Today’s employment landscape is dramatically different than it was even a few years ago, thanks in great part to the increasing popularity of freelancing. This form of employment offers immense freedom of choice and work-life balance for employees, and businesses that employ freelancers enjoy significant savings on benefits like paid time off, health insurance and retirement plans.
The popularity of freelancing has dramatically increased in the past few years, as research from Upwork indicates. Their Freelancing in America report from 2017 reveals some startling insights about the continued boom in freelance work, including these striking highlights:
- Nearly half of all Millennials in the workforce are freelancers already.
- 36 percent of American workers are freelancing, contributing $1.4 trillion annually to the economy.
- The freelance workforce is growing faster than the overall workforce and is expected to become the majority by 2027.
With benefits for both workers and the businesses that contract them, there will be no stopping the freelance frenzy anytime soon. However, in their quest to capitalize on this growing trend, organizations all too often overlook one critical thing — data security. Understanding the vulnerabilities freelancers introduce to your business as well as the rules and regulations surrounding freelancer security is vital to safely taking advantage of the freelance economy.
Is Freelancing a Security Threat?
While building a roster of freelancers can free up funds and increase productivity for your organization, it can also expose your data to unnecessary vulnerabilities. In general, freelancers are viewed as a threat to data security. An iPass survey of 500 IT decision-makers in the U.S., U.K., Germany and France showed that more than half of CIOs suspect that mobile workers have caused a problem with security or been hacked within the past year.
Given that remote work is one of the biggest perks of freelancing, this statistic is deeply troubling. Let’s look at the top three ways freelancers can compromise your organization’s data.
1. Personal Devices
It’s not always financially feasible for organizations to provide even their full-time employees with company-owned devices, let alone to offer them to freelancers. This means that freelance workers are often using their personal smartphones, tablets and computers to handle any data they have access to.
The mixing of personal and company data on any given device means a portion of your organization’s information is at the mercy of a freelancer’s whims. If they decide to download a sketchy app on their lunch break, any malware it carries will be able to target the worker’s information and your company’s in one fell swoop.
2. Public Networks
The idyllic stereotype of the coffee shop as an office is a reality for many freelancers, and that means using whatever public network is available. In the iPass study, 27 percent of respondents reported that their company bans the use of free WiFi hotspots at all times, while 40 percent ban free WiFi under certain circumstances.
Companies that don’t have a policy regarding public networks or don’t ensure freelancers adhere to an existing policy are overlooking a significant security risk. There may not be a hoodie-clad hacker lurking in every coffee shop corner, but handling any company information over a public network is simply bad practice.
Companies are becoming savvier when it comes to enforcing secure connections for remote workers. iPass reports that in 2016, only 26 percent of enterprises expressed full confidence that remote workers used a virtual private network (VPN) every time they accessed the internet. In 2018, the figure was a much-improved 46 percent. However, that means more than half of businesses are still neglecting the danger posed by public networks.
3. Lack of Training
Cybersecurity training is a crucial line of defense that most companies don’t implement even for their full-time employees. Only 45 percent of organizations have security awareness training that all employees must complete, leaving well over half of businesses without comprehensive programs that could prevent a costly data breach.
Because freelancers often work remotely, they rarely receive the same level of training as their on-site peers when working with an organization. In many cases, businesses don’t require freelancers to participate in formal training but expect them to uphold compliance on their own. Without safeguards like VPNs and strict policies in place, a business can’t know whether a freelancer is actually aware of best data security practices.
Regulations for Freelancer Security
Regulatory compliance is a critical element in any business, and tightening protections for private data are highlighting some of the risks associated with hiring freelancers. Businesses that operate in the U.S., Europe or both are facing higher scrutiny and a need to improve freelancer management to remain compliant with new privacy laws.
1. U.S. Data Privacy Laws
The United States doesn’t have one single federal law that governs data privacy. Instead, a patchwork of regulations covering different industries and entities gives businesses a complicated security landscape to navigate. The Health Insurance Portability and Accountability Act (HIPAA) is the most well-known data protection regulation, applicable to certain entities and particular types of health-related data.
New data privacy measures focus on broad consumer data. The California Consumer Privacy Act (CCPA) of 2018 will become enforceable in 2020, and it imposes some of the most stringent data protections in the nation. It will guarantee consumers’ rights to:
- Know what data organizations collect about them
- Opt out of data sales to third parties
- Access and download data collected about them
- Transfer their data to a different service
- Delete their data
The law also allows consumers to sue companies in the event of a data breach. If a company is found to be non-compliant with the new law, California’s attorney general will levy fines against the offending organization.
Other U.S. states are following California’s lead and enacting new data protection laws to restrict what companies can do with consumer information. Vermont became the first state to enact regulations on data brokers. Alabama and South Dakota became the last states to implement data breach notification laws. Arizona, Colorado, Oregon and Virginia expanded the definition of personal information, while New Jersey and Rhode Island are planning to implement laws similar to the CCPA.
2. European Data Privacy Laws
Implemented in May 2018, the General Data Protection Regulation (GDPR) is the strictest privacy law in the world. It applies to any business that holds the data of any individual residing in any of the 28 countries of the European Union (EU). The legislation applies to two types of data-handlers — processors and controllers.
According to Article 4 of the GDPR, a controller is a person, public authority or organization that “determines the purposes and means of processing of personal data.” A processor is an entity that processes personal data on the controller’s behalf.
Personal data includes any information that relates to a particular individual. This can be anything from a name or location data to other factors “specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of a person. This extremely broad definition of data means that almost any kind of data is regulated under the GDPR. There are eight basic rights people have under this law:
- Right to access: People can request access to their data and find out how organizations gathered it. If a consumer wants a copy of the data, companies must provide it.
- Right to be forgotten: If consumers withdraw their consent, companies must delete personal data.
- Right to data portability: People are allowed to move their data from one service provider to a different one.
- Right to be informed: Companies must inform people before any data is gathered, and individuals must opt in. There is no implied consent under the GDPR.
- Right to correct information: If people find out that their data is incorrect, they have the right to request that it be updated.
- Right to restricted processing: Individuals can request that companies don’t use their data for processing.
- Right to object: People can stop companies from using their data in direct marketing. Companies have to stop as soon as they receive a request.
- Right to be notified: Data breaches must be reported to each affected individual within 72 hours of discovery.
All of this means that your organization’s freelancers have more to keep track of than ever before when it comes to handling data securely. If your freelancers make a mistake that leads to a data breach, your company could be liable and face heavy fines. Breaking the GDPR comes with two levels of consequences.
The lower level of fines will see businesses lose up to €10 million or 2 percent of the company’s worldwide revenue. If a company triggers the upper level of fines, the business must pay up to €20 million or 4 percent of its worldwide revenue from the prior year. With stakes this high, no organization can afford to overlook the relationship between data security and freelancers.
The Road to Security: What Is the Next Step?
The risks inherent in working with freelancers shouldn’t scare you off of hiring them entirely. Taking appropriate steps to mitigate risk and manage data security will go a long way toward ensuring regulatory compliance while still allowing your business to take advantage of this workforce trend. Here are five steps to take before bringing on your next batch of freelancers.
1. Offer Comprehensive Training
Freelancers should already have plans in place to ensure compliance with all applicable regulations. However, your company should provide at least some training during onboarding to make sure you’re both on the same page when it comes to expectations. If you have a security handbook, make sure freelancers have access to it, too.
Offering training is a smart way to bolster compliance while letting your freelancers know that you take them seriously and want them to succeed in your partnership.
2. Implement Access Controls
To make sure no one sees or handles data they don’t need to, start by putting data access controls in place. Create role-based access, and ensure there’s a system in place to quickly remove access privileges when a project ends or access is otherwise terminated. A “least privilege” approach, in which every individual in the company only has access to the data they need, is crucial.
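One way to run the access review this step describes, as an added example that is not part of the original article. The role names, resource labels and grant records are constructed for illustration; a real review would read them from your identity provider or access logs.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role model: each role lists the only resources it needs.
ROLE_RESOURCES = {
    "copywriter": {"cms:drafts"},
    "designer": {"cms:drafts", "assets:brand"},
    "bookkeeper": {"finance:invoices"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    resource: str
    project_end: date  # last day the engagement is active

def review_grants(grants, today):
    """Split grants into (revoke, keep); revoke holds (grant, reason) pairs."""
    revoke, keep = [], []
    for g in grants:
        allowed = ROLE_RESOURCES.get(g.role)
        if allowed is None:
            revoke.append((g, "unknown role"))   # fail closed on unmapped roles
        elif g.project_end < today:
            revoke.append((g, "project ended"))  # access outlived the project
        elif g.resource not in allowed:
            revoke.append((g, "outside role"))   # more than the role needs
        else:
            keep.append(g)
    return revoke, keep

# Constructed sample grants for three freelancer accounts.
SAMPLE_GRANTS = [
    Grant("ana", "copywriter", "cms:drafts", date(2024, 9, 30)),
    Grant("ana", "copywriter", "finance:invoices", date(2024, 9, 30)),
    Grant("ben", "designer", "assets:brand", date(2024, 3, 31)),
    Grant("cy", "contractor", "cms:drafts", date(2024, 12, 31)),
]

if __name__ == "__main__":
    revoke, keep = review_grants(SAMPLE_GRANTS, today=date(2024, 6, 1))
    for g, reason in revoke:
        print(f"REVOKE {g.user} {g.resource}: {reason}")
    for g in keep:
        print(f"KEEP   {g.user} {g.resource}")
```

Running the review on a schedule, rather than only at offboarding, catches grants that were never tied to a project end date in the first place.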
3. Uphold a VPN Policy
It’s essential that remote workers and freelancers always access company and consumer data through a VPN. The end-to-end encryption provided by a VPN defends data from would-be hackers and the pitfalls of unsecured network connections. In combination with firewalls and antivirus protection, VPN use is the best way to keep data secure throughout remote access.
4. Implement Device Management
One way to reduce the risks of freelancers using their own devices is to implement a mobile device management (MDM) system. The most important features to have in case of a data breach are remote lock and remote wipe, which allow an organization’s IT team to lock down or erase data if a device is lost or stolen.
The most advanced MDM systems offer granular selective wipe, which can identify and remove only the data belonging to your organization while leaving the freelancer’s personal files intact.
5. Consider Bringing in Experts
If this sounds like a lot to process, you’re not alone. Only 14 percent of small and medium-sized businesses (SMB) rate their ability to mitigate cyber risks and vulnerabilities and fend off cyberattacks as “highly effective.” In many cases, the capabilities of in-house IT teams don’t extend to network and data security. It may be because they lack security-specific training or because their day-to-day duties don’t leave time for adequate enforcement of security measures.
Operating a small business means working with a tight budget, and cybersecurity isn’t an area where any organization can skimp. Managed services like cyber threat detection and log management allow SMBs to get the same level of security enjoyed by large enterprises, without the price tag associated with buying and operating their own equipment.
Ongoing Security Management
Working with freelancers can be risky, and even with data security policies in place, it can be difficult to enforce them efficiently. Without adequate security management that covers the complexities of working with freelancers, companies expose themselves to the massive fines and loss of reputation that come with data breaches.
BlackStratus understands the worry and headache of trying to coordinate and implement data security measures on a budget, which is why we’re proud to offer affordable security management services to SMBs. From initial risk and liability assessment to the deployment of advanced monitoring systems, BlackStratus is ready to get your organization’s data security into shape. With platforms built around multiple types of compliance, you can rest assured knowing that each of our solutions is tailored to all applicable regulations.
Ready to find out more? We’re happy to answer any questions you may have about how our solutions can resolve your organization’s outstanding security issues and prevent new ones from arising. Give us a call at 844-564-7876, or send us a message through our quick and easy contact form. You can even request a demonstration of our platforms to get a clearer understanding of how our services work. You’ll see that better security starts with BlackStratus.