Hiring remote contractors is a great way to expand the capacity and capabilities of your business. However, many businesses are rightfully concerned with the security risks in exposing their data, website or IT infrastructure to contractors. Understanding the work being performed, isolating it as a standardized business unit, and implementing it as such can go a long way towards mitigating risk and building trust with your remote contractors.
First off, make sure your personal computer and network are secure. This can be a detailed process, one that I laid out in a previous post entitled "Securing Your Home Network". It's a good basic primer to lay the groundwork for your security plan.
Passwords are designed to be associated with unique user IDs. If you’re granting a remote worker access to a system, don’t use a shared password. Create a unique user ID and password for any systems you are granting them access to - that way, you'll be able to tell who accessed various systems with a minimum of confusion.
Sensitive Internal Data
Never give remote contractors access to sensitive internal financial data (bank statements, tax returns, payroll, employee records, etc.) unless such data is part of their role with your organization. In that case, make sure you have them sign a non-disclosure agreement (or NDA) to protect your sensitive information. If your VPN allows access to your entire network, then you’ll either want to find an alternative way to bring remote workers into the fold, like a project-specific code repository, or change the access schema of your VPN.
Sensitive Customer Data
Depending on the project, you may be inclined to transmit or allow access to sensitive customer data. Don’t. For example, suppose you’ve hired a remote contractor to write a database adapter that will merge customer data from two systems. The remote contractor may need you to provide copies of the databases you are merging. Instead, provide two dummy databases with the correct tables and formatting, but populated with placeholder data instead of your actual customer data.
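One way to build such a dummy database is sketched below. This is an added example, not code from the original post: it assumes the source is a SQLite database, and the function names (placeholder, build_dummy, make_sample_source) are made up for illustration. It copies only the table definitions and fills them with generated values, so no real row ever leaves your system. Tables with CHECK constraints or enforced foreign keys would need their own generators.

```python
import sqlite3

def placeholder(col_type, col_name, row):
    """Return a synthetic value that fits the column's declared type."""
    t = (col_type or "").upper()
    if "INT" in t:
        return row
    if any(k in t for k in ("REAL", "FLOA", "DOUB", "NUM", "DEC")):
        return row + 0.5
    if "BLOB" in t:
        return str(row).encode()
    if "email" in col_name.lower():
        return f"user{row}@example.com"   # keeps the expected format
    return f"{col_name}_{row}"            # TEXT and anything else

def build_dummy(source, dest, rows=5):
    """Copy table definitions from source; fill dest with placeholder rows only."""
    tables = source.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'").fetchall()
    for name, ddl in tables:
        dest.execute(ddl)                 # same columns, types and constraints
        cols = source.execute(f'PRAGMA table_info("{name}")').fetchall()
        marks = ", ".join("?" for _ in cols)
        for i in range(1, rows + 1):      # c[1] = column name, c[2] = declared type
            dest.execute(f'INSERT INTO "{name}" VALUES ({marks})',
                         [placeholder(c[2], c[1], i) for c in cols])
    dest.commit()
    return [name for name, _ in tables]

def make_sample_source():
    """Constructed stand-in for a production database (all values made up)."""
    src = sqlite3.connect(":memory:")
    src.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                                email TEXT UNIQUE, balance DECIMAL(10,2));
        INSERT INTO customers VALUES
            (1, 'Alice Example', 'alice@corp.example', 1520.75);
    """)
    return src

if __name__ == "__main__":
    src, dst = make_sample_source(), sqlite3.connect(":memory:")
    print(build_dummy(src, dst))
    print(dst.execute("SELECT * FROM customers").fetchall())
```

Before handing the file over, open it and spot-check a few tables to confirm that only generated values are present.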
Scope of Work
It’s important that your remote workers understand your business, so don’t keep them in the dark. However, there may be certain bits of information that can remain on a “need to know” basis. Break down the work into tangible, definable tasks - it not only avoids confusion, but it can prevent someone from "spilling the beans" on trade secrets or proprietary technologies.
Version control systems like Git can greatly enhance the efficiency of coding projects. Depending on the nature of the project, granting access to the code repository may or may not be wise. The advantage, however, is that you will know exactly who made changes and when, and that all editing is done in a non-destructive way. For more, stay tuned for a future post dedicated to code repositories.
The day may regrettably come when you have to terminate a remote worker. In case it does, it’s smart to have an exit strategy from the beginning. Keep track of all the systems and data you grant users access to, and be prepared to restrict that access upon ending your working relationship with them. Similar to parting ways with an in-house employee, shutting down access to internal systems means you're playing it safe - so you won't be sorry later.