How consultancy firms can minimise their cyber risks

Consulting firms hold stacks of valuable data, ranging from highly confidential client data, to data on internal finances

Consulting firms hold stacks of valuable data, ranging from highly confidential client data, to data on internal finances and employees and proprietary thought leadership. Following a number of high-profile hacks in the consulting industry, consultancies are ramping up their own cyber defences. Ben Bulpett, a Director at SailPoint, provides his view on what firms can do to minimise cyber risks.

A data breach can strike a consultancy firm at any time. Whether it is sensitive information the firm must protect to deliver its client services, records it must keep to meet industry or government regulation, or customer audit data, that data must be safeguarded and access to it controlled. The fallout of a breach in which protected data is exposed or stolen can be catastrophic.

Data breaches can involve the theft of intellectual property, the disclosure of customers’ personally identifiable information, the theft of customer financial information, healthcare data and more. The cost of a data breach to an enterprise is high, and it is growing. SailPoint’s research shows that the average cost of just dealing with a breach is almost £700,000 per company, per breach, excluding any fines that may be incurred.

No industry or business is immune to cyber threats and the security breaches that follow. Data breaches often require public notification to customers, partners, vendors, shareholders and government agencies, all of which causes significant reputational damage.

How consultancy firms can minimise cyber risks

“Prevention, detection and response” is the battle cry of cybersecurity experts everywhere, and identity touches each of those core tactics in avoiding a data breach. By giving users the right access to the right data at the right time, you prevent the data from being a free-for-all in the first place. Being able to see user behaviour and identify in real time when something isn’t right makes detection that much quicker. And being able to lock down compromised accounts in a critical situation such as a breach means you can respond swiftly. I am afraid to say: it’s not ‘if’ but ‘when’ you’ll be breached. It’s how you prepare and respond that counts.

Identity governance provides visibility into, and control over, all of your users, applications and data across the enterprise, answering three critical questions: who has access to what? Who should have access to what? And what is being done with that access?

By putting identity at the centre of security and IT operations, consulting firms can better mitigate the risk of a breach and protect the information they need to succeed, by governing all three: data, users and applications.

Cyber tips for consultancy firms

The challenge for consultancy firms is clear: how to maximise employee productivity and maintain a competitive edge in the market while keeping visibility across a fast-moving organisation in which client expectations of security and confidentiality are extremely high. There are four steps every organisation should take to mature its identity program and better secure corporate resources:

1. Perform a full audit on identities’ access to systems, applications and data across the entire enterprise.

  • This means identifying weak spots in visibility over users’ access to any corporate resource, and establishing where the baseline is today compared with the program’s ideal state.
  • Determine how well each part of the security environment is connected. Every system and resource should be connected to your identity governance solution, because access the solution cannot see is access it cannot govern.

2. Ensure all the identity processes that can be automated, are automated.

  • When users join, move within or leave the company, access should be provisioned or deprovisioned immediately and checked against policy so that only the minimum access required for their current role is granted.
  • Enable self-service, where appropriate under your security policies, for services such as password resets and access requests.
  • Build a business-friendly channel through which users can request new applications, making it as easy as buying from Amazon.

3. Get control over data.

  • The first step is to find and classify all data within the enterprise, both structured and unstructured. A tool that can automatically discover data of both kinds will be extremely beneficial.
  • That same tool should also classify the data and score it by risk, marking certain files or repositories as sensitive.
  • Elect owners for all data by asking business users to vote collaboratively on who should own it. More than likely the most prolific user will not be the one chosen; instead it will be someone in a supervisory or project management role.

4. Regularly review and alter, if necessary, each aspect of the identity program.

  • This means more than setting processes such as re-certification on a fixed schedule. It also means taking a step back to gauge what impact the identity program is having on the business, and revisiting the ideal state defined when the program was first implemented. Ensure your identity program is an enabler for change and supports your digital transformation journey.
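As an added example, not part of the original article and not SailPoint's product or code: the first two steps above, auditing who has access against who should have it and then actioning joiner, mover and leaver changes, expressed as a small reconciliation script in Python. The role policy, identities, entitlement names (written as "system:resource") and the system inventory are constructed sample data for illustration, not real systems.

```python
"""Identity governance reconciliation, added example (not SailPoint's code).

Compares the access each account actually holds (pulled from connected
systems) with what its role allows, flags leavers and orphaned accounts,
reports systems that are not feeding the review, and plans the grant/revoke
changes needed for joiner, mover and leaver events.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role policy: the entitlements each job role may hold. Role names and
# entitlement names are assumptions for this example.
ROLE_POLICY: Dict[str, Set[str]] = {
    "consultant": {"vpn:remote", "sharepoint:client-projects", "hr:timesheets"},
    "finance":    {"vpn:remote", "erp:ledger", "hr:timesheets"},
    "partner":    {"vpn:remote", "sharepoint:client-projects", "erp:ledger", "hr:timesheets"},
}


@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    status: str  # "active" or "leaver", as reported by the HR feed


@dataclass
class Findings:
    orphaned: Dict[str, Set[str]] = field(default_factory=dict)             # account with no HR identity
    leavers_with_access: Dict[str, Set[str]] = field(default_factory=dict)  # deprovisioning failed
    excess: Dict[str, Set[str]] = field(default_factory=dict)               # beyond role policy
    disconnected_systems: Set[str] = field(default_factory=set)             # not reporting to the review


def reconcile(identities: List[Identity],
              observed: Dict[str, Set[str]],
              system_inventory: Set[str]) -> Findings:
    """Step 1: who has access to what, versus who should."""
    f = Findings()
    by_user = {i.user: i for i in identities}
    for user, ents in observed.items():
        ident = by_user.get(user)
        if ident is None:
            f.orphaned[user] = set(ents)
        elif ident.status == "leaver" and ents:
            f.leavers_with_access[user] = set(ents)
        elif ident.status == "active":
            extra = ents - ROLE_POLICY.get(ident.role, set())
            if extra:
                f.excess[user] = extra
    # A system in the inventory that reports no entitlements at all is not
    # connected to the review, so nothing it holds is being governed.
    reporting = {e.split(":", 1)[0] for ents in observed.values() for e in ents}
    f.disconnected_systems = system_inventory - reporting
    return f


def plan_changes(ident: Identity, current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Step 2: joiner/mover/leaver handling. Returns (grant, revoke) so the
    account ends up with exactly its role's entitlements, or none for a leaver."""
    target = set() if ident.status == "leaver" else ROLE_POLICY.get(ident.role, set())
    return target - current, current - target


# Constructed sample data: an HR feed and the entitlements observed in each system.
IDENTITIES = [
    Identity("alice", "consultant", "active"),
    Identity("bob", "finance", "active"),      # moved from consultant to finance
    Identity("carol", "consultant", "leaver"),  # left the firm
    Identity("dave", "partner", "active"),
]
OBSERVED: Dict[str, Set[str]] = {
    "alice": {"vpn:remote", "sharepoint:client-projects", "hr:timesheets"},
    "bob": {"vpn:remote", "erp:ledger", "hr:timesheets", "sharepoint:client-projects"},
    "carol": {"vpn:remote", "sharepoint:client-projects"},
    "dave": {"vpn:remote", "erp:ledger", "sharepoint:client-projects", "hr:timesheets"},
    "svc-legacy": {"erp:ledger"},  # no HR record behind this account
}
SYSTEM_INVENTORY = {"vpn", "sharepoint", "erp", "hr", "git"}  # git never connected


if __name__ == "__main__":
    findings = reconcile(IDENTITIES, OBSERVED, SYSTEM_INVENTORY)
    print("orphaned accounts:", findings.orphaned)
    print("leavers still holding access:", findings.leavers_with_access)
    print("access beyond role policy:", findings.excess)
    print("systems not feeding the review:", findings.disconnected_systems)
    for ident in IDENTITIES:
        grant, revoke = plan_changes(ident, OBSERVED.get(ident.user, set()))
        if grant or revoke:
            print(f"{ident.user}: grant {sorted(grant)}, revoke {sorted(revoke)}")
```

The findings map directly onto the questions in the article: orphaned and leaver accounts are "who has access" with no valid "who should"; excess entitlements are the mover case where old access was never removed; and the disconnected system is the gap step 1 asks you to find before anything else can be governed. In a real deployment the observed entitlements would be collected from each system's connector rather than typed in, and the planned changes would be pushed back through those connectors.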