Cybersecurity is a challenge for organizations of all structures and workers of all types. In today’s highly connected world, managing security is akin to rolling a boulder up a mountain — and that’s when everyone works in-house and uses devices that conform to a strict set of security standards. In the gig economy, Sisyphus pushes 55 million boulders up that same mountain.
According to the Bureau of Labor, 36% of all workers now participate in the gig economy. These figures wouldn’t be possible without the technology that enables it, usually a smartphone and unlimited mobile data. At the same time, the DIY-method of work also means that workers are stuck with figuring out their own cybersecurity on their own devices. Then, there’s the use of casual labor. Employers aren’t necessarily onboarding freelancers and contractors with the same rigor they use for full-time, in-house workers.
Given that the vast majority of cyberattacks come from human error and malicious insiders, companies have a lot to be worried about — even if they don’t know it yet. And you could be one of them.
BYOD Offers Its Own Challenges
The ubiquity of smartphones and the growth of responsive websites and mobile web usage means that companies can rely on workers’ personal devices rather than issuing one to them. Organizations like what the savings do for their bottom line and workers like the flexibility. But the bring-your-own-device (BYOD) movement also presents some serious challenges for cybersecurity both for in-house staff and especially for gig workers.
Theft and loss are two big problems for companies with BYOD policies. Unlike a work-issued phone, a gig worker’s personal device travels with them to work, home, school, the bar, the bathroom, and literally everywhere else they go. If a device goes missing and the worker hasn’t encrypted their phone (an uncommon step on personal iOS and Android devices), then whoever finds it can find their way into the device owner’s clients’ systems and data.
Some traditional employers use drastic measures to secure personal devices used on a BYOD policy. For example, employees of the state of Delaware who use their own devices consent to remote wipe, which allows the state’s IT department to wipe their device if it goes missing or if the user violates a security policy.
At the same time, asking gig economy workers to consent to this would be far more complicated because they by-and-large exclusively use their devices with no other alternative. In a scenario where they aren’t employees, remote wipe also looks a lot like employer overreach.
When Delaware implemented its policy, far fewer people chose to use the BYOD option, which indicates the popularity of these measures in regards to personal devices.
Systems Aren’t Ready for BYOI
The BYOD explosion already presents a well-known challenge for corporate cybersecurity teams. But the gig economy also presents serious challenges for identity and access management (IAM) systems. Employers using traditional systems manage only a limited number of employees known to the company; they cater to tens of thousands of people using corporate accounts within a closed network and enjoying the security of a firewall. They don’t work for hundreds of thousands of people signing up on their own networks and devices.
In the gig economy, freelancers and contractors use their personal accounts to create their identities in what’s being dubbed a bring-your-own-identity (BYOI) movement. Managing these accounts is more complex than handling HR-created identities from behind the company’s firewall and using internal directories to authenticate users. The vulnerabilities are almost endless, and you need a dedicated vulnerability expert to tackle this one issue alone. In this way contractor data looks more like customer data, and systems aren’t designed to cope.
Some of the implications are even more complicated by the use of personal devices and open networks. A freelancer using their BYOI on an unsecured device in a Starbucks presents real trouble for any company. And this doesn’t even consider the potential that the freelancer is using their device to access systems among other clients, who could well be competitors.
Gig Worker Identities Are at Risk, Too
There’s a huge emphasis on corporate IT security in the gig economy, but few corporate blogs touch on what could be an even bigger disaster: individual security and identity theft.
According to research, the tech platforms used to connect gig workers not only put the cost of security at the feet of the individual worker, but they sometimes add features that almost guarantee their workers are less secure. Not only do most companies fail to provide the same cybersecurity training to gig workers, but they use apps to collect private information, like driver’s license numbers, Social Security numbers, and more. Traditionally, the same information would be collected by accountants or HR teams, who are prone to attack but at least have the benefit of operating behind the company firewall and ideally with some form of cybersecurity training (or in-house IT staff).
What’s worse, scammers know this. Uber and Lyft drivers are increasingly common phishing targets because the use of assumed knowledge on behalf of the rideshare apps combined with vulnerabilities in phones leaves them more vulnerable. Flustered workers are more likely to hand over credentials to avoid being locked out of their accounts and their source of income.
In other words, by passing the buck onto the people with the least power, companies like Uber are making both workers and themselves less safe.
The gig economy presents serious challenges to the way people work, the way they save, and the already complicated issue of cybersecurity. What happens next will be determined by the way employers respond to the challenge: will they rise up to the occasion, or will they shift the blame onto those who aren’t their employees? Either way, we’re in for an interesting ride.
The original version of this article was first published on Future of Work.