At Pensar, we've written a lot about getting secure for your clients. We even built a checklist to help marketing agencies win in bid processes with a solid cyber security strategy. This time, however, we thought we'd play devil's advocate and look at the other side of the coin. Should agencies make clients do cyber security training? More often than not, when a cyber attack or data breach hits a business, there's a domino effect where an entire network is affected:
- 70 percent of all attacks (where the motive is known) have a secondary victim, according to Verizon; and
- 63 percent of all data breaches are linked (directly or indirectly) to third-party access, Soha Systems found.
When you look at the stats, it's worth thinking about partner-to-partner cyber security and security along your supply chain - which includes vendors, service providers and clients.
Client security risks
While there are articles all over the web urging companies to watch their suppliers and service providers, there's little advice for marketing agencies about the risks their clients pose. In reality, it's all the same thing.
Marketing agencies - especially digital agencies - often share huge amounts of valuable, sensitive information with clients on a daily basis. You're handing over lots of customer data and intellectual property, not to mention contracts and billing information. If you use open book project management, you might even give clients direct access to your sensitive data.
But in August this year, the BBC reported more than two thirds of UK business directors aren't trained to respond to cyber attacks. In the 2017 CyberEdge global report, 90 percent of firms said low staff awareness is the biggest obstacle to secure practice. It's no surprise then that human error is the top cause of IT security incidents.
In this sense, clients pose the same risks as any other business partner or, depending on how much access they have, the same risks as an insider. If there's a disconnect between your security practices and theirs, and clients are unaware of threats, then your business is at risk.
Key things to be aware of
If cyber security starts with people, then strategy starts with training. All businesses should build a culture of cyber security. This will keep them protected in the long run, and enable compliance with new regulations like the GDPR. Here are the key things to look for when thinking about client security training:
- Data storage and handling. You might collect customer data on a single, secure marketing platform like HubSpot. But if clients request data from you in, say, an Excel spreadsheet, is it stored and handled securely once it leaves your business?
- Data sharing. Similarly, how do your clients share their data with you? Do they use a secure cloud service like Dropbox and send you a link? Or do they send data via email? If they use email, make sure they have an added layer of protection - ask about the encryption services they use.
- Remote working and BYOD policies. If companies have bring-your-own-device (BYOD) policies, how is data protected? Are devices properly managed? Have employees been educated on risks beyond the office walls? Do they know how to determine if the network they're about to use is secure?
- Password practices and hacker awareness. 76 percent of UK office workers don’t know what ransomware is, and 36 percent can’t define a phishing scam, according to an ISACA survey. You may have access to client social media accounts - are passwords strong?
- IT application approval. Only eight percent of businesses would know if employees were using 'shadow' IT. If a company's tech and processes are slowing people down, they'll find workaround applications which could be insecure. All it takes is one of your clients' employees to download a dodgy app...
- Access and permissions. Your project management software might give you permissions-based access, where only authorised people can see tasks, leads, customer data and profiling etc. But what about your clients? If employee and privileged account access isn't controlled and role-based, the risk of a security incident is higher.
- Employee exit strategy. With regards to data, businesses need a plan of action if an employee leaves. Does the company have a process to revoke access and shut down accounts? If an employee leaves disgruntled they could cause some serious damage if they still have access to systems.
While you don't want to interrogate or be rude to clients, it's important that you ask the questions about their cyber security practices. If those practices are insecure, it's unlikely to be deliberate, and they will probably thank you for pointing it out.
Why it's not always a good idea to make clients get better training
Each business has the potential to make another vulnerable, so we all owe it to each other to have proper strategy and defense in place. But if you feel a client needs to up their security practices, demanding better training might not be the answer.
If it's a prospective client, you might end up on the wrong foot. And if it's an existing long-term partner, the conversation is always tricky, and you could risk ruining business relationships. Clients may push back and see the training as outside of or unrelated to contractual agreements. Or they might genuinely be upset and think you don't trust them.
Besides, even if you did get them to do a course, as a standalone solution these often lack depth and the human element. People tend to view security as a 'tick box' exercise in this context, and will quickly go back to old ways even with a certificate. If you want cyber security to stick, you need to extend your internal practices to your clients and work as a team.
A culture of cyber security: opening up the dialogue
In a report by the Ponemon Institute, researchers found that many companies are still uncertain about whether their third parties have experienced a data breach, or what their security practices are like. But it shouldn't be this way. Businesses should be openly sharing knowledge with each other about cyber security to protect themselves, and each other.
If you're concerned about your clients' practices, the best way around is to start up an honest, collaborative dialogue about it. You're both on the same team, after all!