About Georg Dauterman:
Georg believes in the fusion of technology and creativity. With a background in both fields, he started his career in IT departments of publishing and advertising agencies, realizing the critical need for tech aligned with business goals. Joining Valiant in 2004, Georg’s expertise and passion for efficiency brought industry recognition. He holds a history degree from Queens College and serves on Datto’s Global Partner Advisory Board. Beyond his leadership role, Georg enjoys exploring culinary skills, fitness, and outdoor adventures with his family.

About Megan Quick:
Megan is a member of the Valiant Marketing & Sales team, assisting in demonstrating the value of our services and ensuring positive experiences for prospective clients. When not working with technology, she is a theater production manager and performer, producing her own comedy shows, and is an avid writer. Megan has a B.A. in Theater from Sewanee: The University of The South.


What you’ll learn about in this episode:

  • How to manage contractors with the same IT security rigor as full-time employees.
  • Three essential IT onboarding steps, including defining role-based tech profiles, applying the concept of least privilege, and documenting contract timelines.
  • How strong NDAs and predefined access permissions reduce legal risk and prevent contractors from holding sensitive work or data hostage.
  • Why issuing company-controlled devices or virtual desktops strengthens cybersecurity and simplifies offboarding.
  • How undocumented systems and generic logins create vulnerability, and how extending internal security policies to third parties mitigates risk.
  • Why close coordination between HR and IT with a firm access end date is the most critical step in secure contractor offboarding.
  • How a small investment in upfront IT planning can prevent major security, compliance, and operational issues down the road.


Transcript:

Megan Quick:
Hello and welcome again to The Creative Stack episode two. This is a show about the intersection of creativity and information technology. I am your host, Megan Quick, and I am joined as always by my talented co-host and the president of Valiant Technology, Georg Dauterman. Hi, Georg.

Georg Dauterman:
Hey, Megan. How are you doing today?

Megan Quick:
I'm pretty good. It's a Monday in January, but I'm happy to be here. I'm excited about this. So this week, our episode is going to center on maintaining security when working with contractors. I know we wanted to do this topic because it affects a lot of the folks we work with. So let's just dive right in. I've got some questions for you, Georg. As always, would love to hear your expertise on this topic. Now, as an MSP and the owner of an MSP, how often have you helped clients handle contractors? And I know I kind of gave it away, but is it a common thing with our clients?

Georg Dauterman:
Yeah, absolutely. It's probably one of the most common questions we get. How do we work with contractors? What's the process? What does it look like? Does it vary state by state? It depends on where you are located. It depends on what kind of work they're doing. Are they hired for a very simple pitch that gets you over the line, or are they something somewhat fully integrated into your team for a period of time or doing a special project? There's so many variables in it, but as an MSP, we want to handle them similarly to how you handle full-time employees, but with the little extra twist of understanding how they integrate into your organization and how to best keep the level of security and confidentiality intact while there are people that may not be directly in the organization.

Megan Quick:
Exactly. Yeah. And it can feel overwhelming when you know there are people you've worked with and you're like, oh, I hope we did everything we needed to do once the contract ended.

Georg Dauterman:
Right.

Megan Quick:
Overall, do you feel that in advertising and marketing, that folks are hiring more and more contractors in the last few years?

Georg Dauterman:
I don't think it's any more or less than it's ever been. I feel like that it's, across all industries actually, it's been more prevalent, especially with people hiring folks overseas, contract workers, virtual assistants, all sorts of different industries that never had freelancers or contract employees working in there. So I don't think it's any more or less. Actually, sometimes I feel that some of the larger agencies have less freelance workers because they're concerned with some labor laws that might be impacting, so that could have an impact on it. And even then, we want to be able to help them by not letting the technology make them violate any rules or laws.

Megan Quick:
And those are ever-changing. I feel like it's been very tumultuous.

Georg Dauterman:
Yeah. I'm not a lawyer. I don't even play one on TV. Check your local laws and speak with your attorney and counsel, but there's definitely some rules around the way freelancers or contract employees are hired and work, where they operate out of. So it gets really tricky, and you want to have a basic policy and procedures for how you manage them because you're going to hire them. Every company has. I think I can honestly say that almost 0% of our customers don't have some kind of contract employees somewhere. And it could be someone as simple as someone doing your bookkeeping for you that's an outsourced bookkeeper, and we should treat them maybe not the same as a full-time employee, but we want to give them a level of rigor and scrutiny beyond just giving them keys to the kingdom.

Megan Quick:
Yeah. Yeah. Because I think we've all heard the cautionary tales about that going wrong, especially. And it's a small town.

Georg Dauterman:
It's the world's largest fishing village.

Megan Quick:
That's so true. So I guess from an IT perspective, and I love lists and I think our listeners could hook into this, what are the first three things a company should do when starting their contract with a freelancer from an IT perspective?

Georg Dauterman:
So in general, but particularly from an IT perspective, you want to have a really clearly defined role for the person. If they're just doing basic work undirected without any level of direction, you could get in trouble with both them being just almost not under the rules of how contractors should work. Usually contractors want to have a dedicated deliverable. They work on their own equipment. They don't have set hours. They don't have a set location. Their management is based on results versus time. So you really want to really understand what their real role is. And are you hiring a freelance person? Are you hiring a freelance company? If they're a person or a company, do you have a set of standards you want them to follow day in, day out around information security, like a computer spec? I'll give you one that comes up all the time. Do you give the person, a freelancer, a company email address?

Megan Quick:
I was about to ask you, truly.

Georg Dauterman:
It's such a challenging question that we ask-

Megan Quick:
And it's more complicated than people think. Yeah.

Georg Dauterman:
It's interesting because it's one of those things that looks simple on the surface, but when you really dive down to it it's like, well, if you give someone a company email address, they're working as an agent of your company and they're representing you in a marketplace and they're out in the world. And how do you control that? How do you control what... And how do you build controls for access to data? How do you know what email distribution lists they're supposed to be on? Do they get company all staff emails? There's so many variables. There's so many little nuanced questions. But I think top level, the three things you really want to... This is going to go back to your questions. I can easily riff for way too long. It's something I think about and I think our customers think about it quite a bit, but I think you should think about what is it clearly defined that the person's doing for the company?

Have that really clearly defined and link the desired result to a technological profile. If they say they're a freelance creative who's being brought in to build a specific deck for a pitch, that's pretty clear. I know why they're there. Hey, they're going to do this deck. They're going to help us flesh out the strategy. They may even be part of the pitch delivery team and then that's it, they'll move on. Where it gets really fuzzy is the person who's going to work on a long-term project. Do I provide them with a company machine? Which is a question we'll talk about later, that's a whole different kettle of fish, but you want to know what they're going to work on, how they're going to work on it.

You're going to want to think how much access to company information do we want them to have? And then at the end, you just want to be really clear of how long are they going to be working with you? And it's really important to communicate that to whoever is your IT service provider and your HR folks, and maybe even your accounting team, because I've seen where folks get paid for a lot longer than they work where they're freelancers and they're submitting bills or they just keep getting paid or they're on a contract. I think it requires more scrutiny and management than I think folks give it.

Megan Quick:
Yeah.

Georg Dauterman:
But really define the edges of what you want from them, determine what technology you need to deliver and determine what access they need to deliver the work. And they should have just enough access to do the work they're supposed to do. There's a concept in IT information security called least privilege. It's the idea that you give people only the access they need to do the job they're supposed to do. And the more access they have they don't need, the more potential for data loss, unauthorized access or just disclosure. A freelance contract worker working on a social media project for you doesn't need access to payroll data, but a lot of times we see in folks that don't have an InfoSec plan in place, they don't really even know what people have access to. So we want to be mindful of that when we start working with freelancers.

Megan Quick:
And I mean, sort of a broader view, I know when you and I chat with people, they're often like, I don't know what we have. I don't know where it is. And that's always one of the pillars of IT security. It's like, first, let's figure out what is going on, then we can figure out how.

Georg Dauterman:
The inventory is your critical tool.

Megan Quick:
It's dry and clear.

Georg Dauterman:
Everyone wants the sexy part of it, but the reality is a lot of it's blocking and tackling and boring. It's just, who's the last person who had this machine and how are we going to ship that out to this person? And what happened to it when it came back? That sort of thing.

Megan Quick:
Yeah, yeah. Well, actually, near the end of that question or answering it, you kind of anticipate this next question, but what are the risks? What are the biggest risks when hiring contractors? And I guess part of it is what can they see? What do they have access to?

Georg Dauterman:
Well, that's where it starts. You want to make sure that you have a sort of clearly defined hard edge of their access and knowing what they can and can't work on. I mean, the fear always with contract employees is that there's a lot less controls or sort of recourse than you would have an employee. You want to have really clear non-disclosure agreements in place. That's actually one of the most critical things you can do with employees, same thing with contract workers. Like I said, I'm not a lawyer. And really what you want to do is, besides the sort of administrative control of a non-disclosure agreement, you want to make sure that you have a defined freelancer or contract worker profile so that they just don't have access to what they don't need.

The other risk is that depending on where they're doing their work and how they're doing the work, that they can hold your work hostage. So that sort of gets a risky... Obviously, most contract works are going to be pay on results or pay to play. So you want to have that really clearly defined almost in a contract. You'd be surprised, or maybe not surprised, you've been doing this a long time with me, Megan, people who don't have edges on these sort of things where you just don't know and then people get stuck like, well, I don't know if I can get this stuff from this person and do you guys have access to that person's computer? And we're like, that's not a company computer. That's [inaudible 00:13:05] and we just gave them an email address and now you're going to have to go deal with this.

Megan Quick:
Yeah. I was about to say, we've seen a lot of versions of this, which is how we've developed a lot of these thoughts.

Georg Dauterman:
Yeah. A lot of this is that unfortunately the classic, it couldn't happen to me mindset, but it can happen pretty easily.

Megan Quick:
Not if but when.

Georg Dauterman:
Not if but when, but I think with the contractors, the other piece of it is that you really want to know that they're going to deliver the thing. And I think the most important thing is putting in for your own sanity the technical controls that you need so that you can get the work that's guaranteed. When people have where it's like, it could be in payment schedules, it could be in a bunch of different things, but I mean, really work with them on it. And the other thing is really be consistent. Don't have a different set of rules for different people. We find that's another problem is that they're like, oh, this is so-and-so's friend, which is always a dangerous thing, and they have access to this, and they can do all these things, but they're not really employees. It's worth asking the question of, well, what do they have access to? What can they work on? What do I want them to work on? And how to downside that risk, how do you make it lower?

Megan Quick:
Yeah, how to mitigate it and make sure it's under your control, what they can access, when they can access all of those things, which leads to the next question. You've touched on this and I'm interested in... You've touched on the workstation question, do you provide them a company workstation? Do they use their own? I guess I was thinking of should they provide them at all? But what do you think are the situations where you're like, no, make sure they're working on your company's computer versus, you know what? This is okay or we can manage this.

Georg Dauterman:
Great question. And my recommendation is almost always to provide them, depending on unless that they're doing a singular project for you that doesn't have any kind of privileged data. Let's say they're doing, I don't even know what this would be, but let's say they're working on something that was like a graphic design project or something that didn't have any sensitive data, but if they're working on any sensitive or your customer data or any of your internal privilege information, I would strongly recommend them either having a company laptop that you provided for them with tools, with the full package of security that you would provide any employee, or I would look at something like a virtual desktop where they could log in remotely and 100% control their environment and access that environment so that you know what they're working on and when they're working on it.

Not that you don't trust them. It's not that trust, it's more that it protects both you and the contractor because let's say something happened. Easy example, they have their own personal laptop, you have a dispute with them, you say there's work for hire on there, that's mine. You really don't have a lot to stand on to prove it. If it's a company laptop, you're like, okay, shoot me back my laptop. Or if it's a virtual desktop, it exists in that environment. So we highly recommend that for just about everybody, unless if it's someone like doing something that's very directly build this, deliver this, move on. But anyone that I think is working, especially working for you in a longer term relationship, you should provide them equipment because I think it's just safer for them, safer for you.

Megan Quick:
Yeah. Yeah. I think it keeps the boundaries clear. When they're clear, then the next steps are always a lot easier as well if things end poorly or if they end well.

Georg Dauterman:
If they end well, it's a matter of shipping a laptop back or shutting off access. And I think that most companies don't... They want to save the costs, but the potential downside cost is so much higher if it goes off the rails. You could spend a lot of money trying to recover data or recovering information and never getting the work you paid for. And not to mention that you don't know what their setup is like. They could sign off on it, but are you willing to bet your store at the farm on them doing the right "right thing"?

Megan Quick:
Or even trying to do the right thing.

Georg Dauterman:
Right. So think about any company, I know companies we work with or many other MSPs for that matter, people spend hundreds of thousands of dollars a year on security and IT infrastructure and to have a $30 an hour contractor basically pierce that doesn't make a lot of sense. Stop for a second and think about it. And I understand the cost, people who want to contain costs and I 100% agree with that. I always have to say I own a business too.

Megan Quick:
Yeah. No, you get it.

Georg Dauterman:
But the downside, the upside is X and the downside is infinite and that's the problem is that if there is a breach or a situation and the contractor's working under your auspices, you're still responsible to your customers and to your people. So let's say I hire, I'll give you example in real life where we had a customer have a freelance HR benefits consultant start emailing the company's census in plain text, not encrypted. And a company census is such a pretty delicate piece of information that's like everyone's home address, their social security number, their age, their personal contacts. And it was actually used in an attack against the company because there was a freelancer involved in it. You really want to be mindful who has access to information like that. So I think that's one of the biggest challenges is that you have to create an environment where these people can work safely when they're not employees.

Megan Quick:
And still get their job. That's always sort of the puzzle. If we could lock everything down.

Georg Dauterman:
If everything's locked in Fort Knox and no one can access it.

Megan Quick:
No one ever does anything. It's great.

Georg Dauterman:
They work with it. Right, exactly. But there's always that delicate balance of access and convenience against security and best practices. And you have to find sort of the balance of what you can live with and what you're comfortable with and what unique needs your company has. I'll give an example, if you're working with specific companies, they may have you sign contracts about contractors having access to data and they may prevent you from hiring contractors. You've really got to think about this. This is a really delicate topic, I think, more so than people realize.

Megan Quick:
I know and people want it to be easy and it's like, yes, it can be easy, but there's a lot of work, there's foundational work to put in to make it a simpler process. And you were, again, kind of touching on it, but I know we talk a lot about policies and creating policies, and of course there's the step of creating policies and then actually putting them into practice. And I probably know the answer, but should special IT policies be created for contractors? Should companies do that? And what are the biggest things to include in these policies?

Georg Dauterman:
I don't know if they should be special. There should be components of all their policies that include outside parties that you may want to hire at given times. Almost every company hires outside folks, be it from IT services to bookkeeping, HR, marketing, and you want to make sure that your policies and your strategy includes them. I think what happens is a lot of policies tend to be very focused on like, we're going to have a password policy and we're not going to share data that we're not supposed to. People want to oversimplify it or make it a little more boilerplate, but you need to really think about who's going to have... If you step back for a second and think about it more from a perspective of like, well, what do I need to do my job? What risks do I have if something happens to this data and what can I do to balance security and convenience and access and giving people the ability to do their job really well?

And I think that not having special policies, but by having your policies include this from the start. We see it a lot where a lot of contracts will say like, you're extending this level of security or policies to all your third parties. And so what that does is it puts a lot of the due diligence on the company to validate this. So it gets tricky because who's asking the questions? I hire someone to do some creative for me. Did I ask them, do they have antivirus or EDR and they keep up to date with the latest security patches and when's the last time the machine was updated? When's the last time you changed your password? So it gets a little tricky and you just want to be sort of like, what can you enforce? What's reasonable? And just make it easy for everyone involved, as easy as you can without making it onerous.

So sort of like a roundabout just really stop for a second and spend a bit of time on what's the most important piece of information or processes and how everyone in the organization, freelancers or full-time employees or whatever are going to be able to use it.

Megan Quick:
Yeah. And I like that answer too. I mean, sometimes I feel bad because I feel like people talk to us and I'm like, oh my God, I have so much homework to do about all this stuff. And I like the idea of like, no, you probably need to create policies anyway if you have a company and you don't have to necessarily write a whole other book for freelancers, you just need to include the language that it is extended to who you work with.

Georg Dauterman:
Correct.

Megan Quick:
I think it makes sense and it's a little easier than maybe someone was, if they were worried about this, it's fixable. Yeah.

Georg Dauterman:
And I think it's easier to enforce it when it's all your environment, be it your machine, be it your cloud services, be it your servers or whatever it may be. Where it gets a little trickier, I think, is when you are having people outside those environments do work for you. That's where you need to really kind of stop and just pause for a second and determine how are you going to ask the question, how are you going to enforce it? How are you going to maintain it? In many larger organizations, this is like a full-time job, this is third party vendor management. It's really tricky and the smaller the organization the trickier it gets. We help people with it, but it's something that it's hard.

Megan Quick:
Yeah. It's a whole other headache.

Georg Dauterman:
Well, it's unfortunately not something that generates revenue for a business. It's sort of a cost of doing business that's hard where everyone's always looking for efficiencies and this is a place where you have to find the balance of the efficiency versus your risk protection.

Megan Quick:
Exactly. And I hope this question applies, you're speaking about them either being immersed in your environment or working outside of the environment and obviously that's harder to secure. What specific platforms are most vulnerable when you work with a contractor?

Georg Dauterman:
The platforms that are most vulnerable is the one that you don't have documented nor secured. It's when you set up the person... Perfect example is, and we've seen this time and again, the classic, oh, we hired this freelancer, we sent them with a Google account and we gave them our standard setup. Now a standard setup may have access to all sorts of information that they don't belong. And I think one of the biggest challenges, especially for agencies particularly, is that they are very information sharing. They want people to have access when they need it, they don't want to hide things.

I need to see all the data, I need to see all the creative, I need to see all the briefs, I need to see all the strategy. Unfortunately, a lot of folks don't set up any kind of structure around it where I have access to client A that I'm working on, but I'm not set up in a way that prevents me from seeing client B, C, D, E, F, up to Z. And if I'm not working on that account, I shouldn't have access to this other data. So I think really what it comes down to is the most vulnerable platform is the one that you have not spent the time to build a structure for access control and one that you don't... Well, I'll step back for a second. One thing we see a lot is that people want to use generic logins for contractors like freelance one or intern two or whatever it is. They use the same names over again. Problem with that is we don't know who that person is. You give them credentials, you have no recourse.

Now it could be anybody, any time. That account could be compromised, someone could be running around inside your environment. We have no idea who that is. So we highly strongly recommend not doing that. So the platform that's most vulnerable is the one you don't have documented, the one you don't have any kind of structure around, and one that you don't set up individual logins with accountability and auditing for. Modern cloud platforms are really good about this. We can set up auditing, we can set up location where people can log in, you can log in from the United States or you can log in from the UK, whatever it is. We can enforce multifactor authentication. We can do all sorts of things. Generic login is our enemy in this case. That's where I think people get jammed.

Megan Quick:
And again, it's the simplest thing that can end up really creating a huge vulnerability for your environment. And it's like, yes, you want to be simple, you get an intern every summer, you want to be able to just get them going. And I think what you were saying about it's the platform you haven't secured or you haven't kind of done the basics that you should be doing with. You and I work with a lot of companies that have grown a lot in the last few years, or they're about to grow. And they are often in a moment where they go, wait, we have to look at what we've built. Did we build it correctly? And it's interesting to me because the stuff we talked about even in our first episode I feel like relates to this. It's like build a stronger foundation as you get to give yourself a more mature stance and a more protected stance.

Georg Dauterman:
I think a lot of this is that unfortunately a lot of these, not always that it wasn't set up professionally, but a lot of the environments were set up organically, expediently. And we see it a lot in agencies where it started out as two people on a great idea, and unfortunately they sort of hit this wall where they need professional help. But it's like anything else, that's sort of like this cost goes up quite high in that first pass because you have to do a lot of upfront work to get it to be set up correctly. Or correctly is the wrong word. I shouldn't use the word correctly. More like best practices.

Megan Quick:
Yeah. And I like when you said organically because the reality is with any business, but creative businesses especially, it's like, yeah, you kind of have to grow as the opportunities come and it's never perfect. And sometimes it takes going back and restructuring to move forward with more peace of mind.

Georg Dauterman:
Right. There's no good time to do it. And part of it is, what are your needs? What do your client base look like? There's a hundred different options and there's a lot of variables in it. And really what it comes down to is you get to decide, like all entrepreneurs or all business leadership, you have to really decide what is your level of risk tolerance, what your needs are, and is this getting in the way of you delivering what you have to deliver to your customers? I mean, take the risk side of it out because I think most entrepreneurs live at risk on a day in day out basis in a way that most people would be uncomfortable with. But really it was like, is this now hindering your growth? Are you not able to sign contracts? Are you uncomfortable in saying, yes, we do that? That's where you start getting the part like, hey, this is time to really start getting deeper into this or asking the questions like, well, what can we do better?

Megan Quick:
Absolutely. We're about to end on I think your favorite question. I anticipated it being your favorite question given how much we love this topic in general. How can you securely onboard and offboard a contractor?

Georg Dauterman:
That's a great question.

Megan Quick:
Thank you.

Georg Dauterman:
I love it. I think this is where the upfront work really comes into play. You create a special contractor onboarding, offboarding profile. You develop what their job role and responsibilities are, which are either your HR or IT services or both. Actually, you should coordinate both of them together. One of the things we see I think is one of the biggest mistakes is that HR and IT tend to work at, I would say odds, but they're not integrated into each other. I think working with some automation around onboarding and offboarding is really important. And probably the single most important thing you do is put a date on when the person is no longer working with the company. One of the things we see is this sort of like, oh, that person's a freelancer, he left here six months ago. But it's like, you know they had access to your business for the entire time.

Megan Quick:
Yeah, we've seen that.

Georg Dauterman:
More than once.

Megan Quick:
A lot, yeah.

Georg Dauterman:
Yeah. It's sort of like our upfront work could save you thousands of hours of downstream risk despite really defining the process for the onboarding, offboarding. And you can do it securely and just define it, write it out. It's actually amazing to me after all these years how many people don't have a written anything for this and they sort of go by the seat of their pants. And I understand move fast and, I get it.

Megan Quick:
Move fast, break things, yeah.

Georg Dauterman:
Break stuff. But this is one that you probably should do a bit upfront work.

Megan Quick:
Well, also I love what you just said and I feel like it helped me. I've obviously been working with you for a long time, but I'm like, it helped my brain click where it's like one hour of upfront risk. It saves you infinite hours for later.

Georg Dauterman:
It's unbelievable.

Megan Quick:
I feel like that's what I want to leave our listeners with right now.

Georg Dauterman:
So if you have one actionable thing from this podcast, listen to this. Look at your organization, see who is in there, who's potentially a freelancer or a contract employee or contract company who has access to your data and think about how they interact with your systems and your data. And I would highly recommend, ask your IT provider like, hey, can you help me with this? Or ask your HR provider. And that might be helpful as well how you operate with your contractors because I think it could really save you a lot of headache down the line. Also, it just makes you sleep better at night, which is really important.

Megan Quick:
Yeah. You know things are taken care of. You know you've done the best that you can do and you've taken the steps you need to take. Yeah. I mean, I love where we ended there, Georg. Is there any last words you want to give to contractors in general?

Georg Dauterman:
I think contract staff are one of the greatest helpers in this to achieve its goals. I think that to treat them as second class citizens is a mistake because they can really be force multiplied in your business, especially when you need them. And I think they deserve a bit of the attention that you would give any employee because you want to see them succeed. The last thing you want is to spend time, effort, money, just resources on someone because they're supposed to be a "contractor" and they should do it themselves when you could get the best outcome together with them. So as I said, bit of upfront work can yield a huge outcome down the road.

Megan Quick:
And then you want to work with good people over and over again, make the experience good for everybody. Yeah, that's so great. Okay. Well, we can leave it there. Georg, I was so happy to chat with you for our second episode. We're really chugging along and thank you so much for joining me today and I can't wait to talk to you again.

Georg Dauterman:
I know. We have some good ones coming up down the pike.

Megan Quick:
We do. And maybe some special guests. I don't know. Oh.

Georg Dauterman:
We'll find out.

Megan Quick:
We'll find out. We don't want to give it away. All right. Thank you, Georg. So good chatting with you today.

Georg Dauterman:
Bye now.

Megan Quick:
Bye. Thank you so much for listening to The Creative Stack. If you enjoyed the episode, please rate, review, and subscribe to us wherever you get your podcasts. The Creative Stack is created by Valiant Technology, a managed IT service provider based in New York that specializes in providing creative agencies and PR firms with the technology they need to achieve their goals. Please visit us at thevaliantway.com to learn more about our services. I'll see you next time.



 



Post by Megan Quick
Mar 3, 2026