Security and the Gig Economy

The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.

Over the last few years, the rise of the gig economy – the trend of workers doing jobs as independent contractors who bring their skills to potentially multiple companies at a single time and often work remotely – has created one of the biggest changes in the working environment since the advent of the 40-hour work week. 

And this change is more than burying the old-school practice of working at the same company for 30 years and retiring with a pension. Today, it’s not uncommon at all for workers to light out for greener pastures after only a few months with an organization. Staying at a company for two, three or even four years might qualify someone as the proverbial “Old Timer” around the job place.

This change in attitudes, culture and types of work with the gig economy has also forced many companies to reassess how they approach their network security. Dealing with employees who may never go into the office presents organizations with having to employ new security strategies to ensure that these gig workers, who may be necessary, are also managed properly in order to reduce the risk they pose to a business’ network infrastructure.

That was the topic of a presentation at the RSA Conference 2021 on Monday entitled “The Risk You Never Knew Existed: Security and the Gig Economy,” from James Christiansen, vice president and chief security officer at cloud security technology company Netskope. Christiansen said the increase in gig workers has created an environment where companies have to employ new strategies and tactics that will allow them to benefit from the use of gig workers, yet also reduce the chances that those often-temporary employees could wreak havoc on a network environment.

Christiansen said companies need to look at a “grand strategy” for gig economy protection. This includes a strategy of employing risk analysis, reducing a potential attack surface and understanding the best-practice controls to put in place. As part of this strategy, Christiansen said organizations need to use tactics involving technologies, processes and their own people to beef up security measures across their networks

According to Christiansen, the reasons for these approaches are simple. Gig workers often use their own personal computers, which may or may not be as secure as those of traditional workers, and they may be using their work time to compile sensitive information about a corporate network. Also, with short-term contract workers, background checks for those involved with sensitive information are often overlooked. By the time a company gets around to running a background check on a gig worker, that person could already be out the door after purposely or inadvertently causing mayhem on a network system. Or, they may have even left with pilfered information in hand.

Among the steps Christiansen said companies need to take with regards to gig workers and security are to do a risk assessment of a network and use those results to build a new protection plan. And that plan should be a three-pronged effort that involves the following controls:

• Administrative. This would include clear directions from the executive team on the appropriate use of gig workers and requirements for legal agreements with gig workers.
   
• Process. These involve improved training of newly hired gig workers, safeguards that are implemented to prevent the bypassing of vendor management and an awareness of the risks surrounding the use of gig workers.
   
• Technical. These would include practices such as watching when a worker comes online and then goes back offline, encrypting dates that requires authorization at the time it is used, and putting roadmaps in place for assessing risks and what to do when security issues occur with gig workers.

Christiansen said it helps to keep in mind that the gig economy is here to stay. And while the gig economy and the gig worker present new insider threats, this is also a good time to embrace the situation and look at ways to improve your organization’s overall security strategy.