Herding Cats: Cybersecurity Challenges with a Contractual Workforce
Deploying cybersecurity measures across an independent-minded workforce can be a bit like herding cats. dmarcian Senior Account Specialist Vincent Walstra talks about his experiences with this kind of business structure and the advantages that DMARC can bring.
There are specific types of businesses that face unique challenges when it comes to cybersecurity — those whose workforce is primarily composed of independent contract workers, such as real estate companies and brokerage firms. It can be a bit of a free-for-all when it comes to the IT footprint of their contract workforce, with contractors using their own computers and third-party tools that aren’t controlled or supervised by the employer’s IT department.
These workers also have refined routines and favorite third-party marketing tactics, like personalized newsletters or email campaigns. They carry these with them from company to company as they move through their careers, and the tools become ingrained, relied-upon favorites, so change can seem difficult.
They deal with financial instruments and the conveyance of large sums of money, like a deposit for a new home or transferring funds between banking accounts. When you add the time-is-of-the-essence stress of something as hectic as a home closing, the optimal conditions are in place for fraud to occur, especially Business Email Compromise (BEC) via phishing exploits.
I’ve had experience in getting companies like these to reach a DMARC policy of p=reject so no unauthorized senders can abuse that company’s email domain for phishing. Initially the path to reject can seem daunting to these companies because there are so many different authorized entities using their email domains, including a workforce of independent contractors, who are independently minded.
Turn on the lights
One of the helpful aspects of DMARC is the visibility it provides. When first deployed, having a DMARC policy of p=none provides detailed insight into all emails sent on behalf of a domain. This is like turning on a light in a dark room, so you are now able to see who and what is sending email on behalf of your company’s domain. The same goes for parked domains, defensively purchased domains and decommissioned domains; we refer to all of these as inactive domains.
Because the DMARC policy is set to p=none, email traffic is being observed but not affected, and there is no disruption to the flow of email at this phase. This gives the company time to understand the shape and scope of their email use and to put together a deployment plan without disrupting the flow of business.
Again, when you turn on the DMARC lights, you’ll be able to see the sources sending email via your domain name. Some you’ll know; some you won’t, but this will give you a comprehensive view of everyone sending email via your domain.
The obvious benefits of DMARC compliance include both visibility and security, but the benefits your contract employees will appreciate extend to deliverability. With DMARC in place, marketing efforts benefit from improved
As with any initiative that touches every aspect of a company, instituting DMARC will come with requisite training and education for contract and non-contract employees. You’ll need to develop and set expectations with employees and help them understand the advantages of DMARC and how it will help them further their work and the goals of the company.
Though having a workforce composed of independent-minded agents can seem a bit like herding cats when it comes to security issues, with some coordination and integration, DMARC offers the benefits of domain security, visibility, deliverability and brand trust.