- The use of third-party workers, including independent contractors and freelancers, creates increased risk for enterprises, according to a study released Tuesday by Tel Aviv-based startup Talon Cyber Security.
- The report showed 9 in 10 third-party workers conducted business using personal, unmanaged devices where organizations have little to no visibility into their activities. The report is based on a survey of 258 third-party workers in the U.S., conducted by Technology Market Insights on behalf of Talon.
- About 45% of respondents are using virtual desktop infrastructure or desktop-as-a-service technologies, which are expensive, provide inconsistent user experiences and are considered risky from a security perspective, according to the report.
The report highlights the risks of securing unmanaged, remote contractors in an enterprise environment. Many organizations depend on contractors and freelance workers to provide important services, but don’t have enough visibility into the technologies they are using or the potential security risks they take when conducting business.
“Typically an organization will grant contractors or freelancers access to the corporate applications and data needed to carry out their job responsibilities on behalf of the organization,” Ohad Bobrov, co-founder and CTO at Talon, said via email. “This could be anything from financial data and applications to marketing platforms and sensitive materials, depending on the nature of work being done.”
An increasing number of organizations are relying on contractors and freelancers for critical business functions amid a shift toward the gig economy, according to research from Forrester.
“You may think of them as an employee, they may have a corporate email address, they may even sit next to you at the office, but they are not employees,” said Alla Valente, senior analyst at Forrester. “These are third-party entities that can become the conduit for cyberattack and expose your organization to undue risk.”
Threat actors have targeted third-party contractors in some high-profile incidents over the past year. In one of the most prominent, Okta was the victim of a ransomware attack by Lapsus$ in January, in which attackers targeted the laptop of a third-party customer support engineer.
After initially denying the attack, Okta later confirmed 2.5% of its customers were impacted by the data breach. Okta admitted embarrassment after the threat actor posted screenshots two months after the initial attack.