720-891-1663

ATTN: Independent Contractors / Gig Workers / Freelancers 

Whatever the name, you are the present and the future. You work independently, from home, a co-working space or a client's office. You are not an employee with benefits, but you are not beholden to a boss, either. You find your own clients (or they find you). You are assigned contracts or gigs, and then it's your responsibility to make it happen...on budget and on time. 

This freedom comes with responsibilities, though, one of which you may not have considered before. Not only are you responsible for managing your projects and meeting the terms and conditions of your contracts, but you are also responsible for something that is far-reaching and significant.

It is this: You have access to your client's IT environment, and you are responsible for not infecting that environment with malware or other problems that originate in your own IT environment. You may say "wait, I don't have access to my client's IT environment," but you do. It may be as simple as sending rich text emails or sharing Word documents or spreadsheets (any of which can carry a malicious macro or link), or you may log on to web assets belonging to your client with credentials that can be stolen from your own machine. You may even have direct access to your client's network, but even if you don't have this last one, you most likely have at least one of the first two. Therefore, you can compromise your client's world. This is becoming increasingly important because more and more companies must comply with new privacy and cybersecurity regulations such as:

This means they must control access to their networks and only allow access to vendors and contractors who can PROVE that they have good cybersecurity practices. What, then, does this mean for you and your business?

Typically, your IT infrastructure consists of your laptop, tablet, phone, printer, router and any external hard drives you have. It also includes any number of cloud services such as Gmail, Google Drive, Office 365, Amazon Web Services, Dropbox and a host of others. The good news is that you do not have a lot of IT infrastructure to police and protect compared to the average company. But you can't go to sleep on this issue. Be aware, for instance, that cloud service providers are responsible for securing their own infrastructure, but you are responsible for what you do on top of it: your account credentials, who you share files with, and how you configure the service. A Google Drive folder shared with "anyone with the link" or a public AWS storage bucket is your misconfiguration, not the provider's.

Something else to keep in mind as far as attracting new business: if you can proactively show that your security is tight and top-of-mind, you will have a competitive advantage over the vast majority of your competition. 

The following is a list of 15 things every smart independent contractor must do to protect their own IT infrastructure and prove their security posture to prospective clients. Some of these you will already be familiar with; others, not so much. But they are all critically important (even if you've heard some of them over and over).

  1. Backups.   You need lots of them, and they need to be frequent. Good backups are your ultimate business continuity plan. A bare-metal backup (your files, operating system and applications) is best. But even if it's just all your work files, the worst case is that you buy a new machine and you are back in business. Be aware that if all of your backups are online or permanently plugged in, they too can be corrupted, encrypted by ransomware or overwritten. Offline backups (a drive you disconnect after the copy finishes) are safest, and two or three generations are even better, so that a corrupted or encrypted file is not silently copied over your only good copy. Test a restore periodically; a backup you have never restored from is only a hope. Think about what it will do to your business if you lose all of your data.

  2. Self-training.   Since you do not work for a company that is responsible for your training, you must take on that responsibility. If you think that you do not need training, then you are not yet assuming your responsibilities in this regard. 

  3. Patching.    All operating systems and applications (another word for software) on ALL of your hardware devices (laptop, phone, tablet, router, printer, and the firmware on external hard drives) must be patched and kept up to date at all times. Turn on automatic updates wherever they are offered. This includes applications you have installed but not used; an unused application is still exploitable code sitting on your machine.  

  4. Secure methods of communication.    You must be prepared to use encrypted email, phone calls, and texting with clients. For email, we recommend the free version of Proton Mail and for secure texting and voice calls, we recommend Signal. Keep in mind that email is only end-to-end encrypted when both sides support it (Proton Mail to Proton Mail, or a password-protected message to an outside address); a message from Proton Mail to an ordinary Gmail address is protected in your mailbox but travels like any other email. 

  5. Software developers.   Many gig workers are also software developers. You then have software supply chain issues to deal with: the libraries and packages you pull into a client's product are code you did not write, and an outdated or compromised dependency is delivered to the client under your name. You are your own compliance officer. You need to be able to demonstrate to clients that your software development process is secure. At the minimum level, you should document that you test for the OWASP Top 10. At a higher level, you can document that you have a secure software development lifecycle (SSDLC). We can help you with this…see below.

  6. Web site security.   Many gig workers have their own web sites. You are responsible for web site security. Here are some website security tips:

    • If your web site is built with a content management system (CMS) like WordPress, use the absolute minimum number of plug-ins. Each plug-in is third-party code running on your site that you have not reviewed.
    • Uninstall, not just deactivate, whatever plug-ins you don't use. A deactivated plug-in's files are still on the server and are still attack surface.
    • Patch your web site. What version of WordPress (or other CMS) are you using? Make sure it's the latest version, and the same goes for its themes and plug-ins. If you are not using a CMS, what version of the operating system and web server are you using? Sometimes that is upgraded for you automatically; sometimes not. Know which it is with your host.
    • Are you collecting ANY personally identifiable information (PII) on your web site? Are you deleting this data when you no longer need it? Under the new California law (the California Consumer Privacy Act), you can be sued if you have PII on your web server and it is disclosed to others without permission, as happens when your web site is hacked. "PII" is a very broad term. Someone's email address is probably PII, for example.
  7. Public WIFI.   It should be your business policy not to allow any of your IT infrastructure to ever touch a public WIFI access point. On public WIFI, anyone else on the same network can watch unencrypted traffic, impersonate the access point, and probe your machine directly; it is an open door into your machine and your data. If you truly have no choice, use your phone's hotspot instead, or at least a VPN. Here are some great pieces by Mitch Tanenbaum* on this subject:

    Most People Will Connect to a Public WIFI If It's Free 

    * Mitch, CyberCecurity, LLC Partner and Technical Director, writes one of the most popular (and readable) cybersecurity blogs in the world. In fact, whenever you are doing research for any cybersecurity topic, one of the first places you will want to go is Mitch's blog. He's been writing about a variety of topics for years, and it's highly likely you will find some great content. (Please feel free to use it as long as you attribute the content to him and provide a link to us.) 

  8. Network separation.   Ideally, your business IT infrastructure should be kept totally separate from your family's IT infrastructure. But if you MUST share your IT infrastructure with your family, then separate your work network from any family networks; most home routers can do this with a guest network or a second wireless network name. You have much less control over what infected web sites your family visits than you do over your own browsing, and if their devices (including iPhones, for instance) get infected, they can easily attack your work computers across a shared network.

  9. Harden your network.   There are various settings and configurations that must be made on your IT devices and security applications, such as firewalls, operating systems, and anti-virus and anti-malware applications: turn on the host firewall, enable full-disk encryption, change default router passwords, disable services and remote-access features you don't use, and work from a non-administrator account day to day. Whether you do it yourself or hire IT support to do it, it must be done and documented. And maintained!

  10. IoT devices.   Do not allow IoT devices like Amazon Alexa or security cameras to have access to your business IT infrastructure; if they must share your internet connection, put them on the guest network, away from your work machines. If you are serious about your business, then protect its IT infrastructure. In general, the security of IoT devices is similar to the security of PCs about 10 years ago: default passwords, rare patches, and services listening on the network.

  11. Delete data when finished.  Your business policy should be to delete all historical or non-active client data when it is no longer required. An alternative business policy is to archive it securely offline, preferably encrypted.

  12. External, encrypted hard drives.   Identify all sensitive customer, client, and other data and store it on an external, encrypted hard drive or flash drive, such as an Apricorn hardware-encrypted drive. Remember not to leave this drive connected to your main laptop or other computing device when not in use; a connected drive is just one more disk for ransomware to encrypt. Also, having multiple copies of such drives is an excellent practice...hard drives and flash drives tend to fail at the worst times. 

  13. Power protection.   This is a simple thing, but often overlooked. If you don't have good surge protection, or better yet a UPS (uninterruptible power supply), you are vulnerable to having your equipment fried. And you don't need a direct lightning strike on your area. If your power goes off and on multiple times in a short time frame, all kinds of bad things can happen to your equipment. It is much less expensive to replace a UPS that gave its life for your computer than to replace the computer.

  14. Strong passwords and multi-factor authentication.   It's amazing we still have to talk about this. Use strong passphrases, a different one for every account, and keep them in a password manager. MywifeNancymake$thebe$t$alad$!!!1 is the type of very strong passphrase that can be remembered (but don't use that one: anything printed in an article is now on attackers' word lists). Multi-factor authentication is a process where you use a second (or more) factor to log in to, for example, a web site. The first factor is usually a password and the second factor might be a 6 digit number sent to you each time you log in, via a phone call or a text message, or generated on your phone by an authenticator app. Prefer the authenticator app or a hardware security key where they are offered; text-message codes can be intercepted by an attacker who takes over your phone number. All banks now make two-factor authentication available and even most social media platforms offer it. Are you using it? Do you care if someone hacks your bank password and empties out your bank account?

  15. Anti-virus and anti-malware.  While it will not protect you against all badness, it does help, and it is very inexpensive. However, it must be updated regularly and, if it is a paid product, you must renew the subscription; an expired product stops receiving the updates that make it useful. Do not go for the cheapest solution. Read the reviews and go for the best one.
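Item 1 recommends several offline generations of backups and, above all, a backup you know restores. As an added example (not code from the original page or from CyberCecurity), the script below does the mechanical part: it packs a work directory into a timestamped tar.gz, records the archive's SHA-256 in a sidecar file, keeps only the newest N generations, and then proves an archive restores to byte-identical files. The work directory, its files and the backup folder are constructed inside a temporary directory for the demo; in practice the destination is the external drive you unplug afterwards. It uses only the Python standard library.

```python
"""Generation-based backups with a restore test (added example)."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest: Path, keep: int = 3, stamp: str = "") -> Path:
    """Archive `source` as dest/<stamp>.tar.gz with a .sha256 sidecar, then prune
    so only the newest `keep` generations remain (names sort by timestamp)."""
    keep = max(keep, 1)  # never delete the generation we just wrote
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    archive = dest / f"{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    archive.with_name(archive.name + ".sha256").write_text(sha256_of(archive) + "\n")
    for old in sorted(dest.glob("*.tar.gz"))[:-keep]:
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
        old.unlink()
    return archive


def file_hashes(root: Path) -> dict:
    """Map every file under `root` (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(archive: Path, source: Path) -> bool:
    """Restore test: the archive must match its sidecar hash, and every file in it
    must extract byte-for-byte equal to the live copy under `source`."""
    sidecar = archive.with_name(archive.name + ".sha256")
    if not sidecar.exists() or sha256_of(archive) != sidecar.read_text().strip():
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses ../ members and link escapes
            except TypeError:  # Python release without the 'filter' argument
                tar.extractall(scratch)
        return file_hashes(Path(scratch) / source.name) == file_hashes(source)


def run_demo() -> dict:
    """Constructed scenario: three nightly generations with keep=2, one good
    restore test, and a corrupted archive that the sidecar hash catches."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"
        (work / "client-a").mkdir(parents=True)
        (work / "client-a" / "contract.txt").write_text("draft 3\n")
        (work / "notes.md").write_text("# invoices\n")
        vault = Path(tmp) / "backups"  # stands in for the external drive
        first = make_backup(work, vault, keep=2, stamp="20240101T020000")
        restore_ok = verify_backup(first, work)
        make_backup(work, vault, keep=2, stamp="20240102T020000")
        latest = make_backup(work, vault, keep=2, stamp="20240103T020000")
        remaining = sorted(p.name for p in vault.glob("*.tar.gz"))
        # Damage the newest archive (a failing drive or malware would do this);
        # the restore test must now fail instead of quietly "succeeding".
        with latest.open("ab") as fh:
            fh.write(b"\x00")
        corruption_detected = not verify_backup(latest, work)
        return {"restore_ok": restore_ok, "remaining": remaining,
                "first_pruned": not first.exists(),
                "corruption_detected": corruption_detected}


if __name__ == "__main__":
    print(run_demo())
```

Point `make_backup` at your real work folder and a mounted external drive, run it on a schedule, and run `verify_backup` on the newest archive before you unplug the drive; a failed verify is the moment to investigate, not the day you need the restore.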

After you have completed the list of 15 must-do items listed above and think you are in pretty good shape, you are ready for a third-party risk assessment. That is when a company such as ours does a cyber risk assessment on your IT infrastructure. This can be done remotely and costs $2,000-$3,000. It comes with a letter and report from us that attests to specific facts about the security of your IT infrastructure and procedures. 

It is becoming more common for corporate clients to request such an assessment and report as a condition of their gig contracts. This is especially true if you have access to the client's sensitive data or if the client is part of a regulated industry. More and more, it is simply a basic legal requirement to do business, as in Colorado under its new privacy law, or if your client does business in Europe and must comply with GDPR.

One more important ingredient in your gig business infrastructure is professional cybersecurity and IT support. You need to have vetted cybersecurity and IT support services set up and ready to respond to any support you might need on an hourly basis. Why? Because you never know when you will need help, but when you do, it will most likely fall under the category of "ASAP!"

CyberCecurity, LLC is a small, full-service cybersecurity firm that provides cybersecurity for gig workers. We can fully cover your cybersecurity needs and can help you with vetted IT support companies that can handle IT matters that we don't deal with. Our hourly rate is $250.00. Here is a link to what people are saying about us.

The last thing to consider is cyber risk insurance. This is different from general liability insurance or professional liability insurance. Policy wording is not standardized across insurers, so you must review what your broker is offering you very carefully (we can help): what is covered, what is excluded, and what security practices the policy requires you to have in place before it pays. Otherwise, if you have a problem, you may be writing checks for tens of thousands of dollars. If that is OK, don't bother with the insurance.

For small businesses with less than 20 employees, please check out our very affordable Business Cybersecurity Certification Program. 

If you have an engagement with a larger firm, odds are they are having cybersecurity challenges. We can help them, as well. Please feel free to introduce us. 

Please let us know if we can be of assistance. 

Ray Hutchins, Managing Partner
CyberCecurity, LLC
303-997-5506
303-887-5864

www.CyberCecurity.com

FOR WRITERS: We feel certain that you will benefit from this information. If you'd like to take this info and create your own article, please feel free to do so--as long as you attribute to us and link to our web site. Also, please ping us if you'd like to publish this piece.
