Can You Trust That Contractor’s Device? Cybersecurity for the Gig Economy

Posted on May 25, 2022

Freelancing is a rapidly growing career path. A growing number of individuals have discovered that they enjoy the flexibility and freedom provided by being an independent contractor – and can match or exceed what they would earn in a conventional job. Unlike earlier generations that were leery of an entrepreneurial approach to a career, many Gen Z workers see greater job security in having several clients than in having all of their eggs in the basket of a single employer. Freelance platforms such as UpWork, Fiverr, and Toptal make it easier than ever for freelancers to find clients.

The pandemic has pushed more people to freelancing than ever: 36% of all workers reported they were full-time freelancers in 2020, a 28% increase in a single year.

For employers, the picture is a bit more complex. Agility, cost reduction, quality of service and the ability to draw on people with highly specialized skill sets for particular projects have been driving increased outsourcing to contractors as well as to individual freelancers. Increasing economic uncertainty is likely to further increase outsourcing, as organizations reduce headcount to reduce costs.

Many organizations, however, have discovered only after the fact that effectively managing third-party suppliers requires significant dedicated internal resources. Another factor that is often overlooked – until there’s a problem, that is – is the cybersecurity risk associated with gig workers and third-party contractors.

Cybersecurity Risks from Contractors

Freelancers and third-party contractors often function as extensions of your internal teams, and as such, often need – and are granted – access to your network, software, and cloud apps to get their jobs done.

The catch is that since they are not employees, they typically do not use a company laptop and mobile device, or even personal devices that have been vetted by IT and/or fitted with security controls. It’s a “bring your own device” kind of situation, but a riskier one than organizations face with their employees, since security controls cannot be enforced on contractor devices.

If a contractor’s device has been infected with malware, that malware could easily spread to your network, potentially exposing your organization to all kinds of threats, from credential compromise to loss of sensitive information to ransomware.

What About WAFs?

Web application firewalls (WAFs) are the classic answer for this issue. “Classic,” in this case, meaning “outdated.” WAFs serve as reverse proxies, protecting servers from exposure to malicious devices. Just like traditional firewalls, however, WAFs are poorly suited for today’s perimeterless age. WAFs rely on policy engines applying fixed rules and identifying known patterns – an approach that simply can’t work in our age of zero-day acceleration. And indeed, in a Ponemon Institute survey, 65% of respondents indicated that attacks on their organizations’ application tiers bypassed their WAFs. WAFs are also management-intensive, requiring an average of 2.5 security admin FTEs to process alerts and write new rules that are meant to enhance WAF security but, in the end, are largely ineffective.

Web Application Isolation to the Rescue

Web Application Isolation (WAI) presents a smarter, cloud-first and much more effective alternative to outdated WAFs. WAI inverts Remote Browser Isolation (RBI), leveraging isolation to protect internal networks from risk-laden devices, rather than protecting devices from threats hidden in websites, emails, instant messages and attached files. RBI opens content from websites and emails in single-use, isolated cloud-based containers, where all code – including malware – remains. A safe stream of rendering data is sent to the user’s browser, where they can interact with it as they would with the original website – only without the risk. At the end of the session, the container is destroyed.

WAI routes all interactions between unmanaged devices and your organization’s apps, data and networks via cloud-based containers, creating an airgap that prevents direct interaction. Only safe data that is rendered in the container reaches your network or apps; all other code – malicious or benign – sent from the device remains in the container until the session ends, when it’s destroyed. Even if an unmanaged device is infected with malware, no malicious code reaches your network or apps.

Additional Protections for Your Network

ZTEdge Secure Access for Third Party Unmanaged Devices is unique among WAI providers in that it does not require the contractors, freelancers, or gig workers who access your network to install any software or agents on their computers or mobile devices. All they need is a standard web browser. Your IT department doesn’t need to worry about contractors keeping their software up to date or about remotely managing agent installation.

ZTEdge makes it easy to set highly granular access policies that give contractors access to only the apps and data they need to do their jobs. And when their contracts run out, it is simple to disable their access with just a few clicks.

Sensitive data can be safeguarded from exposure by policies that block downloads and limit or prohibit cut-and-paste capabilities. DLP can be applied as well to protect PII. Because WAI keeps data from being cached in users’ browsers, sensitive data is not at risk in the event that a device is stolen or lost.

Further protections include sanitizing uploads to prevent infection and enabling apps to be used in “read only” mode.

There are benefits to using WAI not just for contractor access but for your website as well. By routing all access via WAI, your website is “dark” to attackers wishing to explore your attack surface. Hackers attempting to probe your site or app will see only a few lines of code generated by ZTEdge RBI.

Securing Access to Cloud-Based Apps

Cloud-based apps have simply become the way many businesses work. As a result, contractors often need access to a company’s cloud-based apps, such as Office 365.

A typical defense used with cloud-based apps is restricting access to particular IP addresses, but with so many workers working from remote locations, and in many cases using a number of networks, IP-based access control is a challenge. Each organization’s WAI tenant, however, has a permanent, location-agnostic IP address. Requiring contractors (and employees, for that matter) to access web apps solely via WAI enables organizations to restrict their activity within the app. Policy-based controls may limit the files a user can access or, for instance, limit them to only viewing files but not making changes.
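A check that the restriction described above is actually holding, as an added example (not Ericom or ZTEdge code): it scans sign-in records for a cloud app and reports successful sign-ins that did not arrive from the WAI tenant's address. The egress address, the log field names and the sample records are constructed assumptions, not a vendor log schema.

```python
import ipaddress
import json

# Assumption: the WAI tenant's fixed egress address (RFC 5737 documentation range).
WAI_EGRESS = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed sign-in records; the field names are hypothetical.
SAMPLE_LOG = """\
{"user": "contractor1@example.com", "app": "Office 365", "src_ip": "203.0.113.10", "result": "success"}
{"user": "contractor2@example.com", "app": "Office 365", "src_ip": "198.51.100.7", "result": "success"}
{"user": "contractor1@example.com", "app": "Office 365", "src_ip": "::ffff:203.0.113.10", "result": "success"}
{"user": "contractor3@example.com", "app": "Office 365", "src_ip": "198.51.100.99", "result": "failure"}
{"user": "contractor2@example.com", "app": "Office 365", "src_ip": "not-an-ip", "result": "success"}
"""

def via_wai(src_ip, allowed=WAI_EGRESS):
    """True if src_ip is inside the allowlist; unparseable input is never trusted."""
    try:
        addr = ipaddress.ip_address(src_ip.strip())
    except ValueError:
        return False
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so dual-stack logs compare correctly.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed if net.version == addr.version)

def direct_signins(log_text, allowed=WAI_EGRESS):
    """Return (user, src_ip) for successful sign-ins that bypassed the WAI address."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("result") != "success":
            continue  # a rejected attempt means the IP restriction did its job
        src_ip = str(event.get("src_ip", ""))
        if not via_wai(src_ip, allowed):
            findings.append((event.get("user"), src_ip))
    return findings

if __name__ == "__main__":
    for user, ip in direct_signins(SAMPLE_LOG):
        print(f"bypass: {user} signed in from {ip}")
```

Any finding means the app accepted a session from outside the isolation path, so the IP restriction on the app side is missing or misconfigured for that user.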

Conclusion

Third party contractors, freelancers and gig workers are integral and essential to the operations of many businesses. Organizations are becoming increasingly aware of the risk posed by users who access their systems on unmanaged devices, and the very real threat that they present.

ZTEdge provides a simple, affordable way to secure your IT assets in today’s complex world, where users who may or may not be employees are accessing apps and data that may reside on your network or in the cloud. Check out our case study to learn how one multinational IT consultancy secured their HR apps with Ericom Web Application Isolation.


About Mendy Newman

Mendy is the Group CTO of Ericom's International Business operations. Based in Israel, Mendy works with Ericom's customers in the region to ensure they are successful in deploying and using its Zero Trust security solutions, including the ZTEdge cloud security platform.
