5 Minutes with: Jasson Casey, CTO at Beyond Identity

In today's highly-connected world, organisations increasingly opt for a gig model, leading to short-term workers and contractors plugging many of the skills gaps impacting organisations. However, gig workers can pose serious cybersecurity risks for the company by remotely accessing sensitive corporate data on their own devices.

This month, Cyber Magazine hears from Jasson Casey, Chief Technology Officer at Beyond Identity, about the cybersecurity risks posed by the gig economy and the need for innovative solutions.

Before his current role, Casey served as CTO of SecurityScorecard, VP of Engineering at IronNet Cybersecurity, and Founder and Executive Director of Flowgrammable, among other technical and executive roles.

How is cybersecurity at risk from gig workers?

JC: As the world becomes increasingly connected, more businesses and workers are embracing the gig model, with companies opting for short-term workers and contractors over full-time employees, leading to the growth of the gig economy. 

In 2021, over one-third of the US workforce freelanced, totalling 59 million Americans, and as of January 2023, freelancers represented 17.5% of the entire UK workforce. Although the gig economy offers advantages to independent contractors, using personal devices to access sensitive corporate data can pose serious cybersecurity risks for companies. It is essential to understand these risks and implement robust security protocols and proactive measures.

Research by Beyond Identity indicates that short-term contractors may enjoy long-term access to corporate data and accounts. They may also be accessing this data from devices that are not well secured. This access ranges from financial affairs (87%) to communications channels (64%) to operational processes (63%). This risks significant corporate data breaches, social media hacks and phishing attempts.

Why is following protocol so important?

JC: Contractors are also less likely to follow established security protocols to protect devices. According to the survey findings, 62% of companies required contractors to adhere to security protocols during the onboarding process. Most gig workers surveyed reported complying with this requirement by using complex passwords that are regularly changed. While multi-factor authentication and firewalls were identified as top security measures contractors took to guard against cyberattacks, less than half of the respondents confirmed using these safeguards.

There are over 2,000 cyber attacks every day, leading to more than 800,000 people or businesses being compromised each year. One of the leading causes is human error, with 88% of attacks attributed to mistakes. Failure to adhere to security protocols can thus have significant consequences.

Sadly, the research revealed that 76% of freelancers had been hacked while working on a gig. This has resulted in 64% having an average of US$260 stolen, usually by unauthorised purchases. At the same time, 60% of gig worker usernames and passwords have been stolen, providing an access point for data theft.

Tell us about the importance of putting training first?

JC: Hacking attacks are frequently the result of employee mistakes, making those who use gig workers responsible for ensuring they are adequately trained in cybersecurity processes. Adversary methods change constantly, and we need to stay up-to-date with all the latest techniques. Prevention is better than a cure, so organisations should start with a robust security protocol and comprehensive training.

Training can be as simple as highlighting the potential harm of phishing scams, malware, and other forms of cyberattacks; encouraging phishing-resistant multi-factor authentication; and teaching about the danger of clicking on unknown links or downloads. Better yet, organisations across the board should move to passwordless technology and phishing-resistant MFA for the internal systems that gig workers access. It is also worth ensuring you hire the right workers by joining the 69% of businesses that perform background checks on gig workers. That helps avoid hiring someone with a history of cybercrime.

How can organisations minimise disruption?

JC: Although many companies prioritise cybersecurity protocols before and during gig work, implementing measures after the gig is over is equally essential, if not more crucial. These post-gig measures are critical to maintaining cybersecurity and ensuring that sensitive data remains protected, which might come as a shock to the 33% of respondents who said that they only sometimes change internal passwords after a gig worker has finished their contract.

Gig workers can also be a source of frustration with regular requests for access. According to the research, 40% of managers are contacted daily for this reason, with another 35% being bothered a few times per week. This adds up to 34 minutes per day spent on these tasks, which explains why it might be tempting to forget to change passwords.

Undoubtedly, COVID-19 and the ongoing evolution of the gig economy have turbocharged the number of contractors. It is clearly a flexible, cost-effective model that has benefits for employers and contractors alike; however, security must remain paramount at all times. Temporary passwords and restricted access are a limited solution but remember to revoke access and update passwords post-contract. That way, both the employer and gig worker can work safely and securely today and in the future.