UtopianKnight Consultancy – James Griffiths

STRATEGIC | TECHNICAL | ADVISORY | AI | DEVELOPMENT | vCTO | CYBER | ICS & OT


Polyworking and Shadow IT: Why Gen Z Side‑Gigs Are a Cyber Nightmare

In today’s hyperconnected economy, polyworking, the trend of holding multiple concurrent jobs or freelance gigs, is gaining momentum, especially among Gen Z professionals. While it signals a cultural shift in how young workers view employment, autonomy, and income generation, it also presents a clear and growing cybersecurity threat to businesses.

From fragmented digital identities to the proliferation of Shadow IT, organisations are now more exposed than ever to lateral phishing, data exfiltration, and supply chain compromise, often through their own employees.


🧠 What Is Polyworking?

Polyworking refers to the practice of working multiple jobs simultaneously, often across different sectors and roles. Unlike traditional moonlighting, polyworkers are often deeply embedded in their multiple roles (typically remote or hybrid) and may even use the same devices, cloud accounts, and tools to manage them.

This trend is accelerating for several reasons:

  • Gen Z’s approach to work prioritises flexibility, financial freedom, and passion projects over loyalty to one employer.
  • The gig economy and remote work culture make juggling multiple roles technically feasible.
  • Rising cost of living pressures many workers to diversify income streams.

While polyworking may suit the individual, for organisations it can open the door to unintentional insider threats and a host of other cyber risks.


💣 Why It’s a Cybersecurity Time Bomb

1. Fragmented Digital Identity

When individuals work for multiple employers simultaneously, their digital identities become fragmented across systems, platforms, and domains.

A single Gen Z employee might:

  • Use personal email for one contract, corporate email for another.
  • Authenticate via social logins (e.g., Google, LinkedIn) across multiple tools.
  • Reuse passwords or share credentials for convenience.
  • Maintain multiple Slack, Teams, or GitHub accounts with overlapping permissions.

This fragmentation blurs the line between personal and professional spheres, making it extremely difficult for security teams to track:

  • Where data is going
  • Who has access to what
  • When credentials are being misused

It becomes nearly impossible to build a reliable user risk profile when digital identities are scattered and self-managed.


2. Rise of Shadow IT

Polyworking fuels the growth of Shadow IT: systems, software, or apps used within organisations without official approval.

A polyworking employee might:

  • Use unauthorised tools (e.g., productivity apps, AI coding assistants) they’ve used in other jobs.
  • Spin up cloud infrastructure (e.g., AWS, Notion, ChatGPT, Trello) that’s invisible to IT.
  • Save work data on personal Google Drives or iCloud storage.

This leaves security teams blind to entire attack surfaces that bypass DLP, firewalls, CASBs, and endpoint management.

Even worse, when an employee offboards or forgets a login, abandoned data silos become ripe for exposure or breach.
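The CASB-style discovery that closes this blind spot usually starts from data the organisation already holds: web-proxy or DNS logs compared against a list of sanctioned services. The script below is an added illustration of that sweep, not code from the original article or from any vendor. The proxy log format (timestamp, user, destination host, bytes out), the sanctioned-domain list and the small SaaS catalogue are all constructed for the example; a real CASB catalogue runs to thousands of entries.

```python
"""Unsanctioned SaaS discovery from web-proxy logs (added example).

Assumes a space-separated proxy log: timestamp user host bytes_out.
The allow-list, catalogue and log lines below are constructed samples.
"""
from dataclasses import dataclass

# Constructed allow-list of sanctioned SaaS domains for a hypothetical tenant.
SANCTIONED = {"slack.com", "microsoft.com", "office.com", "github.com"}

# Constructed catalogue of services worth flagging when unsanctioned.
SAAS_CATALOGUE = {
    "drive.google.com": "personal cloud storage",
    "dropbox.com": "personal cloud storage",
    "icloud.com": "personal cloud storage",
    "notion.so": "productivity / notes",
    "trello.com": "project management",
    "chat.openai.com": "AI assistant",
}

# Constructed sample proxy log lines: time user host bytes_out
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice slack.com 2048
2024-05-01T09:05:40Z alice drive.google.com 48123904
2024-05-01T09:07:02Z bob github.com 1200
2024-05-01T09:09:55Z bob chat.openai.com 35000
2024-05-01T09:10:31Z alice dropbox.com 91000000
2024-05-01T09:12:00Z carol office.com 500
2024-05-01T09:13:45Z bob notion.so 700
"""


def is_sanctioned(host: str) -> bool:
    """True if host equals, or is a subdomain of, a sanctioned domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def classify(host: str) -> str:
    """Map a host to a catalogue category; unknown hosts are 'uncategorised'."""
    host = host.lower()
    for dom, cat in SAAS_CATALOGUE.items():
        if host == dom or host.endswith("." + dom):
            return cat
    return "uncategorised"


@dataclass
class Finding:
    user: str
    host: str
    category: str
    requests: int = 0
    bytes_out: int = 0


def find_unsanctioned(log_text: str) -> dict:
    """Aggregate per (user, host) traffic to hosts outside the sanctioned list."""
    findings: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, bytes_out = line.split()
        if is_sanctioned(host):
            continue
        key = (user, host.lower())
        f = findings.setdefault(key, Finding(user, host.lower(), classify(host)))
        f.requests += 1
        f.bytes_out += int(bytes_out)
    return findings


def large_uploads(findings: dict, threshold_bytes: int = 10_000_000) -> list:
    """Unsanctioned destinations whose outbound volume exceeds the threshold,
    largest first; these are the candidates for a DLP follow-up."""
    return sorted((f for f in findings.values() if f.bytes_out >= threshold_bytes),
                  key=lambda f: f.bytes_out, reverse=True)


if __name__ == "__main__":
    found = find_unsanctioned(SAMPLE_LOG)
    for f in found.values():
        print(f"{f.user:6} {f.host:18} {f.category:24} {f.requests} req {f.bytes_out} B")
    print("Large uploads to unsanctioned hosts:")
    for f in large_uploads(found):
        print(f"  {f.user} -> {f.host} ({f.bytes_out} bytes)")
```

The suffix match in `is_sanctioned` matters: a tenant that sanctions `microsoft.com` almost always wants `login.microsoft.com` covered too, but the match must be on a dot boundary so that a look-alike such as `notslack.com` is not waved through. Outbound byte volume, rather than request count, is what separates a polyworker checking a personal Trello board from a bulk sync of a work folder to a personal drive.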


3. Lateral Phishing and Cross‑Platform Threats

One of the most dangerous byproducts of polyworking is lateral phishing. Here’s how it works:

  1. An attacker gains access to a polyworker’s credentials via a breached or weakly protected platform.
  2. Using that access, they pivot laterally, jumping from one employer’s environment to another.
  3. Because the victim is a trusted party in both environments, phishing messages, malware, or malicious file shares are more likely to succeed.

Imagine a marketing contractor who works for three companies. If their Google Workspace account is compromised, attackers could:

  • Send phishing emails from a “trusted” source.
  • Share malicious documents via shared drives.
  • Impersonate the contractor on Slack or Teams.

This new attack vector blurs the concept of a “trusted user” and renders traditional identity perimeter controls ineffective.


4. Data Leakage Between Clients or Employers

Without clear policies or robust monitoring, polyworkers may accidentally (or intentionally) transfer sensitive data between jobs.

Examples include:

  • Reusing slide decks or templates that contain embedded metadata.
  • Copy-pasting code snippets across client projects.
  • Taking insights, pricing models, or strategy docs from one company to another.
  • Using one device for multiple jobs, making it easy to sync the wrong folder.

This kind of cross-contamination can breach NDAs, IP laws, and compliance obligations like GDPR, ISO 27001, and HIPAA.


5. Endpoint Sprawl and BYOD Exposure

Polyworkers often rely on their own laptops, phones, and tablets for multiple roles. This exacerbates the Bring Your Own Device (BYOD) challenge.

Why it’s dangerous:

  • No centralised patching or updates, so systems may run outdated OS or software.
  • No EDR or DLP installed, so exfiltration or malware detection is missed.
  • Multiple employers’ tools running concurrently, increasing the attack surface.
  • Remote workers are harder to audit or secure physically.

IT teams cannot secure what they don’t manage. And in the case of polyworking, they may not even know it’s happening.


🧩 The Role of Corporate Culture and Oversight

Many organisations unintentionally foster polyworking by:

  • Offering contract roles with little oversight.
  • Failing to implement workforce identity governance.
  • Neglecting remote worker audits or endpoint health checks.
  • Skipping exit interviews and offboarding procedures for temporary staff.

In some cases, especially in startups or agencies, employers even encourage side-gigs as a sign of hustle or ambition.

But without adequate policies, it opens the door to conflicts of interest, credential sprawl, and compliance violations.


🔒 10 Mitigations to Manage Polyworking Cyber Risk

Organisations can’t always control how employees manage their lives, but they can implement strong controls and governance. Here are 10 mitigation steps:

  1. Update Contracts and Policies
    • Include clauses on exclusive work, disclosure of side-jobs, and data handling expectations.
  2. Mandatory Security Awareness Training
    • Focus on risks of dual employment, lateral phishing, and data segregation.
  3. Identity Governance and Administration (IGA)
    • Use tools to detect identity overlap across cloud platforms and enforce SSO.
  4. Cloud Access Security Brokers (CASBs)
    • Identify and manage Shadow IT by scanning for unsanctioned SaaS use.
  5. Zero Trust Network Access (ZTNA)
    • Enforce device posture checks, time-based access, and strict identity verification.
  6. Endpoint Detection and Response (EDR)
    • Monitor for unusual activity across devices, especially BYOD endpoints.
  7. Strict Offboarding and Role Expiry Controls
    • Auto-expire access for temp staff and conduct exit audits for device and data handover.
  8. Restrict Use of Personal Storage Platforms
    • Block Dropbox, Google Drive, etc. unless sanctioned and monitored.
  9. Enforce Data Classification and DLP Rules
    • Tag sensitive data and alert on unauthorised transfer or duplication.
  10. Regular Risk Assessments and Insider Threat Analysis
    • Don’t just focus on external actors: review user behaviour and access logs frequently.
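Mitigations 3 and 7 (identity governance and role expiry) are the controls that address the fragmented identities described in section 1, and both reduce to a join between what each SaaS directory says and what HR says. The review script below is an added example, not part of the original article and not any IGA product’s logic. It assumes each platform can export its user list (login email, linked recovery email, active flag) and that HR supplies contract end dates; every account, domain and date in it is constructed, and `example.com` stands in for the corporate domain.

```python
"""Identity-overlap and stale-access review across SaaS directories (added example).

Constructed data throughout: the accounts, the HR contract table and the
corporate domain are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "icloud.com", "yahoo.com"}
CORP_DOMAIN = "example.com"  # hypothetical corporate mail domain


@dataclass(frozen=True)
class Account:
    platform: str
    email: str            # login identity on that platform
    recovery_email: str   # linked personal/recovery address, "" if none
    active: bool


# Constructed SaaS directory exports from three platforms.
ACCOUNTS = [
    Account("slack", "alice@example.com", "alice.side@gmail.com", True),
    Account("github", "alice.side@gmail.com", "", True),
    Account("workspace", "alice@example.com", "alice.side@gmail.com", True),
    Account("slack", "bob@example.com", "", True),
    Account("github", "bob@example.com", "bob.dev@outlook.com", True),
    Account("slack", "contractor.carol@example.com", "", True),
    Account("workspace", "dave@example.com", "", False),
    Account("github", "eve@example.com", "", True),
]

# Constructed HR records: corporate email -> contract end date (None = permanent).
HR_CONTRACTS = {
    "alice@example.com": None,
    "bob@example.com": None,
    "contractor.carol@example.com": date(2024, 3, 31),
    "dave@example.com": date(2023, 12, 31),
}


def domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def personal_identity_accounts(accounts):
    """Accounts whose login identity is a personal mailbox, not a corporate one."""
    return [a for a in accounts if domain(a.email) in PERSONAL_DOMAINS]


def expired_but_active(accounts, contracts, today):
    """Active accounts whose HR contract end date has passed: an offboarding gap."""
    return [a for a in accounts
            if a.active and contracts.get(a.email) is not None
            and contracts[a.email] < today]


def orphan_accounts(accounts, contracts):
    """Active corporate-domain accounts with no HR record at all."""
    return [a for a in accounts
            if a.active and domain(a.email) == CORP_DOMAIN and a.email not in contracts]


def identity_clusters(accounts):
    """Personal addresses that tie one person to more than one platform.

    Both the login email and the recovery email act as anchors; a personal
    anchor that spans several platforms is the fragmented-identity pattern.
    Returns {anchor_email: {(platform, login_email), ...}}.
    """
    by_anchor = defaultdict(set)
    for a in accounts:
        for anchor in (a.email, a.recovery_email):
            if anchor:
                by_anchor[anchor.lower()].add((a.platform, a.email))
    return {k: v for k, v in by_anchor.items()
            if domain(k) in PERSONAL_DOMAINS and len({p for p, _ in v}) > 1}


def review(accounts, contracts, today):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "personal_identity": personal_identity_accounts(accounts),
        "expired_active": expired_but_active(accounts, contracts, today),
        "orphans": orphan_accounts(accounts, contracts),
        "clusters": identity_clusters(accounts),
    }


if __name__ == "__main__":
    report = review(ACCOUNTS, HR_CONTRACTS, date(2024, 6, 1))
    for check, items in report.items():
        print(f"== {check} ==")
        if isinstance(items, dict):
            for anchor, members in items.items():
                print(f"  {anchor}: {sorted(members)}")
        else:
            for a in items:
                print(f"  {a.platform}: {a.email}")
```

Each check maps to a control in the list above: personal-mailbox logins and cross-platform clusters are what SSO enforcement removes (mitigation 3), expired-but-active accounts are what auto-expiry should have closed (mitigation 7), and orphans are the accounts no exit audit will ever reach because HR never knew they existed. Run against real exports, the HR table is the authoritative side of the join; a platform export alone cannot tell a contractor who left in March from one still on the books.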

🏁 Conclusion: The CISO’s Dilemma

For CISOs, CTOs, and IT Directors, polyworking is the latest frontier in insider threat management. It’s not inherently malicious; in fact, most polyworkers are simply trying to survive or thrive in a fast-changing economy.

But when side-gigs go unchecked, organisations face very real risks: compromised credentials, data leakage, reputational damage, and regulatory breaches.

By acknowledging the reality of polyworking and implementing practical mitigations, businesses can balance workforce flexibility with operational resilience and avoid becoming the next cautionary tale.


Have you considered how many of your employees are polyworking and what tools they’re using to do it? It’s time to ask the uncomfortable questions before the attackers do.