According to the Verizon 2022 Data breach investigations report, stolen, reused, and weak passwords remain a leading cause of security breaches. Many of these breaches could have been prevented by enabling 2-factor authentication.
Two-thirds of all corporate breaches are from applications deployed outside of IT (Gartner).
One issue with applications typically deployed outside of IT is that they don’t support security standards like SAML or SCIM. These standards are required to integrate corporate applications with single sign-on (SSO). SSO automates these tasks so that security teams don’t need to trust that their employees are doing the right thing, they can verify.
On episode #155 of the Identity at the Center Podcast, I became aware of Jeff Stedman and Jim MacDonald's quest to solve the challenge of managing access to corporate social media accounts. A listener named Andrew asks “Are social media accounts in the scope of IAM the caller said yes, but his management disagrees”?” Jeff Steadman and Jim MacDonald say no if you are a small company and yes if you are a major brand. I addition to company size cyber professionals should consider whether or not your organization uses paid advertising on social accounts. In addition GRC teams should ask, how many people have access to social media and shared accounts, and does access include 3rd parties? Jeff and Jim discussed why including social media in IAM programs is difficult and why many organizations don’t have social media integrated with single sign-on.
I joined Jeff and Jim on episode 173 of the Podcast to share my expertise in managing access to corporate social media accounts. I talked about the value of corporate single sign-on and why security professionals need to make the secure thing the easy thing. We discussed the two primary access methods for social media accounts. We also cried about social media hacks at Disney and FastShop as well as at an unnamed company that suffered 100M in ad spend fraud. For small companies, I recommended Matt Chiodi’s social media access checklist. For large companies, I discussed how Cerby is creating APIs where they did not exist by using RPA (Robotic Process Automation). This allows social media and other applications with shared passwords to be integrated with corporate single sign-on.