A modern creative agency is built like nothing IT was designed to secure. Permanent staff sit alongside a rotating pool of freelancers who arrive on Monday, work on a Heineken brief, and disappear by Friday. Pre-launch assets sit in Figma libraries shared with photographers in Amsterdam, copywriters in Lisbon and motion designers in Berlin. Enterprise clients now send security questionnaires before they will sign a retainer. This is no longer a creative office with some laptops. It is a federated network of identities, devices and SaaS tools where every onboarding decision has a security consequence.
What cybersecurity do marketing agencies need in 2026?
Marketing and creative agencies need identity-based access controls that match the speed of freelancer onboarding, web protection across more than 100 SaaS tools, agentless device controls for unmanaged Mac workstations, and a single console that produces audit evidence for client and NIS2 reviews. Platforms like Jimber deliver this through a unified SASE architecture: Zero Trust Network Access for per-project client access, Secure Web Gateway for SaaS visibility, and NIAC hardware for agency-managed creative workstations. The goal is enabling fast onboarding, not gatekeeping the freelancer model the business depends on.
The data agencies actually handle, and why it matters
The economic value of an agency’s data is concentrated in the period before publication. After the campaign launches, a hero film is just media. Two months before launch, that same file is information that competitors, journalists and short-sellers will pay for.
A typical 80-person creative agency holds at least six categories of high-value information at any moment. Client briefings under NDA contain unannounced product roadmaps, repositioning strategies and merger storylines. Pre-launch creative assets include hero films, packaging designs and campaign keylines that move share prices when leaked. First-party campaign data covers consumer profiles, retargeting lists and CRM exports protected by GDPR. Financial client information appears in scope-of-work documents, retainer terms and budget allocations. Social media credentials provide direct access to brand accounts with millions of followers. Brand identity assets, including unreleased logos and visual systems, define competitive positioning for years.
Each category has a different attacker profile. A pre-IPO marketing strategy interests short-sellers. A celebrity endorsement keyline interests tabloid journalists. A social media credential gives one attacker control of a brand voice that took a decade to build. The agency does not just store sensitive data. It stores sensitive data with multiple independent monetisation paths.
How agency cyber attacks happen
Attackers follow the path of least resistance, and that path increasingly leads through the agency rather than its enterprise client. A Fortune 500 with a hardened SOC is not the target. The boutique creative shop with privileged access to that Fortune 500’s marketing platforms is. This is the supply chain effect that NIS2 Article 21.2.d is designed to address. Jimber’s analysis of supply chain risk in logistics covers similar dynamics in adjacent sectors.
Four attack patterns dominate the recent record. Phishing remains the dominant entry vector, with messages disguised as client briefings, freelancer invoices, or platform notifications. The April 2025 ransomware incident at Marks & Spencer began with social engineering of an external contractor who handled the retailer’s account, and the cost ran into hundreds of millions. Supply chain compromise via shared client platforms is the second pattern: an attacker who reaches the agency’s Sprout Social or HubSpot tenant inherits access to every client account managed there. Ransomware on creative file servers is the third, hitting agencies particularly hard because hi-res source files are irreplaceable. The fourth pattern is exploitation of third-party integrations, where attackers use compromised plugins or asset-storage tools that the agency adopted without IT review.
The 2025 wave of WinRAR exploitation shows how mundane the entry point can be. Agencies exchange compressed asset folders dozens of times per day with freelancers and external suppliers. A single weaponised archive in that flow reaches every endpoint that opens it.
The freelancer-economy security challenge
The freelancer model is not a security weakness to mitigate. It is the operating model of the modern agency. Roughly two-thirds of creative output now comes from freelancers, and 68% of agencies hire freelancers regularly, up from 48% in 2020. Any security approach that treats this workforce as a problem to control will be rejected by the business or worked around within a week. For the broader hybrid and freelance access pattern, see Jimber’s remote work security use case.
The real challenge is operational, not philosophical. Three constraints make freelancer security genuinely hard.
The first is BYOD as the default. Freelancers work on their own equipment, almost always Macs, and they will not install a corporate MDM agent on a personal device they also use for other clients. Traditional endpoint management is structurally impossible. The second is access lifecycle mismatch. Freelancer engagements last weeks, not years, but most identity systems were designed around employee tenure measured in years. Manually provisioning accounts in Figma, the brand asset DAM, the project management tool, the client’s review platform, the social media tool and the time-tracking system, then revoking each one when the project ends, is the kind of work that gets skipped. Credential sprawl is the result: ex-freelancers retain access for months. The third is the rise of shadow AI. Sixty-one percent of Gen Z freelancers actively use generative AI tools to accelerate their work, often pasting client briefings into models the agency has never approved.
The objective is to make secure onboarding faster than insecure onboarding. If an IT manager can grant a new freelancer scoped access to a single Figma file and a single Slack channel in five minutes, with automatic revocation on the project end date, the security model and the business model align. If it takes thirty minutes and three approvals, the security model loses every time. This is what identity-based access through ZTNA actually delivers, and why it matters more in agencies than almost anywhere else. For a deeper view of how this works architecturally, see Jimber’s SASE architecture explained guide.
The compliance pressure on agencies in 2026
Agencies are no longer outside the compliance perimeter. Three forces have changed that, all now visible in incoming RFPs and contract amendments. Professional services firms face similar pressures, as covered in Jimber’s analysis of SASE for legal and accounting firms, though the operating model and tool stack differ from creative agencies.
NIS2 reaches agencies through two paths. Direct application under Annex II covers managers of business services that meet the size thresholds: 50 or more employees, or annual turnover above ten million euros. Many mid-market agencies meet this test on the first criterion alone. Indirect application is more common: agencies serving clients in NIS2-regulated sectors are increasingly classified as critical suppliers under Article 21.2.d, which requires regulated clients to assess the cybersecurity practices of their supply chain. The Belgian deadline of 18 April 2026 for CyberFundamentals verification has now passed, and Dutch enforcement under the Cyberbeveiligingswet is in effect.
GDPR continues to apply to all the marketing data agencies process: CRM exports, retargeting lists, customer journey analytics. Consent boundaries are tightening, and supervisory authorities have become more active on the question of where data is processed and under whose jurisdiction.
The most operational pressure comes from clients themselves. Enterprise procurement teams now embed security questionnaires in pitch documents. ISO 27001 certification is often a prerequisite to bid. SOC 2 Type II reports are requested for any agency handling consumer data. Annual supply chain audits include direct reviews of access controls, encryption, and incident response. An agency that cannot answer “who had access to our brief, when, and from which device” loses the account before the creative work is even reviewed. For the Belgian context specifically, Jimber’s NIS2 compliance checklist covers what auditors expect to see.
The SaaS tool reality and where security gaps live
The average mid-sized organisation now uses around 100 distinct SaaS applications. Agencies sit at the high end of this range because every department has its own stack. Account management uses one set of tools, creative uses another, social media uses a third, and freelancers add their own.
A representative agency stack illustrates the surface area. Adobe Creative Cloud and Figma anchor the design layer, with file sharing happening through both platforms and through Dropbox, WeTransfer and Box. Project management runs on Monday.com, Asana, ClickUp or Notion. Social media management uses Sprout Social, Hootsuite or Later. Client review and approval happens in Frame.io or Ziflow. Time tracking, expense management, freelancer payments and contract signing each sit in their own SaaS tool.
Three security gaps recur across this stack. First, identity fragmentation: most freelancers are invited to each tool individually using their personal email, which means access cannot be centrally revoked when a project ends. Second, file egress: hi-res assets, raw video footage, and full client briefs flow out to personal cloud storage every day, often for legitimate workflow reasons. Third, shadow AI: generative AI tools have spread faster than IT review processes, and a freelancer pasting an embargoed brief into ChatGPT to accelerate ideation is now the default behaviour, not the exception. A unified policy layer that follows users across these tools is the only realistic answer.
Why traditional approaches no longer work
Most agencies are still running a security stack designed for a 2015 office. The pieces work in isolation but fail in combination once the workforce becomes hybrid and freelance.
Legacy VPNs broke first. A senior video editor pulling 100 GB of raw footage through a VPN concentrator at the agency’s main office produces support tickets every single day. Latency, throughput and stability all degrade. Worse, the VPN places remote users on a flat network where, once authenticated, they can see far more than their project requires. This violates least privilege, and auditors notice.
Per-tool credential management collapses at the freelancer scale. Some agencies use shared logins protected by a password manager, which works until someone forgets to rotate the credential after a freelancer leaves and the password lives in their personal vault for the next year.
Endpoint management cannot solve BYOD. Agencies that try to enforce MDM on freelancer devices either lose access to the freelancer pool or get worked around with personal accounts. Neither outcome is acceptable. The honest answer is that the device is not the boundary. The application is. Defining the boundary at the application layer is what unified SASE platforms enable. Jimber’s analysis of tool sprawl and the Frankenstack effect covers why consolidation reduces operational risk for small IT teams.
How SASE solves the agency security challenge
A SASE platform addresses the agency stack at five distinct layers, each tied to a specific operational pain point.
ZTNA delivers per-project client access. A freelance copywriter joining a three-month engagement on Client X’s account gets access to one Figma project, one Slack channel and one Google Drive folder. They never see the rest of the agency’s environment. When the engagement ends, access automatically expires on the contract end date. This is the architecture behind Jimber’s zero trust security model, built on the Zero Trust Network Access principle of identity-first verification.
Secure Web Gateway and CASB give the IT manager visibility across the SaaS stack without trying to deploy agents on freelancer devices. Cloud application discovery surfaces the shadow IT and shadow AI tools the agency was unaware of. Data loss prevention rules can prevent embargoed creative assets from being uploaded to unsanctioned destinations. Acceptable use policies follow the user across networks rather than living on the office Wi-Fi.
NIAC hardware closes the agentless gap on agency-managed equipment. Shared Mac labs for finishing and post-production, network-attached storage with raw footage archives, multi-function printers, and meeting room AV systems all sit on the same flat network as workstations in many agencies. Inline isolation places these devices behind identity-aware controls that allow only explicitly defined traffic flows. The network isolation component covers what this looks like in practice.
Centralised logging produces the audit trail that clients and regulators now require. When a Fortune 500 client asks for evidence of who accessed their brief, when, and from which device, the answer comes from one console rather than twelve. This is the operational difference that makes NIS2 supply chain conformity practical for agencies with one IT manager and an external service partner.
Identity-aware fast onboarding and offboarding holds it all together. Adding a freelancer becomes one workflow that provisions access across every approved tool, with automatic revocation tied to the engagement end date. Removing one becomes equally automatic. Manual provisioning never recovers from the freelancer scale.
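As an added illustration, not Jimber’s code or API, the Python below models the engagement template behind the per-project ZTNA access, the audit trail and the onboarding/offboarding workflow described above: a freelancer identity bound to exactly the resources one project needs, a hard end date after which access is denied with no admin action, and one audit record per decision so the client question “who accessed our brief, when, and from which device” can be answered from the log. The identities, resource identifiers, device id and dates are constructed sample values.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Engagement:
    """Engagement template (constructed model): one identity, exact resources, hard end date."""
    principal: str
    client: str
    resources: frozenset
    starts: datetime
    ends: datetime

Decision = namedtuple("Decision", "allowed reason")

class PolicyEngine:
    def __init__(self, engagements):
        self.engagements = list(engagements)
        self.audit_log = []  # one record per decision, allow or deny

    def evaluate(self, principal, resource, device_id, now):
        decision = self._decide(principal, resource, now)
        self.audit_log.append({"ts": now.isoformat(), "principal": principal,
                               "resource": resource, "device": device_id,
                               "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _decide(self, principal, resource, now):
        for e in self.engagements:  # default deny: only an explicit engagement grants access
            if e.principal != principal or resource not in e.resources:
                continue
            if now < e.starts:
                return Decision(False, "engagement not yet started")
            if now >= e.ends:
                return Decision(False, "engagement expired")  # revocation needs no admin action
            return Decision(True, f"scoped to {e.client}")
        return Decision(False, "no engagement grants this resource")

    def who_accessed(self, resource):
        """Client audit question: who reached this resource, when, from which device."""
        return [(r["ts"], r["principal"], r["device"])
                for r in self.audit_log if r["resource"] == resource and r["allowed"]]

UTC = timezone.utc
ENGAGEMENTS = [  # constructed sample: a three-month copywriting engagement on Client X
    Engagement("copywriter@example.net", "Client X",
               frozenset({"figma:clientx-spring", "slack:#clientx", "gdrive:clientx-brief"}),
               datetime(2026, 3, 2, tzinfo=UTC), datetime(2026, 6, 1, tzinfo=UTC)),
]

def demo():
    """Same freelancer and device, three requests: in scope, out of scope, after the end date."""
    engine = PolicyEngine(ENGAGEMENTS)
    who, dev = "copywriter@example.net", "macbook-7f3a"
    during, after = datetime(2026, 4, 15, 10, 0, tzinfo=UTC), datetime(2026, 6, 1, tzinfo=UTC)
    results = (engine.evaluate(who, "gdrive:clientx-brief", dev, during).allowed,
               engine.evaluate(who, "gdrive:clienty-brief", dev, during).allowed,
               engine.evaluate(who, "gdrive:clientx-brief", dev, after).allowed)
    return engine, results  # results == (True, False, False)
```

The denied requests are logged as well as the allowed one, which is what an auditor reviewing supply chain access controls will want to see alongside the successful accesses.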
European data residency closes the jurisdictional question. Agencies serving regulated EU clients increasingly cannot use US-headquartered security platforms, because the CLOUD Act creates a documented supply chain risk under NIS2 Article 21.2.d. A platform with EU-only data processing eliminates that conversation before it starts. For agencies that work with an external IT partner, the multi-tenant architecture matters as much as the technology itself.
A realistic 30-day rollout for an 80-person agency
The deployment that follows is a working pattern, not a vendor promise. It assumes an 80-person agency with around 40 active freelancers, a typical SaaS stack, and an external service partner doing most of the implementation work.
| Week | Focus | Activities |
|---|---|---|
| Week 1 | Discovery and identity | Inventory current SaaS tools and active freelancer accounts. Connect identity provider (Google Workspace or Microsoft Entra ID). Map permanent staff to role-based groups. Define freelancer engagement template. |
| Week 2 | ZTNA pilot | Replace VPN for one client account team (e.g. the team handling the largest enterprise client). Publish three to five applications through ZTNA. Validate performance for hi-res file workflows. |
| Week 3 | SaaS visibility and DLP | Activate cloud application discovery. Surface the shadow IT inventory. Define data loss prevention rules for client NDA documents and embargoed creative assets. |
| Week 4 | Freelancer rollout and NIAC | Onboard new freelancers through the unified workflow. Deploy NIAC hardware in front of shared creative workstations and the post-production NAS. Decommission the legacy VPN. Train account leads on the new freelancer onboarding flow. |
Two practical observations apply to this kind of rollout. First, the freelancer onboarding workflow is the single most important deliverable. If it is not faster and easier than the old process, adoption fails. Second, decommissioning the VPN within thirty days is not optional. Running both systems indefinitely is a common failure mode that erodes the cost case and confuses the access policy. Set the sunset date at the start of the project and hold to it. For a more detailed view of phased deployment, see Jimber’s SASE implementation timeline.
Frequently asked questions
Does NIS2 apply to marketing and creative agencies?
NIS2 reaches agencies through two paths. The first is direct application: agencies with 50 or more employees, or annual turnover above ten million euros, fall under Annex II as managers of business services. The second is indirect application through Article 21.2.d, which requires NIS2-regulated clients (banks, healthcare providers, energy companies, manufacturers) to assess the security of their supply chain. In practice, most mid-market agencies are now subject to NIS2 expectations through their largest clients regardless of their own size threshold.
How do agencies secure freelancer access without managed laptops?
Agentless approaches are the only realistic answer. Identity-based access through ZTNA controls what the freelancer can reach at the application layer rather than at the device layer. Browser-based access to scoped resources removes the need to install software on personal devices. Sensitive workflows that require local files can be tied to managed agency-owned workstations available on a shared basis. The principle is to define the boundary at the application, not the device.
What cybersecurity audit do agency clients typically run?
Enterprise clients embed standardised questionnaires in their procurement processes. The most common are based on ISO 27001 control families and SOC 2 Type II Trust Services Criteria. Specific questions cover access control, encryption in transit and at rest, incident response timelines, employee security training, third-party risk management and data residency. Agencies serving NIS2-regulated clients face additional questions on supply chain risk, jurisdictional exposure and incident notification capability. The questionnaire arrives before the pitch is awarded, not after.
How does GDPR apply to first-party marketing data we process for clients?
The agency is typically a data processor and the client is the data controller. The agency’s obligations include processing personal data only on documented instructions from the client, ensuring confidentiality through appropriate access controls, implementing technical and organisational security measures proportionate to the risk, and assisting the client with data subject requests and breach notifications. A unified access platform with central logging makes the technical and organisational measures requirement substantially easier to evidence.
Can we keep using Adobe Creative Cloud, Figma and our other SaaS tools?
Yes. SASE does not replace SaaS tools. It adds a unified access and policy layer in front of them. Adobe Creative Cloud, Figma, Sprout Social and the rest of the agency stack continue to operate exactly as before. What changes is identity flow (single sign-on through the agency’s identity provider), traffic inspection (consistent web security and DLP across tools), and access lifecycle (automated provisioning and revocation tied to engagements rather than to individual tool admin actions).
What does this look like for our service partner?
External service partners operate the platform on the agency’s behalf through a multi-tenant console, managing multiple agency clients from one interface with each agency’s data and policies isolated. This is the model most mid-market agencies adopt because they do not have the internal IT depth to operate the platform alone. The partner-first architecture is built into the platform rather than added as an afterthought.
The pressure on agency security has shifted from “should we” to “we have to”. Enterprise clients are auditing the supply chain. Regulators are activating NIS2 across the Benelux. Freelancer-driven workflows have outgrown the perimeter-and-VPN model that most agencies still run. A unified SASE platform is the most realistic way to align the agency’s operating model with the security model the business now requires. The next step is a working session with a service partner to map the current SaaS stack against a phased rollout plan, with the freelancer onboarding workflow as the first deliverable. Book a demo to see how the architecture maps to your current stack.