Working with freelancers has long become a routine for many managers. Even in a large organization, not all tasks can be solved within the team, not to mention small businesses, who usually cannot afford hiring an additional employee. But connecting an outsider to the digital workflow can introduce additional cyber risks, especially when you work with a person directly without an intermediary agency.
Dangers in incoming e-mail
You should start thinking about potential threats when searching for the right freelancer. It is unlikely that you will hire someone without looking at their portfolio. A freelancer can send you a document, an archive with set of works, or a link to a third-party site, and you probably will be forced to follow the link or open the file. But in fact, almost anything can be in that file or site.
Researchers regularly discover vulnerabilities in browsers or office suites. More than once attackers have managed to seize control of corporate computers by inserting malicious scripts into a text document or by embedding an exploit pack in website code. But sometimes such tricks may not be necessary. Some employees are ready to click on a received file without looking at the extension and launch an executable.
Keep in mind that an attacker can show an absolutely normal portfolio (not necessarily with their own works) and send a malicious file later as a result of a task. Furthermore, someone can take control of a freelancer’s computer or mailbox and use them to attack your company. After all, no one knows how their device or account is protected and your IT security has no control over what is happening there. You should not consider received files as trusted even if they came from a freelancer with whom you have been working for years.
Countermeasures
If you need to work with documents created outside of the company infrastructure, maintaining digital hygiene is of the utmost importance. All employees should be aware of the relevant cyberthreats, so it is worth to raise their level of security awareness. In addition, we can give some practical advice:
- Set strict rules for document exchange, inform freelancers, and do not open files if they do not comply with these rules. Self-extracting archive? No thanks. An archive with a password that is specified in the same letter? This may only be needed to bypass e-mail antimalware filters.
- Dedicate a separate computer, isolated from the rest of the network, or a virtual machine to work with files from external sources, or at least check them. This way you can significantly reduce any potential damage in the event of an infection.
- Be sure to equip this computer or virtual machine with the security solution to block the exploitation of vulnerabilities or clicking on a link to a malicious website.
Access rights
Let’s assume that you found the needed external specialist. To collaborate on a project, freelancers often get access to the company’s digital systems: file sharing platforms, project management systems, conferencing services, internal messengers, cloud services, and so on. Here you must avoid two mistakes — do not give the freelancer excessive rights and do not forget to revoke access after the work is completed.
When it comes to granting rights, it’s best to follow the principle of least privilege. A freelancer should only have access to those resources that are needed for the current project. Unlimited access to file storage or even chat histories with can pose a threat. Do not underestimate the information stored even in auxiliary services. According to media reports, the Twitter hack of 2020 began when attackers got access into the organization’s internal chat. There, using social engineering methods, they were able to convince a company employee to give them access to dozens of accounts.
Revocation of rights after the end of the project is also not a formality. We are not saying that having completed the work, the freelancer will necessarily begin to hack your project management system. The very existence of an additional account with access to corporate data is not a good thing. What if the freelancer set a weak password or reused the password from their other accounts? In the event of a leak, there’s an additional point of vulnerability in your corporate network.
Countermeasures
The most important thing is to delete or deactivate the freelancer account after the end of the employment relationship. Or at the very least, change the associated mail and password — this may be required in systems that delete all data associated with account. In addition, we recommend:
- Keeping a centralized record of who has access to which services. On the one hand, this will help you revoke all rights after the end of the project, and on the other hand, it can be useful when investigating an incident.
- Requiring contractors to maintain good digital hygiene and use security solutions (at least free ones) on the devices they use to connect to company resources.
- Enforcing two-factor authentication in all cloud systems wherever possible.
- Setting up a separate infrastructure for the freelancers’ and subcontractors’ projects and files, if possible.
- Scanning all files uploaded to the cloud storage or corporate server for malware.