CyberArk Vice President of Solution Engineer, APJ, Jeffrey Kok says that in the gig economy, users’ devices have disparate levels of security; therefore, cyber security must match the flexibility needs of remote workers.
By Jeffrey Kok
The rise of the gig economy has been viewed in many ways. In some areas it is symptomatic of the decline of the traditional nine-to-five work day in an office. In others, it is seen as the jet fuel powering the new world economy.
Improvements in connectivity are making picking up a gig as simple as ordering groceries or finding a date, and this is altering the way that people approach work. In 2019, Singapore’s Ministry of Manpower reported that 196,000 residents were self-employed, without employing any paid employees, accounting for 8.8 percent of the entire workforce.
The gig economy is not just changing the workforce picture for high-profile firms, such as Grab and Deliveroo. Even traditional companies are now comprised of a mix of full-time, part-time and temporary contract workers. This is helping all companies remain nimble and manage costs in a fast-paced, technology-enabled market.
The hiring of IT department contractors is a natural outcome of the development of the gig economy. The MOM’s labour force report last year stated that 5,700 self-employed workers provided information and communications services.
This is in line with how modern enterprises approach IT in general. Deploying more or less IT expertise, as situations demand, is akin to the best-practice usage of cloud services: the speed and flexibility meet the changing needs of the business.
However, this approach to hiring workers is not as inherently secure as cloud services because the risk model has shifted. Before, IT departments managed a model built around controlled environments (i.e. corporate networks). The perimeter, or the first line of defence, was a known quantity that gave IT departments a general awareness of its weak points. Now, the perimeter is distributed at best and non-existent at worst, which removes the ability for companies to enforce security on end devices.
Additionally, IT workers perform many of the more crucial tasks because of the extent to which businesses rely on data and technology to operate. Large quantities of critical data, and some assets, are also stored and managed so that businesses can serve customers, meet manufacturing deadlines, and run other crucial processes. Permanent IT department employees are commonly tasked with this oversight; however, in more and more situations, remote third parties or contractors are performing these roles, and security practices must adapt.
As contract workers access networks and sensitive company systems virtually, strict security protocols need to be in place to mitigate the elevated risk of this access. Companies should also restrict the contractors’ access to what they need. With workers accessing networks from personal devices that lack enterprise-grade security, or from networks that could be easily compromised, security teams now have no control over the security of the network.
According to our previous research, 90 percent of organisations with 250 or more users allow third-party vendors to access their critical systems. Seventy-two percent also consider third-party access as one of their top 10 security risks. This shows not just how common it is to provide this level of access, but also how well the risk is understood.
The problem is that companies are not acting on this knowledge, and current approaches are not designed for efficiency, or consistently applied across on-premises and cloud environments. Solutions for third-party privileged access to company systems must provide basic security best practices that align with established policies for internal employees.
Advances in technology highlight the shortcomings of existing technologies, such as VPNs, in securing remote workers, and can be used with relative ease to overcome these limitations. Biometrics and zero trust policies should be employed to authenticate remote access to the most sensitive parts of the corporate network. These forms of authentication deliver the flexibility and ease of use that modern remote workers need by using the remote workers’ own devices.
In the gig economy, where contractors’ endpoint devices have disparate levels of security and the office can be anywhere, organisations’ cyber security needs to match the flexibility of modern working. Policies that are made and enforced at the point of connection, and provide only required access, can help organisations take control of cyber security.
(Ed. Jeffrey Kok says he is responsible for managing the entire presales lifecycle at CyberArk. Kok has over 17 years’ experience in the cyber security industry, serving in organisations including RSA, Cisco Systems, Nera Telecommunications and the National University of Singapore. Kok holds a Bachelor of Applied Science in Computer Engineering from the Nanyang Technological University and CISSP certification. Featured image by Photographer Andrea Piacquadio.)