Agencies and accountability: do you have permission?

By Justin Jon Thorne, co-founder of Hydra

If you’ve ever worked in a marketing or tech services agency, you’ll inevitably have a story about how you were still able to access some high-profile client’s data years after they left your books. Whether it was analytics, ads, social channels, or all three, you would have been able to dip into them at will… Not that you ever would, of course. You’re too ethical for that. But you could have if you’d wanted. And while it’s a good conversation starter at the pub, it does raise the question of agency accountability. 

Agencies are in a position of trust. They have access to accounts, data, and funds, all of which can be abused. And while businesses should, perhaps, take more precautions to ensure that all account access is rescinded once a contract has reached its end, it’s not always easy to do that completely, and there’s an argument to be made that agencies have their own part to play in that process. 

Agencies and the problem of digital access permission 

If you run an agency of any kind, you are likely already aware of the risk that comes from poor management of digital permissions. The reputation of your business relies upon your ability to keep your clients’ data safe, so if you fail to properly manage the digital permissions of your clients you not only risk sensitive data breaches, espionage, sabotage, and theft for them, but reputational damage for both you and the client. So, it stands to reason that if one of your staff members leaks an ex-client’s data, or posts something entirely inappropriate on their social media pages, your agency must be held at least partially accountable for having failed to ensure a clean handover and removal of permissions.

Why the management of digital permissions has become such an issue

The difficulty with digital permissions is that there are so many external channels and social and ad platforms now in use, and they all have different login protocols. So not only is it challenging to keep track of each different login, it can also be hard to withdraw permission and keep track of legacy access. While some accounts can be used with a password vault, others, such as Facebook, require each user to log in via their personal account, which can make access extremely difficult for businesses to manage.

Added to that, there is the over-reliance on SSO (single sign-on), PAM (privileged access management) and IAM (identity and access management) platforms. While they have an important role to play in digital security, and do their jobs extremely well, they can create a sense of complacency because it’s not always clear that they have limitations, including incompatibility with certain platforms. That means any business solely reliant on SSO or any of the others may come unpleasantly unstuck.

How digital access permissions can be more easily managed

The better management of digital permissions is a concern for both brands and agencies. While businesses have their own housekeeping to put in order, they should be able to trust the agencies they work with, even after the business relationship has ended. This means that the handover process at the termination of a contract period must be watertight. And while most agencies do have an agreed handover process, it’s easy to overlook individual access to specific accounts when such a diversity of platforms and logins is deployed.

Until recently, there has been no easy way to get around this. But a platform that provides a single point of entry to all applications for users, and a simple management overview of all permitted users for the account owner, can work to reduce the risk. This can be applied by the business outsourcing the work, enabling them to cleanly cut off access to users once an agency contract has been terminated. But it can be used equally well by the agency taking responsibility for a client’s third-party platforms, not only allowing for a clean handover process, but ensuring that they cannot be held accountable for any future security breaches. 

Who is accountable when security events occur?

When it comes down to it, businesses must be their own masters. But the role agencies play in protecting their clients is also integral. By working to remove legacy access from employees when a client moves on, agencies are not only protecting their clients, but protecting their own business and their own reputation. And initiating a process which ensures that no member of staff – current or previous – retains legacy access to client accounts has to be a core priority. 

There are so many digital security issues to focus on at the moment: cyber attacks are increasing, and businesses of all types are doing everything they can to keep their data and customers protected. Legacy access needs to be a part of that focus. And it is the responsibility of both businesses and the agencies they work with to ensure that that is the case.