Justin Jon Thorne, co-founder of Hydra
Security awareness is nothing new for banks and other financial organisations. It’s been the primary concern pretty much since the industry began. But in recent years, with the evolution of technology, security management has become more diverse and complicated. Threats come from a great many more quarters and take significantly more forms, meaning that it’s no longer merely a question of protecting a customer’s tangible assets; customer data can be just as valuable and is taken just as seriously. Which is why it seems unlikely that any financial institution would have gaps within its security protocols. But when it comes to legacy access to external SaaS and social media platforms, a great many do.
SaaS platforms and financial organisations
SaaS and social media platforms have become an integral part of almost all contemporary businesses, including banks and other financial organisations. They’re used for marketing, technology, and often for admin, and their management is frequently outsourced. For businesses, it provides a low-cost, highly efficient way to manage a whole range of essential tasks, without the complication and expense of developing and maintaining additional inhouse systems. But it also means an additional source of risk.
Understanding the dangers associated with external platform management
In most cases, social media and SaaS platforms are highly secure. Businesses simply wouldn’t use them if they weren’t. However, their weakness lies in the people who use them. Once you grant access permission to an account user, you are trusting them with your data, your reputation, and sometimes, your funds. And this can lead to significant complications if you are not careful over permissions management. Because while no business will hand out any form of account access without due consideration, many are less rigorous when it comes to removing access permissions when a staff member moves on, or an agency contract ends. And this can expose businesses to a whole range of risks, from the embarrassing to the costly.
When Elon Musk infamously sacked a swathe of Twitter employees last year, one of them leaked the platform’s source code before access permissions were removed – something that could have caused no end of damage to the site. As it turned out, it ultimately only resulted in a few red faces and minor reputational damage. But that’s just one of many ways that legacy access permissions can harm the reputation of a business – as Burger King found when an aggrieved employee used some choice language to describe the brand’s French customers. Although clearly off-brand, the robust Tweet generated endless speculation about the company’s culture and policies.
And the risks don’t stop there. Along with sabotage and reputational damage, there is the potential for espionage and the misappropriation of funds. And they can all be easily managed by anyone with account access. Something that is made all the more concerning by the fact that they can also carry additional repercussions through the breaching of regulatory compliance and GDPR, through the failure to adequately protect customer privacy and client data.
Why aren’t banks doing more to manage legacy access permissions
The problem with legacy access permissions is that in most cases, businesses think that they are protected against disruptive or inappropriate behaviour by their existing security protocols. SSO, PAM and IAM platforms are routinely deployed within most financial businesses, but while they work brilliantly within their stated remit, most companies don’t realise that these platforms aren’t compatible with a whole host of SaaS and social media sites. With each platform having its own unique security conventions, many linking back to personal accounts before access can be granted, they can’t be used with password vaults or similar. And that means that account access permissions are not only very hard to remove, but to monitor. In some cases, where an account has been in use for a number of years, businesses may be totally unaware of all of the people who have retained access. And unless they initiate stringent off-boarding policies and auditing, or adopt a platform that can provide a holistic overview of third-party account access, with a single point of entry for all users, where access permissions can be granted or rescinded quickly and easily, that’s going to continue to be the case. Raising questions not only of security, but compliance and accountability.
Who is responsible when legacy access causes problems?
At a time when accountability is everything, someone always has to carry the blame when things go wrong. But with legacy access, there’s no clear-cut answer as to who that may be. It could be the account manager, the agency, the team leader, or the department head. But it also comes down to the Chief Technical Officer, even if they weren’t in the role when the person causing trouble parted ways with the organisation. Because if you fail to provide the correct tools and the operational practices for managers to oversee all aspects of outsourcing, to take a clear overview of who has access to what and when, you can’t expect the people lower down the food chain to manage those actions for you.
Access permissions for third party and SaaS platform management have never been considered as overly important because they don’t link in to the integral inhouse systems used by banks and other financial institutions, and they can’t access the most important data. But if the wrong person with the wrong permissions decides that they have a grudge to settle, the damage can be legendary, damaging reputation and customer trust while incurring financial losses. And with that being the case, it may be time for financial organisations to start taking third party legacy access a little more seriously.
About the Author: Justin Jon Thorne, co-founder of Hydra, an innovative SaaS platform providing agencies, brands and digital teams effortless monitoring and management of access to external channels. Providing a single access point to – and a complete overview of all access permissions across – the major social channels, analytics platforms, and ad accounts including Google, Meta and LinkedIn – enabling complete monitoring of contemporary and legacy access.
