘gig’ they do.

It certainly holds a lot of promise for this continent, and has in fact been dubbed ‘the future of work in Africa’ by the Centre for Global Development, mainly due to the fact that the vast majority of the continent’s workforce are self-employed and freelancers.

As with elsewhere on the continent, this approach also holds true for South Africa, as despite an unemployment rate that remains in the doldrums, analysts suggest the gig economy can play a big role in alleviating the problem of joblessness in the country.

While the typical gig economy worker is usually, as an example, described as a part-time Uber or Deliveroo driver, the fact is that IT contracting is a very common gig economy role. In fact, even traditional retail and corporate powerhouses now comprise a mix of full-time, part-time and short-term workers. This ensures they can remain nimble, cost-effective, and able to adapt to changing market conditions in a fast-paced, technology-led environment.

It is unsurprising that a large portion of the gig economy is dedicated to IT, since it is in line with how modern enterprises approach IT in general. Being able to deploy more or less IT expertise as the situation demands is akin to usage of cloud services. It’s quick, it’s flexible, and it meets the changing needs of the business.

One thing that it is not, though, is inherently secure. The risk model has shifted from a model built around controlled environments; ie, corporate networks.The perimeter – the first line of defence – was a known quantity and yes, it had holes, but generally IT departments were aware of where the weak points were. Now, the perimeter is at best distributed, and at worst non-existent. Put bluntly, the risk is that companies can no longer enforce security on the end device, as they may have no jurisdiction or control over it.

The challenge arises because IT workers perform some of the more crucial roles in 21st century organisations, since every business relies on information and technology in order to function. It’s assumed that large quantities of critical data, and at least a few critical assets, will need to be stored and managed in order for the business to serve customers, meet manufacturing deadlines and more. Therefore, it is common that IT employees are subject to strict security oversight.

However, when these roles are performed by remote third-parties, short-term contractors or otherwise not by permanent, trusted staff that are office-based, security simply has to adapt to this new way of working. After all, as flexible workers plug into an organisation’s network and access sensitive company systems from outside the physical perimeter of the office, these organisations need to ensure they have strict security protocols in place to mitigate the elevated risk that this entails.

They also need to ensure that remote gig workers are only accessing what they need to, instead of trusting them with sweeping access to everything. Risk factors include accessing networks from personal devices that lack enterprise-grade security, or from home networks that could be easily compromised. In this scenario we are far away from a world where security teams are able to enforce policy on devices within the traditional network. Now, often they will have no control at all over the device being used by the external party to connect in and, similarly, not being able to ensure the security of the location where the device is connecting from; for instance, a home WiFi network.

According to CyberArk global research, 90% of enterprises allow third-party vendors access to their critical systems and 72% put third-party access in their top 10 security risks. This indicates the problem is widespread and the risk is understood.

The real issue, then, is whether it is acted upon. If not, gig economy workers put themselves and their employers at risk of data breaches, leaks of confidential information and more. However, recent advances in technology mean the shortcomings of older ones – like virtual private networks (VPNs) – in securing remote workers can now be overcome.

Some of the ways to do this include using biometrics, Zero Trust and just-in-time provisioning, all of which can and should be employed to reliably authenticate remote vendor access to the most sensitive parts of the corporate network. In the gig economy environment, where endpoint devices have disparate levels of security and the office environment can be a café, car or home office, it is clear that cyber security needs to match the flexibility of modern working. The place where organisations can reliably enforce policy is at the point of connection and the access that they require into systems. This needs to be recognised and implemented.

Technology is ultimately the glue that holds the gig economy together, building platforms that enable the agile and flexible matching of supply and demand, and the analytics to optimise it all. It connects freelancers with their clients and businesses with the skills they need. It is obvious that remote working is only going to continue to grow – possibly spurred to new heights by the COVID-19 lockdown – which means it is imperative that organisations considering making use of the gig economy tighten up and improve their security sooner, rather than later.