Expanding Gig Economy Raises Security Concerns
COVID-19 has fundamentally changed traditional labor models and employment conditions. Many 9-5 office workers, having proved they can be just as productive working from home, expect flexible arrangements to continue post-pandemic, including the option to work from anywhere. And, at a time when all organizations are carefully managing human capital expenses, the demand for gig workers to fill resource gaps grew at an exponential rate. In fact, amid the pandemic, 23 million new participants—in the US alone—joined the gig economy to supplement their income or to become full-time independent workers.
According to a study by ADP Research Institute, the gig economy accounts for a third of the world’s working population and includes a wide variety of positions. Whether hiring artistic labor or deep technical expertise, or arranging for the short-term help of personal assistants, the gig economy enables organizations to be increasingly nimble and efficient in making use of outside talent at just the right times with as few hurdles or delays as possible.
As the demand for alternative labor arrangements grows, the use of software and web-based platforms to facilitate and automate gig work has evolved. Early examples include the use of technology to facilitate peer-to-peer transactions (e.g., Airbnb, Uber). Today, gig platforms support a wide array of digital transactions involving the exchange of goods and services, as well as sensitive data.
Gig workers are unique insider threats
While the benefits of the gig economy are evident for both employers and workers, the practice of hiring outside talent or leveraging unvetted platforms fundamentally clashes with the business imperative to monitor and safeguard sensitive data. Large-scale breaches of corporate networks have already been tied to outside contractor and vendor firms. For example:
- In 2013, the large-scale hack of retailer Target was traced back to their HVAC vendor
- In 2018, cybersecurity firm BitSight found that over 8% of healthcare and wellness contractors had disclosed a data breach since January 2016, along with 5.6% of aerospace and defense firms
- In 2020, a ransomware attack on Visser Precision exposed NDA and product plans for Tesla and SpaceX
In these cases, firms rather than individuals were implicated, but the lesson is clear: trusted insiders of any stripe pose a security risk. Unfortunately, gig workers who require remote access to corporate data to do their work are the least visible to security teams.
To complicate matters further, gig workers often use their own equipment and network connections to perform work for multiple companies at the same time. This means traditional visibility instrumentation such as client agents or VPNs may be restricted. Direct oversight in many cases is not feasible, resulting in a reliance on automation to provision, facilitate, and de-provision appropriate network and application access.
Machine learning is increasingly used to help security teams grapple with growing scale and shrinking visibility. Here too, gig work poses unique problems: how does one produce behavioral baselines for an actor who only uses the network for a few days or weeks and then never again? Once produced, how can they be effectively managed and utilized?
Are your security controls adequate?
Despite these challenges, organizations still need effective strategies to determine whether their data is safe and to feel confident that they can identify and deal with any threats.
Emerging security approaches such as Secure Access Service Edge (SASE) and Zero-Trust Network Access (ZTNA), coupled with well-defined role-based access control (RBAC), will be necessary to effectively manage gig workers according to principles of least access. But provisioning access is only part of the security story.
Network visibility has always been a critical component of ensuring that security controls are effective. New sources of telemetry will be needed to complete the picture, coupling events from SASE components with traditional packets and flows to paint a full picture of interactions from start to finish. Policy-aware visibility and population-based machine learning techniques will be needed to help analysts make sense of what they’re looking at—alongside, perhaps, techniques not yet dreamed up.
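One way to read "population-based" for a worker with no history of their own, as an added example that is not Riverbed's method or product code: score the worker's day against past workers in the same role, using a median/MAD modified z-score. The role name, the `mb_out` and `hosts` fields, the sample records and both thresholds are assumptions constructed for illustration.

```python
from statistics import median

MIN_PEER_DAYS = 8   # assumed minimum cohort size before a baseline is trusted
THRESHOLD = 3.5     # commonly used cut-off for the modified z-score

# Constructed sample data: one record per worker-day for past workers in a role.
# mb_out = MB transferred to the worker, hosts = distinct internal hosts contacted.
PEER_DAYS = {
    "contract-designer": [
        {"mb_out": 120, "hosts": 3}, {"mb_out": 95, "hosts": 4},
        {"mb_out": 140, "hosts": 3}, {"mb_out": 110, "hosts": 5},
        {"mb_out": 130, "hosts": 4}, {"mb_out": 105, "hosts": 3},
        {"mb_out": 125, "hosts": 4}, {"mb_out": 115, "hosts": 4},
    ],
}

def robust_z(value, samples):
    """Modified z-score from median and MAD; resistant to a few outlier peers."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    if mad == 0:
        # Every peer behaved identically: any deviation is maximally unusual.
        if value == med:
            return 0.0
        return float("inf") if value > med else float("-inf")
    return 0.6745 * (value - med) / mad

def score_day(role, day, peers=PEER_DAYS):
    """Return the features on which the worker exceeds the role cohort.

    Returns None when the cohort is too small to act as a baseline, so the
    caller can fall back to static access policy instead of trusting noise.
    """
    cohort = peers.get(role, [])
    if len(cohort) < MIN_PEER_DAYS:
        return None
    return [f for f in sorted(day)
            if robust_z(day[f], [d[f] for d in cohort]) > THRESHOLD]

if __name__ == "__main__":
    # A first-day worker pulling far more data than any peer in the role.
    print(score_day("contract-designer", {"mb_out": 2400, "hosts": 5}))
```

The score is one-sided because the concern here is access or transfer in excess of what the role normally needs; the cohort itself should be rebuilt as assignments end so departed workers' data ages out.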
In addition to technology-based controls, organizations should establish clear, contractually imposed requirements for gig workers, covering everything from basics like antivirus software on their laptops to expectations for handling data upon finishing their assignments. Essentially, when it comes to gig workers, organizations can’t sacrifice proper vetting and due diligence for speed.
Flexible, distributed work is here to stay
The gig economy has brought dynamic growth to companies and flexible opportunities to workers. But business and IT leaders need to be prepared for the visibility and security challenges posed by gig workers—as well as their own employees who are working remotely—because these trends represent the future of work.
At Riverbed, we see our role as a trusted visibility advisor to our customers, helping guide them through the challenges of maintaining visibility—and thus security and auditability—while staying nimble. We continually monitor, plan and innovate to address these trends so that our customers can take full advantage of modern work practices, as well as transformative technologies, without giving up control over security and performance.