In a world where remote working, hybrid workforces and tapping into gig economy by hiring freelancers is becoming increasingly commonplace, organizations stand to benefit on a variety of fronts by hiring freelance consultants– right from saving costs on significant projects to collaborating with freelancers on flexible schedules without having to on-board expensive, in-house personnel.
Here’s where the risks of data security, confidentiality and information privacy need to be addressed. Technically, freelancers are external resources hired typically through online freelance platforms and brought into the organizational fold for a temporary duration, and firms have to ensure they have the necessary procedures and protocols in place to guide freelancers.
Here are five steps to execute this, and keep your data secure whilst integrating/hiring freelancers for your projects.
Clarity at Company level
In an increasingly data-driven world, a firm must have the right data management techniques and a clear objective towards execution. This includes questions such as – where the data comes from and how, what this data is used for, and why.
This is essential because of GDPR norms as well, imposing strict security requirements on those who direct and carry out the processing of sensitive customer data. Firms are mandated to implement and follow several protocols, especially those related to determining data controllers and data processors. While the former is an entity that defines the reasons and objectives of processing personal information, the latter is any entity that executes the processing of data on behalf of the controller.
However, companies often apply policies only to their employees and forget about it whilst hiring freelancers. They seem to assume that freelancers do not fit into these definitions. But data security is related to work performance and the level of access one has to data systems, not to the working relationship one has with the company.
For instance, if you hire a freelance medical or life sciences professional from platforms such as Kolabtree, Upwork, etc., to provide you with insights on medical data your firm has collected, ensuring a secure workspace is quite crucial. Most of this is, in fact, covered by these websites themselves. Kolabtree, for instance, offers a foolproof confidential workspace to collaborate with independent scientific consultants, letting you sign customized NDAs before you start working.
This is due to the fact that, even though the hired medical professional does not represent your firm, you still have the responsibility to protect the medical data of thousands of people which the hired freelancer is now privy to. Having stringent T&C, custom agreements, and NDAs might help in this scenario. Creating restrictive access to the data system and creating system flags for any unscrupulous transfer of data is another way to protect the confidentiality of data.
Further, data can generally be organized into five categories: Sensitive, confidential, private, proprietary, and public. This categorization will aid the firm to decide the intensity and number of layers of security to be laid down to prevent data distortion and leakage of data. It will also help in defining job roles better and in also determining the worker’s involvement with data and the level of access they would need.
Through this method, if any unauthorized user tries to access data at a level they are not permitted to, the system will send an alert or ask the user to seek system permission from anyone who has authority to access data at that level. Additionally, these policies and rules for data security should remain attached to that job role, thus, no matter who fulfills the job, employee or freelancer, the system and SOP to be followed remains unchanged.
The data agreements and security training that needs to be given to the person performing the job will also remain the same.
Educating and Training Freelancers
Like employees of the firm, freelancers too should undergo mandatory data security training. Provide them with an orientation toward your organization’s security practices and procedures. Educate them with information that will help them avoid human errors and poor judgment calls that can expose internal data systems to potential hackers.
Basic standard operating procedures, which are simple yet best practices for data protection, have to be revised during their onboarding process. Freelancers usually use their own tools and system to provide services; however, they will have access to the data of your firm. Hence, teaching them the importance of the use of the internet on a computer with antivirus, antimalware, and firewall software installed will go a long way towards ensuring data security.
Additionally, the use of such antivirus software ensures that all files uploaded from USB drivers and those downloaded from emails also get scanned, eliminating potential security threats. Freelancers work in their own time, place, and pace. There might be times when they will have to work on a public network – in a café, during their commute, at a restaurant, hotel, or elsewhere. Ask them to use VPNs in such scenarios. Better yet is to ask them to use mobile hotspots when working in public spaces as one of the modus operandi hackers is to use the names of public Wi-Fi hotspots to set up clone networks for eavesdropping purposes. And, if a connection is approved, they have unlimited access to data on their device.
No matter how careful one is, no approach guarantees 100% risk aversion. Therefore, in case data confidentiality has been unintentionally compromised, imparting the protocols that need to be followed by freelancers to alert the firm is also essential. Freelancers should be informed about the grievance redressal and risk management team of the firm and how to access them when needed.
As freelancers use their personal devices to carry out work, it is difficult to check and enforce if they are using strong passwords. An excellent practice before hiring freelancers would be to ask them to download a password manager, ensuring that the user creates a strong password and that it is changed periodically. This approach will guarantee that your data is secure when the freelancer works on a confidential project.
Since their devices will be carrying your firm’s data, preparing freelancers against potential phishing attempts forms also a vital part of readying them to work for your firm. Ask them to enable the anti-phishing feature of the antivirus software they have or install Chrome extensions to help protect you against phishing attempts. Warn them against opening any link sent by an unknown third party via email or IM.
And say, even if at first such links looked authentic, they need to be mindful of avoiding entering sensitive information on websites accessed through such links unless they are absolutely sure that data is safe. Also, they should be taught that, if possible, it is better to manually type the website URL in the browser instead of clicking a link. Another important lesson to be imparted is that freelancers need to assess if the URL is correct or if it is a modified version of the actual website acting like an imposter. Additionally, with key websites that require a login, they need to pay careful attention to ensure that there is a padlock in the browser bar to secure the site seal.
Extensive Screening before Hiring Freelancers
Vetting freelancers is an important step toward securing data handled by your firm. Although platforms like Kolabtree run extensive background checks and vet scientists thoroughly before they sign up onto the platform, a secondary check from the firm’s side before hiring freelancers would not go amiss.
At times, freelancers can be a bit lacking when it comes to data management and utilization. Run thorough background checks and interview them properly to assess if they have the ability and skills to handle data responsibly. Background checks could include looking at any complaints or bad reviews they have received in the past from clients over freelancing platforms. You can also ask them to give references to past clients where they performed similar roles, and inquire about their work ethic and caliber relevant to handling data.
Further, during the interview, you can ask them to give relevant examples of their previous projects. Here, probe more into how they received the data, what they were required to do with it, what was their process and procedure of working with data, and the steps they took to ensure the safety of data. This approach will help you understand and decide if the freelancer meets the standard you are searching for to match the sensitivities of the work.
Another reason for thorough checks is to prevent potential hackers and blackmailers from joining the firm. Posing as a freelancer gives them a perfect cover to breach into internal security of the firm and bring the whole system down. The firm essentially puts itself in a vulnerable position when it hires freelancers who would have the privilege of accessing sensitive data you own.
An Imation survey of remote workers from the UK and Germany found that, at times, it might be highly difficult to ascertain the authenticity of a freelancer as hackers and blackmailers steal their identity. In 2017, 16.7 million people suffered from identity fraud, and these stolen identities defrauded people out of $ 16.8 billion as per research from Javelin Strategy & Research.
Identity fraud is a huge issue amongst freelancers as all the information is available online, someone can quickly search for them, steal their identity, and use it to give him/herself major leverage when dealing with clients. This makes it imperative that intensive identity checks and verifications are part of your firm’s hiring policy.
Improving and upgrading cybersecurity
Firms are usually engaged in transferring and receiving highly sensitive data on high frequency to and from freelancers. Hence, the firm has to ensure that the CIA triad i.e. Confidentiality, Integrity, and Availability, are fulfilled for information security, especially whilst hiring freelancers.
This is a common model that has formed the foundation for the development of security systems. It is used for searching for vulnerabilities and for devising methods for creating solutions to the potential risk of data leakage and misuse. Confidentiality involves the organization directing efforts to ensure data is kept secret or private. Integrity includes maintaining data’s authenticity, accuracy, and reliability. It also involves making sure that data is trustworthy and free from tampering. Availability means systems, networks, and applications must be functioning as they should and when they should. Data is often useless unless it is available to those in the organization and the customers they serve.
There are various methods to achieve the triad, cryptography being one of them. Cryptography utilizes blockchain security for data integrity and security. It randomizes the data using an encryption key making it incomprehensible to a hacker or unintended receiver. Only the person i.e., the intended receiver of data who has access to the decryption key, will be able to view, understand and use the data.
Similarly, hashing is another method used for data confidentiality. This method uses a hash algorithm to encrypt the data and makes its location untraceable. Anyone, ideally a data controller, with access to key-value pairs only can decipher and utilize the data. The use of a digital signature is another simple yet smart protection of sensitive information of the firm. In this method, the sender sends two documents- message/data and signature. The authenticity of data is verified when the recipient applies a verification technique that includes a combination of the message and the signature.
Teaching freelancers to ensure that apps and software on their devices are regularly up to date is another important lesson. Regular updating enhances the security of data within the devices. Failing to regularly update and patch security devices, applications, operating systems, and software can leave a freelancer susceptible to security gaps that might have been unaddressed in the previous iteration. Additionally, it educates the user about renewed terms and conditions, the basis on which a freelancer can take a call if an app or software is safe to use or not. Again, freelancers must be told to be cautious of fake update alerts sent by hackers to dupe them into downloading infected files.
Encrypting data is another useful way of completing the CIA triad. The Imitation survey of remote workers from the UK and Germany found that only 36 percent of them encrypted data. Hence, a good practice would be to guide the hired freelancers to download encryption software to secure data stored in their devices in case they cannot have access to your enterprise’s security solutions. Data security via this method is guaranteed as if any part of the network gets compromised then the encrypted data will be deemed useless, thus it will remain safe.
Implementing two-factor authentication (2FA) also helps in achieving the CIA triad. It is a two-step verification process in which the user has to provide two different authentication factors to prove they are who they claim to be. For example, the first layer of authentication could be entering login credentials, which can be easily stolen. So, the second layer of authentication could be to enter OTP sent to a registered mobile number or an email address, answer a security question, etc. This method protects the credentials of a user and the resources he/she has access to in a better manner.
Finally, periodic checks on testing and strengthening the firewall is required. Run trials to examine how easy or difficult it is for firewalls of your companies to be breached. Take necessary steps to update the firewall and ready it for any future attacks. Conducting such experiments in a controlled environment will go a long way to keeping the forts of your company intact.
Another good practice for data security is to use secure messaging apps to communicate with freelancers. As per a report by Softpedia, when a user downloaded WhatsApp on a new phone using a new phone number, he saw that all messages from the previous owner of the number were restored to his device. Use of slack, Microsoft teams, and signal are safer bets to keep in contact with your freelancers. Further, tools like Trello can come to your rescue if you want to track the progress of multiple users on big projects. Trello is a visual tool that gives you a bird’s eye view of the type of project running, workflow, or tasks getting executed and assures complete data safety.
Contingency Plan whilst Hiring Freelancers
No plan or method is exhaustively fail proof enough to prevent a breach. Therefore, having the foresight to devise a contingency plan before hiring freelancers is vital. It prepares your firm for the worst-case scenario, not just saving your company’s reputation but also keeping it from losing millions of dollars for violations of compliance. As per the Imation survey referenced throughout this article, 40 percent of people had lost or had their device stolen or knew someone who had. This means that you could easily be held responsible for the actions of a freelancer associated with your firm.
Therefore an emergency plan when hiring freelancers can help ensure your firm has its resources ready and has a set of instructions to be followed for sealing the breach and be prepared for what comes next, whether that is getting legal assistance, having insurance policies, data recovery plans, or notifying any partners of the issue. Having a P R response ready will be the firm’s saving grace in such situations, since the firm is accountable and answerable to the public and government. A well-balanced and dynamic response is a non-negotiable step that a firm has to take during such unfortunate fiascos.