Information security: The implications for contractors
As a contractor or freelancer in the so-called “gig economy”, your security responsibilities are almost twofold when it comes to information security and protecting your data.
While working in an office environment offers workers a good level of ‘always-on’ security – achieved through IT security policies, IT support and security systems such as a managed firewall – for freelancers and contractors, this level of support or security preparedness is something that needs to be self-imposed.
This, however, can be somewhat challenging. On one hand, you want to protect your own information and ensure that any technology, software or services you use to do your job are secure, available and uninterrupted. On the other hand, you also want to be sure that you don’t cause any sort of security breach for your client. If you have access to their network, or if you are simply exchanging emails about a project, you don’t want that to be the vector through which an information security breach occurs.
So if you’re a freelancer or contractor, how can you secure yourself and, in turn, avoid putting your clients at risk? Aura Information Security, a cyber security consultancy that is part of Kordia New Zealand, recommends that all workers take the same approach, regardless of whether they work from home or in an office – that is, approaching your device/online service use with a ‘security mindset’.
Here, Aura Information Security shares its top tips on adopting a security mindset for freelancers and contractors.
Adopting a ‘security mindset’
This has nothing to do with security software, but it is perhaps one of the key ways you can look after your own work needs, as well as those of your clients. Having a security mindset is about front-footing information security before it becomes an issue.
Here are just some of the ways you can do this:
1. Keep up-to-date on the threats and tactics used by attackers:
Online threats evolve at a rapid pace, with cybercriminals coming up with new attack techniques on a near-weekly basis. CERT NZ monitors the latest attack methods and threats facing New Zealand businesses and individuals and provides regular updates. Sign up to receive live updates on their website: https://www.cert.govt.nz/businesses-and-individuals/ or follow them on Twitter @CERT_NZ.
2. Update your software regularly:
It’s important to ensure that software on all devices has the latest updates installed. This applies to everything you use in the execution of your work (laptop, smartphone, tablet, home PC etc.).
3. Follow password best-practice:
Ensuring your devices are password protected is crucial, especially if you’re working with sensitive content across a number of different clients.
• Choose wisely: These days, it is length, not complexity, which makes a good password. Try to choose longer words that aren’t predictable or easy to guess.
• Don’t reuse passwords.
• Use two-factor authentication if it is available.
• Never disclose your password or credentials.
Another option, if you’ve got more passwords than you can shake a stick at, is to use a password manager. A good password manager, which is essentially a vault that stores all your passwords in one place and is protected by a master password, will help to make the task of setting strong, different passwords for multiple accounts far easier. These password managers rely on you setting a very strong master password, so Aura recommends using a ‘passphrase’ as this master password – that is, a sequence of four or five words. There are lots of password manager options out there, ranging from online solutions such as 1Password or LastPass, to the more technical solutions such as KeePass. Most solutions provide mobile apps as well, so you can manage your passwords on your iOS or Android devices too.
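The passphrase advice above can be checked with a little arithmetic. The following is an added example, not part of Aura's article: it picks words with the operating system's secure random source and compares the guessing entropy of a four- or five-word passphrase with that of a short random "complex" password. The word list, the 7,776-word list size and the function names are assumptions made for illustration, and the figures only hold when the words are chosen at random rather than by you.

```python
import math
import secrets
import string

# Constructed sample list, for demonstration only. A real generator should load
# a large published word list (7,776 words is the size of a five-dice list).
SAMPLE_WORDS = [
    "anchor", "breeze", "candle", "drift", "ember", "fable", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pebble",
]

# Letters, digits and punctuation: the alphabet of a typical "complex" password.
COMPLEX_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words, count=5, sep=" "):
    """Return `count` words drawn uniformly at random from `words`."""
    unique = sorted(set(words))
    if count < 1 or len(unique) < 2:
        raise ValueError("need at least one word and a list of two or more words")
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable here.
    return sep.join(secrets.choice(unique) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` words, each drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy of `length` characters, each drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def compare(list_size=7776):
    """Bits of entropy for the options discussed in the text."""
    return {
        "4 random words": round(passphrase_entropy_bits(list_size, 4), 1),
        "5 random words": round(passphrase_entropy_bits(list_size, 5), 1),
        "8 random complex chars": round(
            password_entropy_bits(len(COMPLEX_ALPHABET), 8), 1),
        "5 words, tiny sample list": round(
            passphrase_entropy_bits(len(set(SAMPLE_WORDS)), 5), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for label, bits in compare().items():
        print(f"{label}: {bits} bits")
```

The last row shows why the size of the word list matters as much as the number of words: five words from a 16-word list give only 20 bits.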
4. Send confidential information securely
Where confidential information is concerned, basic rules apply whether it is digital information or hard copy. Treat it like you would your own private data. Breaches can occur through carelessness and you have a duty of care when dealing with confidential information.
Smartphones and applications are a particular area of concern in relation to this. Many of these tap into information stored on your phone, like your contact details, GPS details, and emails.
Fortunately, there are options to improve email security. Most of them involve password protecting the file and sending the password through a separate channel.
• Word and Excel have password protection built in – File, Save As, Tools, General Options.
• 7-Zip (available via Activate) creates password protected files that can be opened by most people.
The most secure channel to provide the password is voice; however, there are other acceptable options, including:
• Privnote is a web service that creates self-destructing URLs that can be used to exchange information.
• Sending the password via SMS. This has some risk, as frequently the email and SMS are on the same device.
5. Be aware of your clients’ security measures
While being aware of your own security is important, it’s also important to be aware of the security measures that clients you work with have in place. If their systems are subpar, it could cause a security-related issue for you. That might be disruptive if, for example, malware gets on your machine, or it could cause potential losses if, for example, a keylogger is installed via a Trojan that has come in through an insecure network.
While there is little you can do in terms of beefing up your client’s security, you can ensure your own protection through proactive and robust security awareness.
Article supplied by Aura Information Security.