Digital Doomsday: Why Your Password-Sharing Habits Are a Ticking Time Bomb for Your Business and Clients

In today’s interconnected business landscape, the sharing of access to digital platforms has become commonplace. From ad accounts to CRM tools, from social media dashboards to financial systems, the digital keys to your business are often distributed among employees and external partners. But this convenience comes at a potentially devastating cost.

Consider this: According to the 2021 Verizon Data Breach Investigations Report, 61% of data breaches involved credentials. This staggering statistic underscores a harsh reality – your company’s greatest digital vulnerability may not be sophisticated hackers, but rather the simple mismanagement of access.

As we delve into the risks and best practices of managing digital access, prepare to confront some uncomfortable truths. The digital security of your business may be far more precarious than you realise.

The Risks: A Stark Reality Check

1. Internal Threats: The Enemy Within

While we’d like to trust all our employees implicitly, the numbers tell a different story. The 2020 Ponemon Institute Cost of Insider Threats Global Report revealed that 62% of insider threat incidents were caused by negligent employees or contractors.

a) The Disgruntled Employee Scenario:

It’s not just a hypothetical. A 2020 Forrester study found that 25% of data breaches were caused by internal incidents. When employees have extensive access to sensitive systems, the potential for intentional harm is real and significant.

b) The Unintentional Threat:

According to the same Ponemon Institute report, the average cost of an insider threat incident due to negligence was $307,111. A simple mistake can have catastrophic consequences.

c) The Oversharing Culture:

In a 2019 survey by Symantec, 53% of employees admitted to taking corporate data when leaving a job. This casual attitude towards company information represents a significant risk.

2. External Threats: The Agency Dilemma

Trusting external agencies with your digital assets introduces a new layer of vulnerability. The 2021 Cybersecurity Workforce Study by (ISC)² found that 64% of surveyed organisations reported a shortage of cybersecurity staff. This shortage extends to agencies, potentially leaving your data in under-qualified hands.

a) The Revolving Door Problem:

With the average employee tenure at digital agencies being just 2-3 years according to the Bureau of Labor Statistics, your access credentials could be known by a constantly changing roster of individuals.

b) The Third-Party Risk:

Accenture’s 2021 State of Cybersecurity Resilience report found that 40% of cybersecurity breaches were indirect, coming through the supply chain. Your agency partners represent a significant link in that chain.

What Companies MUST Know

1. The Principle of Least Privilege:

A 2021 Identity Defined Security Alliance (IDSA) study found that 94% of organisations have experienced an identity-related breach at some point. Implementing least privilege access is no longer optional; it’s a necessity.

2. The Power of Audit Trails:

According to IBM’s 2021 Cost of a Data Breach Report, companies that had security AI and automation fully deployed experienced breach costs of $2.90 million, compared to $6.71 million at organisations without these technologies. Automated audit trails, which record who did what and when on each system, are the raw material that such automation works on, and the first thing an investigator asks for after an incident.

3. The Importance of Off-boarding:

A shocking statistic from OneLogin’s 2017 study revealed that 48% of employees still had access to corporate accounts after leaving their job. This represents a massive, ongoing security risk for many organisations.

4. The Necessity of Robust Agreements:

Beyond just NDAs, comprehensive data protection agreements are crucial. The average cost of a data breach in 2021 was $4.24 million, according to IBM. Proper agreements can help mitigate this risk and provide recourse in case of a breach.

5. The Value of Continuous Education:

According to the 2021 Verizon Data Breach Investigations Report, 85% of breaches involved a human element. Regular, comprehensive security training is your first line of defense.

How to Protect Your Company

1. Implement a Robust Identity and Access Management (IAM) System:

Gartner predicts that 75% of security failures will result from inadequate management of identities, access and privileges. A robust IAM system is no longer a luxury, but a necessity.

2. Use Multi-Factor Authentication (MFA):

Microsoft reports that MFA can block 99.9% of automated account-compromise attacks. If you’re not using MFA, you’re leaving your digital front door wide open. Bear in mind that SMS codes and push prompts can still be phished or approved out of fatigue; where the platform supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, and enforce MFA on shared and agency-held accounts first, since those are the passwords that travel furthest.

3. Regularly Review and Update Access Permissions:

A 2021 study by Varonis found that 33% of employees have more access than necessary to do their jobs. Regular access reviews can significantly reduce this risk.

4. Implement Strong Password Policies:

According to the UK’s National Cyber Security Centre, 23.2 million victim accounts worldwide used 123456 as their password. Enforcing strong, unique passwords is crucial; the NCSC’s own guidance favours a minimum length and a deny-list of known-breached passwords over complexity rules, together with a password manager so that every account can have a different one.

5. Conduct Regular Security Audits:

The Ponemon Institute’s 2020 report found that companies that conducted regular security audits saved an average of $2.46 million in breach costs compared to those that didn’t.
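The five steps above come down to one recurring exercise: knowing who holds which access, and whether they should. The script below is an added example written for this page, not code from the original article or from any vendor product. It runs that review over a constructed roster and access list (the people, systems and dates are hypothetical) and flags accounts still held by people who have left, grants outside what the holder’s role is entitled to, privileged grants without MFA, logins shared by more than one person, and grants unused for 90 days. It also shows the NCSC-style password check from step 4: a minimum length plus a deny-list of known-bad passwords, instead of composition rules.

```python
"""Access review over a constructed roster and access list (hypothetical data)."""
from dataclasses import dataclass
from datetime import date

REVIEW_WINDOW_DAYS = 90            # a grant unused for longer is flagged STALE
PRIVILEGED_ROLES = {"admin", "editor"}


@dataclass(frozen=True)
class Grant:
    account: str      # login on the target system
    system: str       # e.g. "ads", "crm", "bank"
    role: str         # permission level held on that system
    owner: str        # person the account is assigned to
    last_used: date


# Constructed sample data: current staff and the role each one holds.
EMPLOYEES = {"alice": "marketing", "bob": "finance", "carol": "agency"}

# What each role is entitled to, as (system, role) pairs. Anything else is excess.
ROLE_ENTITLEMENTS = {
    "marketing": {("ads", "editor"), ("social", "editor")},
    "finance": {("bank", "viewer"), ("crm", "viewer")},
    "agency": {("ads", "analyst")},
}
MFA_ENROLLED = {"alice"}
TODAY = date(2024, 1, 15)

GRANTS = [
    Grant("alice@corp", "ads", "editor", "alice", date(2024, 1, 10)),
    Grant("alice@corp", "crm", "admin", "alice", date(2023, 8, 1)),    # excess and stale
    Grant("bob@corp", "bank", "viewer", "bob", date(2024, 1, 12)),
    Grant("dave@corp", "ads", "admin", "dave", date(2024, 1, 14)),     # dave has left
    Grant("shared-ads", "ads", "editor", "alice", date(2024, 1, 13)),  # one login,
    Grant("shared-ads", "ads", "editor", "carol", date(2024, 1, 13)),  # two people
]


def review_access(grants, employees, entitlements, mfa_enrolled, today):
    """Return sorted (finding, account, system) tuples for everything needing action."""
    findings = set()
    owners_per_account = {}
    for g in grants:
        owners_per_account.setdefault((g.system, g.account), set()).add(g.owner)
    for g in grants:
        if g.owner not in employees:
            findings.add(("ORPHANED", g.account, g.system))   # off-boarding gap
            continue   # the grant goes; the other checks no longer matter
        allowed = entitlements.get(employees[g.owner], set())
        if (g.system, g.role) not in allowed:
            findings.add(("EXCESS", g.account, g.system))     # least privilege
        if g.role in PRIVILEGED_ROLES and g.owner not in mfa_enrolled:
            findings.add(("NO_MFA", g.account, g.system))
        if (today - g.last_used).days > REVIEW_WINDOW_DAYS:
            findings.add(("STALE", g.account, g.system))
    for (system, account), owners in owners_per_account.items():
        if len(owners) > 1:
            findings.add(("SHARED", account, system))         # no individual accountability
    return sorted(findings)


# Constructed deny-list; a real one is a full list of breached passwords.
DENY_LIST = {"123456", "123456789", "qwerty", "password", "12345678", "111111"}


def password_acceptable(password, min_length=12):
    """Length plus deny-list, as the NCSC recommends, rather than composition rules."""
    return len(password) >= min_length and password.lower() not in DENY_LIST


if __name__ == "__main__":
    for finding in review_access(GRANTS, EMPLOYEES, ROLE_ENTITLEMENTS, MFA_ENROLLED, TODAY):
        print("%-9s %-12s %s" % finding)
    print("123456 acceptable?", password_acceptable("123456"))
```

On the sample data the review reports the departed user’s admin grant, alice’s unused CRM admin role, the agency user’s editor rights on a shared login with no MFA, and the shared login itself. The roster and entitlement tables are the parts that need to be fed from your HR system and IAM tool; the checks themselves do not change.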

Data Compliance and GDPR: Your Responsibility Extends Beyond Your Own Data

In the maze of digital access management, there’s another critical factor that many companies overlook: data compliance, particularly with regard to the General Data Protection Regulation (GDPR) and similar regulations worldwide. It’s not just about protecting your company’s data; you’re also responsible for safeguarding your clients’ data.

The Stakes Are High

The implications of non-compliance are severe. Under GDPR, organisations can face fines of up to €20 million or 4% of their global annual turnover, whichever is higher. These aren’t just theoretical numbers. In 2020, H&M was fined €35.3 million for GDPR violations related to employee data mishandling. When it comes to client data, the stakes are even higher.

Your Clients’ Data is Your Responsibility

When you share access to systems containing client data with employees or third-party agencies, you’re not just risking your own information – you’re potentially exposing your clients to data breaches. This extends your responsibility and liability significantly.

Consider these sobering statistics:

1. According to a 2020 study by Ponemon Institute, only 29% of companies say they are fully compliant with GDPR.

2. The same study found that 47% of organisations experienced a data breach caused by a third party in the past year.

3. DLA Piper’s GDPR Data Breach Survey 2021 reported 281,000 data breach notifications since GDPR came into effect in 2018, with 331 fines issued.

Key Compliance Considerations When Sharing Access

1. Data Processor Agreements:

When sharing access with external agencies or contractors who will process client data on your behalf, you must have a Data Processor Agreement in place. This legally binding document outlines the responsibilities and liabilities of both parties in relation to data processing.

2. Right to be Forgotten:

Under GDPR, individuals have the right to have their personal data erased. When you share access to systems containing client data, you need to ensure that all parties with access can comply with erasure requests promptly.

3. Data Minimisation:

GDPR requires that you only collect and process data that’s necessary for the specific purpose you’ve stated. When granting access, ensure that individuals only have access to the client data they absolutely need.

4. Breach Notification:

GDPR requires that a personal data breach be reported to the supervisory authority within 72 hours of the controller becoming aware of it, where feasible, and that a processor notify the controller without undue delay. When sharing access, you need a clear protocol for breach reporting that all parties understand and can act on quickly, because the 72-hour clock does not wait for an agency to decide whether to tell you.

5. International Data Transfers:

If you’re sharing access with agencies or employees outside the EU, you need to ensure that appropriate safeguards are in place for data transfers. The invalidation of the EU-US Privacy Shield in 2020 has made this even more complex.

Best Practices for GDPR Compliance When Sharing Access

1. Conduct Regular Data Audits:

Know what client data you have, where it’s stored, who has access to it, and why. Regular audits can help you maintain this overview.

2. Implement Access Logs:

Keep detailed logs of who accesses client data and when. This is crucial for both security and compliance reasons.

3. Provide GDPR Training:

Ensure that all employees and third parties with access to client data understand GDPR requirements and their responsibilities.

4. Use Data Pseudonymization and Encryption:

Where possible, pseudonymize or encrypt client data. This can help mitigate the impact of a potential breach.

5. Implement a Data Protection Impact Assessment (DPIA) Process:

Before introducing new processing that is likely to result in a high risk to individuals, including new ways of granting third parties access to client data, conduct a DPIA to identify and minimise data protection risks.
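Items 2 and 4 above fit together: access logs are only useful if they record which client a record belonged to, but a log that carries raw e-mail addresses is itself another copy of personal data to protect. The example below is added for this page and is not code from the original article; the key, names and log lines are constructed. It pseudonymises client identifiers with a keyed hash (HMAC-SHA256) before they go into the log, shows why an unkeyed hash is not a pseudonym (a short guess list recovers it), and shows how the controller, who holds the key, can still find every entry for one data subject when answering an access or erasure request.

```python
"""Keyed pseudonymisation of client identifiers, and access-log lines built on it."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. Keep the real one in a secrets manager, separate from the
# logs: whoever holds it can re-identify every subject in them.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def normalise(identifier):
    """Case and whitespace differences must map to the same pseudonym."""
    return identifier.strip().lower()


def pseudonymise(identifier, key=PSEUDONYM_KEY):
    """HMAC-SHA256 over the normalised identifier: stable per key, unguessable without it."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier):
    """What NOT to use as a pseudonym: anyone can hash candidate addresses and compare."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def dictionary_attack(target, candidates, hasher):
    """Recover an identifier from its hash by trying likely values; None if it fails."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), target):
            return candidate
    return None


def access_log_entry(actor, action, client_identifier, system, when):
    """One JSON line: who did what, on which system, to which (pseudonymised) subject."""
    entry = {
        "ts": when.isoformat(),
        "actor": actor,
        "action": action,
        "system": system,
        "subject": pseudonymise(client_identifier),
    }
    return json.dumps(entry, sort_keys=True)


def entries_for_subject(log_lines, client_identifier, key=PSEUDONYM_KEY):
    """Controller-side lookup for an access or erasure request; needs the key."""
    wanted = pseudonymise(client_identifier, key)
    return [e for e in map(json.loads, log_lines) if e["subject"] == wanted]


# Constructed sample log: three accesses, two of them to the same client.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    access_log_entry("alice", "read", "jane.doe@example.com", "crm", T0),
    access_log_entry("bob", "export", "john.smith@example.com", "crm", T0),
    access_log_entry("agency-user", "read", "Jane.Doe@example.com ", "ads", T0),
]
# An attacker's guess list: a few likely addresses (constructed).
CANDIDATES = ["admin@example.com", "jane.doe@example.com", "john.smith@example.com"]


if __name__ == "__main__":
    target = "jane.doe@example.com"
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_hash(target), CANDIDATES, unkeyed_hash))
    print("keyed pseudonym recovered:",
          dictionary_attack(pseudonymise(target), CANDIDATES, unkeyed_hash))
    for entry in entries_for_subject(SAMPLE_LOG, target):
        print(entry["ts"], entry["actor"], entry["action"], entry["system"])
```

The pseudonym is reversible only by whoever holds the key, so the key must not be shared with the agencies or log-analysis services that read the logs; rotating it also means re-keying older entries if you still need to search them. Encryption of the underlying records is a separate control and is not shown here.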

Remember, when it comes to GDPR and client data, ignorance is not bliss – it’s a liability. By taking proactive steps to ensure compliance when sharing access, you’re not just protecting your clients’ data; you’re safeguarding your business against potentially crippling fines and reputational damage.

In the digital age, being a responsible custodian of your clients’ data is not just good ethics – it’s good business. As you navigate the complexities of access management, always keep in mind that the data you’re protecting isn’t just numbers and letters – it’s the lifeblood of your clients’ businesses and the personal information of individuals who’ve placed their trust in you. Handle with care.

Conclusion:

The digital landscape is fraught with dangers, many of which stem from the simple act of sharing access. As we’ve seen, the statistics paint a sobering picture of the risks businesses face every day. However, with proper awareness, robust systems, and vigilant practices, these risks can be mitigated.

Remember, in the realm of digital security, complacency is the true enemy. Stay informed, stay vigilant, and above all, treat your digital assets with the same level of security you would your physical ones. In this digital age, they may be worth far more.
