
It’s increasingly common for companies of all sizes to work with contractors and freelancers on various projects. You might hire a freelancer as part of your development team for content creation, social media management, or a particular technical project.
There are plenty of benefits to working with these professionals. For example, you gain access to a wider talent pool when you’re willing to work with freelancers. You can fill very specific skill sets, and you can reduce your overhead.
One of the potential downsides, however, can be how you manage their access to your sensitive information and data.
When you have employees, even when they’re working remotely, with an identity and access management (IAM) strategy in place, you can track who’s doing what and where they’re doing it. It can be a bit trickier with freelancers and contractors.
The following are things to know about cybersecurity and particularly providing access to workers who aren’t officially employees.
7 Cybersecurity Tips When You Work with Contractors and Freelancers
1. Bad Security Practices
Before you hire a freelancer and share anything with them, knowing what not to do can be as important as knowing what to do.
For example, as we touch on below, don’t give your login credentials to a freelancer. Make sure that multiple people within your organization don’t share the same credentials either, because if there is an incident, you won’t know who’s responsible.
Don’t post any sensitive information in chats or workstreams unless you have to provide temporary logins.
2. Categorize Projects by Level of Security
Before you ever share any data with a freelancer, you need to create different security levels and have standardized protocols in place. Then, once you have protocols, you and all of your team members will have a basis for how you share data.
You might break projects into different levels of security designations, for example.
These could include categories like sensitive, confidential, private, and public.
Then, based on the labeling of each project, your team will know the process for sharing within internal teams, over company networks, to remote teams, and to freelancers and contractors.
If you have work with exposure to very sensitive data and information, you might consider creating a separation of duties.
When it comes to sharing customer information with freelancers, you have to be even more cautious. Around 70% of all cyberattacks target small businesses, and you need to remember these risks as you’re sharing any customer information with freelancers. Limit what you share as much as you can.
Don’t share personal details of your customers with a freelancer no matter what. In fact, in some parts of the U.S. and the EU, it’s illegal to do so.
3. Don’t Give Out Your Primary Account Information
The biggest thing to remember when working with freelancers is that you shouldn’t give out your credentials or the credentials of anyone who’s high-level in your business. You can grant permission to access systems in other ways. Even if the person requires top-level access, you can still provide that without giving them yours.
If you give away your account information and it’s the primary set of credentials, the system will use it to verify ownership. You’re essentially turning over ownership.
Instead, you should customize the access that each freelancer can have.
Just as you do with your other employees, you need to follow the concept of least privilege access. Be careful that you’re giving freelancers and contractors only what they need to do the job at hand and nothing more.
Some tools allow you to create login details for freelancers and give them specific access to tools and apps. Then, when they finish their work, you can remove them quickly and easily.
4. Hire Freelancers Who Work Using a Secure Connection
Before you hire anyone, you should ask them whether or not they use a secure connection. Of course, you may not be able to verify this, but it’s at least something you should check into. Otherwise, if you’re working with someone who’s using public Wi-Fi or some other unsecured connection, all of your data is at risk.
5. File Sharing
When sharing files with freelancers, it’s best to have a long-term relationship with them before doing so. If you share anything with them on a free cloud storage platform like Google Drive, make sure to revoke access as soon as they complete their project.
If you’re sharing very sensitive files, you should use a secure file-sharing platform with enterprise-level security such as firewalls, data encryption, and user usage controls.
6. Be Very Careful About WordPress Admin Privileges
Freelancers will often work in your WordPress site, and you should keep in mind that if you give them administrator roles, they can do anything on the site. Ideally, only you should have this role.
If someone is fixing a bug or building a site, they will need Administrator access, but as soon as the person is done, you should restrict their access. You can always reinstate access if they work on something in the future.
If you have a Multisite Network, there’s another access level called Super Admin. You shouldn’t give this to anyone unless you have absolutely no other choice. Super Admins can delete entire sites and they can make changes that will affect the whole network.
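One way to run the review this section describes, as an added example that is not part of the original article: it takes the administrator and Super Admin lists exported with WP-CLI, compares them with a contractor roster, and prints the role changes to make without executing them. The file names, logins, dates, the `owner` account and the `subscriber` fallback role are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Logins, dates, file names and
# the "subscriber" fallback role are assumptions made for illustration.
#
# On a live site the inputs would come from WP-CLI:
#   wp user list --role=administrator --field=user_login > admins.txt
#   wp super-admin list > superadmins.txt        (Multisite only)

# plan_downgrades ADMINS ROSTER TODAY
#   ADMINS: one administrator login per line
#   ROSTER: "login,project_end" lines, dates as YYYY-MM-DD
# Prints a `wp user set-role` command for every contractor whose project has
# ended but who still holds Administrator. Nothing is executed here.
plan_downgrades() {
  awk -F, -v today="$3" '
    FILENAME == ARGV[1] { end[$1] = $2; next }   # first file: the roster
    ($1 in end) && (end[$1] "") < (today "") {   # ISO dates compare as strings
      printf "wp user set-role %s subscriber\n", $1
    }' "$2" "$1"
}

# extra_super_admins SUPERADMINS OWNER
# Prints a `wp super-admin remove` command for every Super Admin except OWNER.
extra_super_admins() {
  awk -v owner="$2" 'NF && $1 != owner { print "wp super-admin remove " $1 }' "$1"
}

# Constructed sample data: one finished contractor, one still active.
demo() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' owner jdoe_dev asmith_seo > "$dir/admins.txt"
  printf '%s\n' 'jdoe_dev,2024-03-31' 'asmith_seo,2024-12-31' > "$dir/roster.csv"
  printf '%s\n' owner jdoe_dev > "$dir/superadmins.txt"
  plan_downgrades "$dir/admins.txt" "$dir/roster.csv" 2024-06-01
  extra_super_admins "$dir/superadmins.txt" owner
  rm -rf "$dir"
}
demo
```

Review the printed commands before running them; access can be reinstated later with another `wp user set-role` call if the contractor returns.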
7. NDAs and Agreements
Finally, when you work with freelancers and contractors on any basis, before you share anything with them, they should sign a non-disclosure agreement and a data privacy agreement. You shouldn’t ever view the sharing of anything as not important enough for this. Before you even discuss the details of the job, you should have freelancers sign these agreements.
An NDA is a legally binding document where both parties agree to confidentiality for a period of time.
There aren’t a lot of opportunities to enforce these, particularly if you have an NDA with someone outside of the U.S., but still, at least you’ll be able to show you made a reasonable effort to protect data.
If you don’t use a data privacy agreement, you might be violating laws in the U.S. and EU, so this is a big one.