Many companies work with freelancers, consultants, and contractors. It’s a great way to fill resource and skill gaps on a temporary basis or cover roles that don’t need a full-time employee. However, balancing effective collaboration with data security can be challenging.
When working with freelancers, you often trust them with access to your core IT systems and sensitive data, but they don’t fit within the usual security policies in place for your staff. This poses an additional risk that needs to be managed. At the same time, you don’t want them working outside the way the rest of the team collaborates, as this can hinder productivity and the value you get from them.
The good news is that Microsoft 365 provides a range of options to support your flexible team, allowing you to collaborate internally and externally in the way that suits you best.
Establishing Policies:
First things first: Not having a policy in place for working and collaborating with external consultants can lead to losing control over your data or becoming vulnerable to cyber-attacks. Restricting external access to select people is crucial so it’s not given by anyone without oversight. Also, consider what happens to the data once it’s shared—can they download it, delete it, edit it, send it to others, etc.? Additionally, giving access to your core business systems to unmanaged and unsecured devices opens these systems to cybersecurity risks.
Taking all of that into consideration, we have outlined some of the options available for you when using Microsoft 365, and the pros and cons of each:
Treat Them Like Normal Employees
One way to manage external contractors is to treat them like any other employee. This often means providing a company laptop or PC that complies with the company’s security policies and has security services and controls. This protects against unsecured devices accessing core systems.
You set them up with a company Microsoft account, giving them an email and setting up their access and permissions to data just like any employee—restricting it to what they need, with select permissions. This can be costly, as it means buying a device for the contractor, paying for security services, and a full Microsoft 365 license. However, it eliminates the need for a separate policy for consultants, as they fall within your internal policy. You can also create a separate security group for consultants to easily restrict their access.
Share Select Folders/Files:
Within SharePoint, you can share select folders with external people, but this needs to be managed carefully. The best option is to block this as standard, so no one gives access without an authorisation check. Then, ensure that ‘guests’ are set up in the Microsoft tenancy with an internal approval process. This means approved email accounts, or even email domains, can be shared with and added to your Microsoft environment without issue. It’s best to set this per site, rather than at the top level in SharePoint.
Consider the permissions within these folders as well, as you may want to restrict what these guests can do with the data—potentially restricting their ability to download. This requires your SharePoint sites to be set up in a specific way, with a good site structure, clear admin restrictions, and an approval process. This may not solve the issue of a consultant using an unsecured device, which doesn’t comply with your security policy, creating a risk.
Browser Only:
Another option is to set the contractors up as normal employees, giving them a Microsoft 365 license within your tenancy and carefully restricting access to what they need (preferably through a security group). Then, to remove the risk of your data ‘touching’ an unsecured device, you can prevent them from downloading, opening on desktop apps, or editing files anywhere except through the browser. This means the data never ‘touches’ their device; they simply access it through the browser within your secure Microsoft tenancy. This is done by creating a security group and setting a conditional access control.
The main consideration here is that a license is still needed, albeit a cheaper one, and many people don’t want to use Microsoft apps within the browser due to editing limitations.
Make It Their Responsibility to Comply:
With Microsoft Business Premium and other Enterprise licensing, you can set up Compliance Policies with Conditional Access controls. In non-technical terms, this means setting certain security rules that devices accessing your data in Microsoft 365 need to comply with before access is granted. For example, you can enforce that the device is encrypted, kept up to date, and has a complex password policy. This way, you make it the contractor’s responsibility to comply with your device security policies, even if you can’t control them yourself.
You can then give them access and permissions as you would for any internal employee, restricting it to only what they need, preferably through a defined security group. This can add a layer of difficulty when getting contractors to work for you, and some may not want to or be able to comply.
Encrypt the Data and Enforce Authorisation:
Data Leakage Prevention is another option within Microsoft 365 to secure emails and files when sharing them, preventing accidental and unauthorised ‘leakage’ of data. You can create groups and set tags that you apply to certain files, folders, and emails that require authentication before access is granted. For example, creating a group called ‘internal’ and adding that tag to a file ensures that even if it’s accidentally sent to someone outside the approved group, they will need to authenticate (through their Microsoft account) before accessing it, which they wouldn’t be able to.
You can create security groups with external guests. This means that even if files are downloaded, no one who hasn’t been preauthorised within this group would be able to access them, keeping them encrypted. This method focuses more on preventing sensitive data from getting into the wrong hands than protecting against the cyber risk of unsecured devices and is more file-specific rather than setting top-level permissions and access controls.
Managing Mobile Phones:
Nowadays, people access emails and files not only on laptops or desktops but also on mobile devices. This creates cybersecurity and data security risks, as consultants often use personal mobile phones instead of company-provided ones.
Microsoft has a solution for this in Business Premium and Enterprise licensing, called Mobile Device Management. This allows you to control only the business data on a personal mobile, setting security controls over business apps like Outlook and SharePoint/OneDrive. You can prevent files from being copied outside of these apps, keep the data encrypted, and remotely wipe the apps and data—all without touching or accessing any other parts of the person’s mobile.
You can also set compliance policies, forcing the consultant’s mobile phone to meet certain security standards before it can have these apps and data on it—such as being updated and having a PIN or facial recognition. This requires the consultant to trust you and allow an app to be installed on their phone, which some may be hesitant about. However, there is a clear disclaimer stating exactly what the employer can and cannot do.
We hope this guide has provided you with some helpful tips when looking to collaborate effectively with external consultants. When shaping your internal policy, consider the key factors discussed. If you would like any additional guidance, feel free to connect with us at Sereno. Our expertise spans over 50 different Microsoft environments, enabling us to optimise subscriptions, uphold security best practices, and tailor solutions to your unique business requirements.
