In a recent webcast with Bitwarden, Bjoern Sjut, security expert and founder of Finc3 Marketing Group, detailed 6 cybersecurity guidelines he recommends when working with 3rd-party agencies and freelancers. What follows is a partial summary of that webcast.
Unmanaged user access makes it difficult to understand who has access to what. If a business only controls internal employee access and not freelancer access, it does not have the whole picture. Sjut therefore recommends adding freelancers to your existing identity management solution so they have their own account on your business's domain. This lets you apply additional layers of security to those accounts, for example, requiring 2FA.
“Let's say you are working with an agency and that agency needs Google Adwords access, you would want to control that through the managed identities. We do not want to [assume] they are keeping their own personal account secure.”
Once a freelancer or agency is provided with their own account on an identity management platform, the next step would be to require sign-in with that account. When explaining this concept, Bjoern Sjut used Asana, the task management software, as an example.
“…sometimes these tools [Asana] give you the ability to actually enforce sign-in via Google or Microsoft account. That's really helpful from a security perspective because then we don't need to rely on the other parties keeping their passwords secure.”
This step forces external agencies or freelancers to access company resources only through managed accounts.
“Password managers are super important for us,” says Sjut, “but we always try to avoid sharing passwords.” He adds that he prefers to create named accounts for freelancers wherever possible so that passwords do not need to be shared among colleagues. When passwords must be shared, Finc3 Marketing Group does it within the Bitwarden password manager and groups them in shared collections.
“I think a big advantage of [sharing passwords in Bitwarden] is you can also keep track of who has access to what. It’s much much harder if you don't have a password manager and you have someone say ‘hey, can you give me the password for this?’ and then people hand it over through, worst case, email, SMS, or WhatsApp and it's just not in any way documented. So that’s, for us, a really really high priority.”
One challenge of working with freelancers is that the company cannot manage the devices used to access its resources. With this in mind, Sjut recommends adopting a Bring Your Own Device (BYOD) policy alongside remote device management.
“The device needs to meet certain standards, for example, device encryption and certain security and unlocking standards and if we can't completely manage a device that is owned by the freelancer… we want to make sure a device is completely compliant before it can access resources from the company.”
Finc3 enforces these security policies through a 3rd-party device management solution. In addition to device-level policies, Sjut recommends using the device management solution to manage the specific apps on the device that may hold corporate data.
“If you are living in the Office 365 world, you can also treat certain apps, like PowerPoint, Word, OneDrive, and SharePoint as company apps and manage the information on the device. You can basically wipe company data inside these apps, even if you don't control the whole device.”
If your company's freelancers and agencies use mobile devices to access company data, Sjut advises requiring them to do so through a work profile such as Android for Work. A work profile is managed by an organization's IT department and separates work-affiliated apps and data on a mobile device from personal apps and data. According to Sjut,
“...this is super important if you develop mobile apps for your specific work…. You don't need to force people to sideload these onto the device and activate developer mode. It allows us to do that through a specific app store and push it to the user securely so they don't have to compromise or risk the device by unlocking that developer mode.”
Implementing precise processes when a freelancer joins or leaves a company is crucial for strong cybersecurity. While many password, device, and identity management solutions offer automatic account provisioning and de-provisioning, some processes are still manual.
When offboarding, “you want to review with the employee or the freelancer which accounts they had access to, whether through shared folders, collections, or named accounts so that these can be removed,” says Sjut. He also recommends tracking the process on a board or kanban tool such as Asana.
“Having onboarding and offboarding process management allows us to have at least this feeling that nothing falls through the cracks.”
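The offboarding review Sjut describes can be made systematic. The following added example (not from the webcast, Finc3 or Bitwarden) builds a checklist for a departing freelancer from a constructed access inventory of named accounts and shared password-manager collections, marks every credential in a collection they could see for rotation, and re-checks the inventory afterwards so nothing falls through the cracks. The inventory format and all names are hypothetical.

```python
import copy
from dataclasses import dataclass, field

# Constructed inventory (hypothetical data, not a real export): which named
# accounts each external user has on the company domain, and which shared
# password-manager collections each user is a member of.
NAMED_ACCOUNTS = {
    "jane@example-agency.test": ["Google Ads", "Asana"],
    "bob@example-agency.test": ["Asana"],
}
COLLECTIONS = {
    "Marketing Tools": {"members": {"jane@example-agency.test", "alice@corp.test"},
                        "items": ["Meta Business login", "Newsletter SaaS"]},
    "Finance": {"members": {"alice@corp.test"}, "items": ["Bank portal"]},
}

@dataclass
class OffboardingPlan:
    user: str
    accounts_to_disable: list = field(default_factory=list)
    collections_to_leave: list = field(default_factory=list)
    credentials_to_rotate: list = field(default_factory=list)

def build_offboarding_plan(user, named_accounts=NAMED_ACCOUNTS, collections=COLLECTIONS):
    """List everything the departing user could still reach. Named accounts are
    disabled; for each shared collection they belonged to, they are removed AND
    every credential in it is rotated, since a shared secret they have seen is
    no longer secret once they leave."""
    plan = OffboardingPlan(user=user)
    plan.accounts_to_disable = sorted(named_accounts.get(user, []))
    for name, coll in sorted(collections.items()):
        if user in coll["members"]:
            plan.collections_to_leave.append(name)
            plan.credentials_to_rotate.extend(coll["items"])
    plan.credentials_to_rotate.sort()
    return plan

def apply_plan(plan, named_accounts=NAMED_ACCOUNTS, collections=COLLECTIONS):
    """Return updated copies of the inventory with the user removed (no mutation)."""
    accounts = {u: a for u, a in named_accounts.items() if u != plan.user}
    colls = copy.deepcopy(collections)
    for name in plan.collections_to_leave:
        colls[name]["members"].discard(plan.user)
    return accounts, colls

def residual_access(user, named_accounts, collections):
    """Post-offboarding check: anything the user can still reach (empty = done)."""
    leftovers = [f"account:{a}" for a in named_accounts.get(user, [])]
    leftovers += [f"collection:{n}" for n, c in collections.items() if user in c["members"]]
    return sorted(leftovers)
```

In practice the inventory would be exported from the identity provider and the password manager's organization view; the rotation list is the part a manual review most often misses.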
Want to learn more about securing your company’s 3rd-party agencies and freelancers? Watch the 30-minute webcast and learn other methods for mitigating security risks and keeping your sensitive information secure when working with 3rd-parties.