If You Use Freelancers, Do You Need to Educate Them About Security Awareness?
Hopefully, your freelancers are security-aware. However, it is up to you to put policies into place to protect yourself from rogue or shoddy security practices by any employee, on-site or remote. Similarly, it is up to remote workers to protect themselves from vulnerable clients when working from home.
In this article, we will look at why security awareness for freelancers is important and provide some tips and insights to help you include remote workers in your security culture.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Why Is It Important a Business Knows a Freelancer Is Security-Aware?
Business systems face risks from any external entities that have access to their networks, including third-party vendors, consultants, short-term contractors, employees using their personal devices at work (BYOD) and guests.
Easy Targets
Freelancers are easy targets for cybercriminals (and, by extension, potentially you). According to an article by Kaspersky, this is largely because freelancers communicate and exchange media with a wide array of clients “they don’t know personally.”
On Twitter, the MalwareHunterTeam warned that fraudsters were targeting freelancers by advertising work on online jobs boards. The details of these jobs were supposedly contained in a .doc file, a file format some people regard as safe to download. As Kaspersky notes, it is not only executables that are dangerous; Office documents may contain macros that install Trojans and other malware on users’ computers.
Never enable macros (Source: MalwareHuntTeam)
Poor Attitudes
An Imation survey of 1,000 UK and German remote workers that found an astonishing percentage had a laissez-faire attitude to security:
- Only 36 percent said they encrypted their data
- 40 percent had lost or had a device stolen or knew someone who had
- 8 percent acknowledged they had knowingly broken a client’s security policy
Business Concerns
According to Cisco’s 2018 Mobile Security Report, more than 50 percent of CIOs surveyed said they suspected their mobile workers had caused a security issue in the previous year.
Business concerns about remote workers (Source: iPass)
How Can a Business Educate Freelancers About Security Awareness?
Role-Based Security Awareness
People’s attitudes to security vary. An interview with a remote worker, references and job history can give you an indication of how professional, conscientious and security-savvy an individual is. If you are still bent on employing someone displaying a somewhat lackadaisical approach to security, you should include them in your in-house security awareness program or devise a custom program for them, one which will be handy for any third parties you work with too. It is easier than you think, as a security awareness program should be role-based anyway.
[FREE Posters] Warn End Users About Threats Lurking in Their Inboxes
Warn your workforce about threats lurking in their inbox. Hang a new poster in common areas every week to boost security awareness in a fun, digestible way.
Download These Free Training Posters
12 Tips for Including Freelancers in Your Security Culture
Awareness training doesn’t have to be conducted on-site. There are many ways you can keep your freelancer up to date with security issues, share your security policies and conduct training exercises.
There are also tons of free and paid applications to help you work more effectively with freelancers. Do try not to bog them down too much with complex workflow processes or request they download desktop software, as they probably have different procedures for each client. Lackadaisical remote workers may try to circumvent these controls.
Documentation
- Security handbook: Do you have a security handbook? Templates are widely available in PDF or .doc formats. Keep your security memos, policy handbook and news and events in a centralized Wiki or online repository for easy access. You could use Dropbox for Business to share documents with your freelancers and keep them off your network completely.
- NDA: Always make a freelancer sign a non-disclosure agreement. You can download one-way and mutual NDA templates from Legal Templates.
Software
- Password control: One of the most important aspects of security, but you won’t know whether your freelancer is using strong passwords at home while working on your confidential projects. Sometimes difficult to enforce with a freelancer, at the very least you can make them aware of it. Suggest they download an open-source password manager like KeePass, “arguably the most trusted password manager invented” according to Hacker Noon.
Collaboration
- Secure mobile messaging: Use secure messaging to communicate with your freelancer. Be aware of the risks in communicating confidential information in emails and messaging apps. Softpedia recently reported the case of a WhatsApp user finding that “when setting up WhatsApp on a new device using a new phone number, the full message archive of the previous owner was restored on the phone.” At the time of writing, WhatsApp had not responded to what seems to be (another) bug in the software. Make Tech Easier has reviewed a number of alternatives, including apps that allow you to schedule message self-destructs.
- Web collaboration: Use Trello to track the progress of multiple users on big projects.
- Online group training: Involve your freelancer in online training with other employees. Remote workers benefit from being included in a team so they can keep abreast of developments at an organization, get to know their colleagues and freely exchange knowledge. It will also make them more amenable to following company security best practices. From Apache: “OpenMeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming.” Totally free.
Access Control
- VPN: Remote workers should always work through a Virtual Private Network (VPN) on all their devices.
- Data access: Configure strict role-based access controls to your data (the “least privilege” protocol) and make sure your freelancer only has access to the information they need to do the job. Set up a sandpit environment for freelancers documenting your system to explore products. Remove all access privileges from the freelancer when the project ends.
- Two-factor authentication: If your freelancer needs to access your network, make sure you use 2FA. One common form of 2FA is when, after entering their password, a code is sent to their cell phone to verify their credentials.
Keeping It Simple
- Isolate tasks: Break jobs down into small chunks which can be secured on completion so that if a remote worker’s device is breached, less data is compromised.
- Be sensitive about your freelancer’s own security issues: Freelancers don’t know if the job they’ve landed on Fiverr or Upwork is genuine or a ploy to trap and attack them. Neither do they know if genuine client has sloppy security, sending them documents riddled with viruses or giving them access to a network you are not aware is compromised. Send them the complete guide to freelancer security from InfoSec Institute: Be cybersecure when working remotely.
- Make security awareness fun: More organizations are beginning to realize the value of games to reinforce security awareness training.
In Conclusion: DO You Need to Educate Freelancers About Security Awareness?
Yes.
A global Cisco study found that although remote workers claimed to be aware of security issues (66 percent in the U.S.), their behavior indicated they did not necessarily know how to practice good security. For instance, 30 percent of the workers surveyed said they used their client’s computer for personal use and 43 percent of global workers surveyed admitted to online shopping on work computers for the reason that they would never have the time to get personal things done if they didn’t do them at work.
By choice, freelancers tend to prefer to work alone. It is important to be sensitive to their needs and integrate them into your security culture with as little effort needed on their part as possible.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Sources
- 6 security tips for freelancers, Kaspersky
- MalwareHuntTeam, Twitter
- Imation security survey, Imation
- 2018 Mobile Security Report, iPass
- WhatsApp fixes bug that let hackers take over app when answering a video call, ZDNet
- Cuberdom spots security breach in 3 banking apps, New Indian Express
- 3 ways to use Dropbox for Business to work smarter with freelancers, Dropbox
- Creating Non-Disclosure and Confidentiality Agreements, Legal Templates.net
- The Best Password Manager for You, Hacker Noon
- Possible Bug in WhatsApp May Provide Others With Access to All Your Messages, Softpedia
- 10 Alternatives to Whatsapp that Actually Respect Your Privacy, Made Tech Easier
- OpenMeetings, Apache
- Security Awareness Games, University of Adelaide
- Understanding Remote Worker Security: A Survey of User Awareness vs. Behavior, Cisco
In this Series
- If You Use Freelancers, Do You Need to Educate Them About Security Awareness?
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness