If you are considering hiring a freelancer to save some money on IT support or software development, keep in mind the cost of a data breach is skyrocketing. However, hiring a freelancer can be an attractive option due to the cost effectiveness and flexibility to hire experts with specific skills without needing to add members to your internal organization.
According to recent news, the North Korean government has dispatched thousands of tech-savvy workers to various countries to infiltrate freelance networks, misrepresenting themselves using falsified documents. In one recent incident, the security company KnowBe4 was infiltrated and caught a new employee uploading malware to their internal servers.
These freelancers gain access to sensitive data and systems, potentially inserting vulnerabilities, causing misconfigurations, or even initiating ransomware attacks. Since 2022, the FBI, US Department of State, and US Treasury Department have issued warnings highlighting the risks associated with hiring freelancers. This situation underscores the general risks of freelancers, as they may use privileged access to exploit systems, posing significant security threats to organizations.
It's not that you should never hire freelancers or remote workers for software development. In fact, in 2024, it represents a big strategic advantage for productivity, creativity, and lowering the cost of agile feature development, or simply for trying out new ideas without breaking the bank. Freelancers offer productivity benefits and can extend the workforce with specialty skill sets according to needs on a per-project basis. When hiring freelancers for software development, it's crucial to take specific steps to mitigate potential risks.
Follow these best practices to ensure security and project success.
Don't Outsource The Whole Job: Lead developers should ideally always be full-time workers, locally sourced and on-site at least part of the time in a hybrid arrangement. Lead developers should be the primary architects for the software application or distributed service architecture you are developing. Once the main framework has been developed using a waterfall development approach, the tasks can be broken down into smaller pieces and outsourced to freelancers.
Gradually Work With New Freelancers: Take steps to gradually develop a working relationship with new freelancers. Outsource only small parts of a project to a freelancer at first, before assigning larger tasks. As freelancers prove themselves, it makes sense to compensate them for their performance in order to retain their services on a regular basis.
Check The Freelancer's Reviews: Always review feedback from previous clients to assess the freelancer's reliability and quality of work. Set a benchmark for your risk appetite, such as the number of completed jobs, years of evidenced experience, or the lowest acceptable overall rating. Freelancers without experience may be quite valuable, but obviously the level of risk is much higher, and this should be reflected in the type of work you assign them.
Hire Local Freelancers: Whenever possible, hire freelancers from your local area to facilitate easier communication and potential in-person meetings.
Meet For Online Video Chat At A Minimum: Just because you are hiring a freelancer doesn't mean you can't meet in person. However, the reality is that much of the time you won't be able to hire a freelancer who is close by. If meeting in person isn't feasible, at least have an online video meeting before hiring. This ensures better understanding and trust.
Ask Them If They Are Doing The Work Themselves: Confirm that the freelancer is not subcontracting your work to others without your knowledge. Some modern freelancing apps allow team and agency accounts. Hiring a team of freelancers with a good reputation can also ensure that work will be done in-house and not further outsourced.
Conduct A Risk Assessment To Determine Which Tasks Can Be Outsourced: Hiring a freelancer for software development can support increased productivity and efficiency of development operations. However, there is clearly a limit beyond which that increased productivity becomes a risk. Conducting a risk assessment and running trials to determine the reliability of the work produced can help set realistic and safe goals for increasing productivity via freelancing.
Verify All Work Submitted: Do not operationalize uninspected code into production systems. Ensure members of the in-house development team are able to review code before it is implemented. Conducting application security testing, such as static and dynamic software analysis, can help ensure software that is free from bugs and vulnerabilities.
Employ Strong Access Controls: Do not give freelancers credentials to production systems. Ensure proper and strong Identity and Access Management (IAM) access controls are configured for all accounts, following the principle of least privilege. Many cloud providers, such as Google Cloud and Amazon AWS, have robust and detailed IAM security configurations which can be used to segment resources and limit the access of new staff.
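A practical way to enforce the least-privilege point above is to audit a policy before it is attached to a contractor's account. The following Python script is an added example for this post, not code from Packetlabs or from any cloud provider's tooling. It parses AWS IAM policy documents and flags the patterns that most often hand a new account far more access than intended: blanket actions (`*`), service-wide wildcards (`s3:*`), wildcard resources, NotAction/NotResource grants, and IAM actions that can alter other principals' access. The three policies embedded at the bottom are constructed samples; the bucket names are placeholders and the checks are heuristics, not a complete IAM analysis.

```python
"""Audit AWS IAM policy documents for statements that violate least privilege.

Added example for this post. The sample policies are constructed for the demo,
and the checks are simple heuristics rather than a full IAM evaluation.
"""
import json


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return human-readable findings for an IAM policy document given as a dict."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access, never widen it
        label = stmt.get("Sid") or f"statement {idx}"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: uses NotAction/NotResource, which grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{label}: allows every action ('*')")
            elif action.endswith(":*"):
                findings.append(f"{label}: allows every action in service '{action.split(':')[0]}'")
            elif action.lower().startswith("iam:"):
                findings.append(f"{label}: grants IAM action '{action}', which can change other principals' access")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{label}: applies to every resource ('*')")
    return findings


def audit_json(policy_json):
    """Parse a JSON policy string and audit it."""
    return audit_policy(json.loads(policy_json))


def is_least_privilege(policy_json):
    """True when the policy produces no findings."""
    return not audit_json(policy_json)


# Constructed sample: the blanket policy that should never be handed to a contractor.
OVERLY_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: scoped to one dev bucket, but the service wildcard still over-grants.
SERVICE_WILDCARD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DevAll", "Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-dev-bucket/*"}],
})

# Constructed sample: only the actions the task needs, on one dev bucket,
# with the production bucket (placeholder name) explicitly denied.
CONTRACTOR_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevBucketObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-dev-bucket/*"},
        {"Sid": "DevBucketList", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-dev-bucket"},
        {"Sid": "DenyProd", "Effect": "Deny", "Action": "*",
         "Resource": ["arn:aws:s3:::example-prod-bucket", "arn:aws:s3:::example-prod-bucket/*"]},
    ],
})

if __name__ == "__main__":
    for name, doc in [("overly permissive", OVERLY_PERMISSIVE),
                      ("service wildcard", SERVICE_WILDCARD),
                      ("contractor scoped", CONTRACTOR_SCOPED)]:
        print(f"{name}: {audit_json(doc) or ['no findings']}")
```

Run the audit over every policy that will be attached to a freelancer's user, group or role as part of onboarding, and treat any finding as a reason to rewrite the policy around the specific actions and resource ARNs the task actually requires.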
Pay a Reasonable Amount: Last but not least, pay a fair amount for services rendered. Offering fair compensation ensures you attract skilled and reliable freelancers who are less likely to cut corners or compromise on quality.
The recent infiltration of freelance networks by North Korean tech workers highlights the critical security risks associated with hiring freelancers for software development. These workers, posing as non-North Korean, use falsified documents to gain access to sensitive systems, potentially inserting vulnerabilities or launching cyberattacks.
To mitigate these risks, it’s essential to follow best practices such as gradually working with new freelancers, thoroughly checking reviews, hiring locals when possible, and employing strong access controls. By taking these precautions, organizations can harness the benefits of freelancers while safeguarding their systems and data.