If You Use Freelancers, Do You Need to Educate Them About Security Awareness?
Hopefully, your freelancers are security-aware. However, it is up to you to put policies into place to protect yourself from rogue or shoddy security practices by any employee, on-site or remote. Similarly, it is up to remote workers to protect themselves from vulnerable clients when working from home.
In this article, we will look at why security awareness for freelancers is important and provide some tips and insights to help you include remote workers in your security culture.
Why Is It Important a Business Knows a Freelancer Is Security-Aware?
Business systems face risks from any external entities that have access to their networks, including third-party vendors, consultants, short-term contractors, employees using their personal devices at work (BYOD) and guests.
Freelancers are easy targets for cybercriminals (and, by extension, potentially you). According to an article by Kaspersky, this is largely because freelancers communicate and exchange media with a wide array of clients “they don’t know personally.”
On Twitter, the MalwareHunterTeam warned that fraudsters were targeting freelancers by advertising work on online job boards. The details of these jobs were supposedly contained in a .doc file, a file format some people regard as safe to download. As Kaspersky notes, it is not only executables that are dangerous; Office documents may contain macros that install Trojans and other malware on users’ computers.
Never enable macros (Source: MalwareHunterTeam)
An Imation survey of 1,000 UK and German remote workers found that an astonishing percentage had a laissez-faire attitude to security:
- Only 36 percent said they encrypted their data
- 40 percent had lost or had a device stolen or knew someone who had
- 8 percent acknowledged they had knowingly broken a client’s security policy
According to Cisco’s 2018 Mobile Security Report, more than 50 percent of CIOs surveyed said they suspected their mobile workers had caused a security issue in the previous year.
Business concerns about remote workers (Source: iPass)
How Can a Business Educate Freelancers About Security Awareness?
Role-Based Security Awareness
People’s attitudes to security vary. An interview with a remote worker, references and job history can give you an indication of how professional, conscientious and security-savvy an individual is. If you are still bent on employing someone displaying a somewhat lackadaisical approach to security, you should include them in your in-house security awareness program or devise a custom program for them, one which will be handy for any third parties you work with too. It is easier than you think, as a security awareness program should be role-based anyway.
12 Tips for Including Freelancers in Your Security Culture
Awareness training doesn’t have to be conducted on-site. There are many ways you can keep your freelancer up to date with security issues, share your security policies and conduct training exercises.
There are also tons of free and paid applications to help you work more effectively with freelancers. Do try not to bog them down too much with complex workflow processes or request they download desktop software, as they probably have different procedures for each client. Lackadaisical remote workers may try to circumvent these controls.
- Security handbook: Do you have a security handbook? Templates are widely available in PDF or .doc formats. Keep your security memos, policy handbook and news and events in a centralized Wiki or online repository for easy access. You could use Dropbox for Business to share documents with your freelancers and keep them off your network completely.
- NDA: Always make a freelancer sign a non-disclosure agreement. You can download one-way and mutual NDA templates from Legal Templates.
- Password control: This is one of the most important aspects of security, but you won’t know whether your freelancer is using strong passwords at home while working on your confidential projects. Although password policy is sometimes difficult to enforce with a freelancer, at the very least you can make them aware of it. Suggest they download an open-source password manager like KeePass, “arguably the most trusted password manager invented” according to Hacker Noon.
- Secure mobile messaging: Use secure messaging to communicate with your freelancer. Be aware of the risks in communicating confidential information in emails and messaging apps. Softpedia recently reported the case of a WhatsApp user finding that “when setting up WhatsApp on a new device using a new phone number, the full message archive of the previous owner was restored on the phone.” At the time of writing, WhatsApp had not responded to what seems to be (another) bug in the software. Make Tech Easier has reviewed a number of alternatives, including apps that allow you to schedule message self-destructs.
- Web collaboration: Use Trello to track the progress of multiple users on big projects.
- Online group training: Involve your freelancer in online training with other employees. Remote workers benefit from being included in a team so they can keep abreast of developments at an organization, get to know their colleagues and freely exchange knowledge. It will also make them more amenable to following company security best practices.
From Apache: “OpenMeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming.” Totally free.
- VPN: Remote workers should always work through a Virtual Private Network (VPN) on all their devices.
- Data access: Configure strict role-based access controls to your data (the principle of “least privilege”) and make sure your freelancer only has access to the information they need to do the job. Set up a sandpit environment in which freelancers documenting your system can explore products. Remove all access privileges from the freelancer when the project ends.
- Two-factor authentication: If your freelancer needs to access your network, make sure you use 2FA. One common form of 2FA is when, after entering their password, a code is sent to their cell phone to verify their credentials.
Keeping It Simple
- Isolate tasks: Break jobs down into small chunks which can be secured on completion so that if a remote worker’s device is breached, less data is compromised.
- Be sensitive about your freelancer’s own security issues: Freelancers don’t know if the job they’ve landed on Fiverr or Upwork is genuine or a ploy to trap and attack them. Neither do they know if a genuine client has sloppy security, sending them documents riddled with viruses or giving them access to a network you are not aware is compromised. Send them the complete guide to freelancer security from InfoSec Institute: Security Awareness Issues For Remote Workers.
- Make security awareness fun: More organizations are beginning to realize the value of games to reinforce security awareness training.
In Conclusion: DO You Need to Educate Freelancers About Security Awareness?
A global Cisco study found that although remote workers claimed to be aware of security issues (66 percent in the U.S.), their behavior indicated they did not necessarily know how to practice good security. For instance, 30 percent of the workers surveyed said they used their client’s computer for personal use and 43 percent of global workers surveyed admitted to online shopping on work computers for the reason that they would never have the time to get personal things done if they didn’t do them at work.
By choice, freelancers tend to prefer to work alone. It is important to be sensitive to their needs and integrate them into your security culture with as little effort needed on their part as possible.
Sources
- 6 security tips for freelancers, Kaspersky
- MalwareHunterTeam, Twitter
- Imation security survey, Imation
- 2018 Mobile Security Report, iPass
- WhatsApp fixes bug that let hackers take over app when answering a video call, ZDNet
- Cuberdom spots security breach in 3 banking apps, New Indian Express
- 3 ways to use Dropbox for Business to work smarter with freelancers, Dropbox
- Creating Non-Disclosure and Confidentiality Agreements, Legal Templates.net
- The Best Password Manager for You, Hacker Noon
- Possible Bug in WhatsApp May Provide Others With Access to All Your Messages, Softpedia
- 10 Alternatives to Whatsapp that Actually Respect Your Privacy, Make Tech Easier
- OpenMeetings, Apache
- Security Awareness Games, University of Adelaide
- Understanding Remote Worker Security: A Survey of User Awareness vs. Behavior, Cisco