Security training and freelancers

by Black Hat Middle East and Africa

We’ve all been there. The request pops up in your work inbox – complete your cybersecurity awareness course now. You put it off for a few days, but ultimately, if you’re an employee of a company then you have to get round to the task; you go through the training during your work hours and it doesn’t make that much difference to your day.

If you’re a freelancer, however, it’s a different story. The request slides into your emails from several different clients. One of them promises it’ll take ‘only’ 40 minutes to complete the training, while another suggests you should set aside a full hour.

But most companies don’t offer to pay for that hour – and for freelancers, an hour of unpaid work that doesn’t directly contribute to the project they’re working on for that client is a big deal. 

Mandatory unpaid security training can be a problem for freelancers 

Large organisations often work with numerous freelancers at the same time – brought in to cover everything from graphic design and copywriting, to consultancy and HR. Those freelancers are often expected to complete mandatory security training, and are sent requests to do so in the same way as payrolled employees. 

But unlike employees, freelancers aren’t paid for the time they have to spend on that training. This poses a problem for the freelancer, who has to either request an hourly rate to cover the training time; do the training for free; or just not do the training at all. 

And often, that last option is the easiest path to take. 

This means it’s a problem for your organisation too

If you’re giving network access to freelancers who aren’t engaging with your cybersecurity training, then you’re creating vulnerabilities in your organisation. 

It might be that those freelancers are already highly informed and understand cybersecurity best practices. But it’s equally possible that they have only a basic understanding of security, and won’t follow good security hygiene when they’re interacting with your network. 

This means that asking freelancers to do unpaid cybersecurity training becomes, in itself, a vulnerability that many organisations overlook. 

What’s the solution? 

Communication is key. 

Make sure the people involved in hiring freelancers in your organisation know exactly which mandatory courses they’ll be asked to complete. And ask them to include those courses in hiring conversations. 

If security training requirements are clear from the outset, then freelancers can factor training time into their cost estimates and invoice accordingly. It’s a grey area, and many companies expect freelancers to engage with their training for free – but that (often unspoken) expectation leaves you open to working with a pool of freelancers who expose your network to unnecessary risk.

From a compliance perspective, it’s also your responsibility as an organisation to ensure that all team members (including freelancers) who are asked to handle sensitive data meet any relevant regulatory requirements before they do so. You need to ensure that everyone who should complete mandatory training does so. 

So our advice is to be upfront and pay an hourly rate for freelancers to do your training. It’s a small price to pay for increased security, and it’ll help position you as an enterprise that values freelancers and knows how to work with them. 

Register now to attend Black Hat MEA 2024 and immerse yourself in learning directly from the leading experts in cybersecurity.
