8th April 2024

Why Legacy and Third-Party SaaS Platform Access Should Be A Greater Cybersecurity Concern For Enterprise

Cybersecurity has become an issue of paramount importance for businesses. But while most enterprise-level organisations are already in control of the primary cybersecurity threats – phishing, malware, ransomware, insider threats, password protection, training, and unsecured networks – one key area is largely overlooked: third-party access to external social channels and ad accounts.

Opening the door to reputational damage, espionage, sabotage, and the misappropriation of funds, poor access permission management can potentially cause irrevocable harm to enterprises, even those with SSO, PAM and IAM platforms in place. So, what’s the problem with legacy and third-party access? Why isn’t it being taken seriously? And what can brands do to improve their access permissions protocols?

Why most enterprises overlook the hidden cybersecurity risk of SaaS platform management

In enterprise-level business, cybersecurity is pretty much a given. Every element is considered, so many will snort at the idea that any kind of hole has been left. However, with SaaS and third-party platform management, it’s easy to overlook something as basic as access management, and there are a number of reasons for this.

Firstly, there is the over-reliance on SSO, PAM, and IAM platforms. Enterprises feel that these platforms deliver almost all-encompassing protection, which leads to a sense of complacency. While SSO and the others work well, they have limitations that make them incompatible with certain platforms. This can lead to oversights in managing platforms that are incompatible or support only limited functionality. There’s also the concern of poor integration of SSO, PAM, and IAM platforms with existing enterprise architecture. For example, identity and risk management can be compromised if the solution does not integrate with threat monitoring solutions.

Then, you have the problem of the sheer volume of external channels and SaaS platforms the average enterprise uses. When it is so difficult to keep track of each individual’s set of logins for each platform, it can be hard to withdraw permission and monitor legacy access. This matters because it can engender real risk for the business.

The risk of legacy account access

Legacy account access can expose a business to a range of threats should the wrong person be permitted to retain access to accounts – even something as basic as being able to continue to post social media ads can be damaging.

Reputational damage is easy to inflict if you can access a brand’s social media accounts. Ex-employees or staff from terminated agencies can pick any number of inflammatory topics – sexism, racism, the trans debate – and carefully craft a post that holds a touch of authenticity. Having worked with the brand, having access to their pitch deck, and understanding their tone and language use, it’s no stretch to create something that sounds genuine while lacing through commentary that is very off-brand. Even when the language is so entirely off-brand as to be offensive, it can still be enough to raise public speculation regarding its authenticity, as was seen with Burger King’s infamous tweet relating to the French and baguettes.

And then you have the issues of espionage – as we saw when a fired Twitter employee released the platform’s source code – and sabotage, where inappropriate access can lead to information theft or service disruption. And with brands placing significant amounts of funds in advertising accounts, the misappropriation of those funds is easily done.

Who is to blame when a cybersecurity event occurs?

Of course, when a cybersecurity event does occur, it inevitably raises the question of accountability. Who gets fired, and who gets fined? Who can you take action against? The person who posted the content may be out of reach unless you seek legal action. But what about the person who granted that employee access and failed to rescind it? What about the manager in charge of day-to-day security protocols? Or the CTO for failing to cover all bases? When a cybersecurity event occurs, it puts everyone in the frame, causing bad feeling, distrust, and a sense of guilt that can lead to resentment and, frequently, the loss of talent, creating far-reaching fall-out. Containing the threat before it causes problems is a far simpler approach.

How enterprise can address the cybersecurity threats carried by external platform access

Access permissions management is difficult simply because there are so many different platforms and login types involved, and many of them force people to use their personal profiles to access ad accounts and pages rather than IT-controlled systems and password vaults. Working with a platform that can provide a clear overview of all of your access permissions and a single point of access to all of your external and SaaS platforms is the only real way for enterprises to stay in control of access.

Third-party and SaaS platforms are viewed as posing less of a cyber threat to businesses. You can’t often access the same degree of customer data or sensitive materials through them as you can a business’ primary operational tech infrastructure. But just because they pose a lesser threat doesn’t mean they can’t be highly damaging. There are a lot of enterprises out there that need to do more to protect themselves.

About the Author: Justin Jon Thorne, co-founder of Hydra, an innovative SaaS platform providing agencies, brands and digital teams effortless monitoring and management of access to external channels. Providing a single access point to – and a complete overview of all access permissions across – the major social channels, analytics platforms, and ad accounts including Google, Meta and LinkedIn – enabling complete monitoring of contemporary and legacy access.


Categories: Articles, Cyber Security




Wealth & Finance International is part of AI Global Media
