The Dark Side of the Moon: Data security basics from Concep


The Dark Side of the Moon: What non-technical marketers in professional services need to know about data protection and cyber security


Brave New World


Three Universal Truths


What Does “Secure” Mean?


What’s at Risk?


What Can You do to Mitigate Risk?


8 Ways Your Marketing Tech Partner Can Keep Data Safe


How Does Data Flow?


Keeping Data Safe


Playing our Part in Marketing


About Concep


Concep works with many marketing technologists. We also work with event managers and marketers who don’t have a background in IT. This eBook is aimed at marketing professionals who don’t have a technical background or experience and who may source and use marketing technology for legal and professional service firms.

To contribute to the conversation, join the Concep community on LinkedIn.

Brave New World

It’s been a steep and continuous learning curve. Over the last decade marketing professionals in legal, financial and professional service firms have had to adapt to the birth of new digital devices, new technologies, the rise of social media, automation, new privacy laws and regulation… the list is long. We’ve had to rise to the challenge of working in an increasingly competitive space and in a constantly changing marketplace. Our worlds are frequently being rocked by mergers, new players on the block, and new regulation. The last decade has also revealed unprecedented levels of decline in public trust. Most of us in the B2B world have thrived and embraced this brave new world. We’ve honed our messaging skills, created content for reading on a variety of mobile devices, placed cookie and privacy updates on our websites and found new ways of doing more with less.

We’ve taken learning seriously.

We’ve listened to thought-leaders and innovators. We’ve invested in platforms, explored apps and other new marketing technology.

We’ve grown used to the fact – admittedly with just a little reserve – that we have to work closely with our colleagues in IT. We know that before we can invest in new marketing technology we need their involvement, their expertise and, in many cases, their blessing.

It’s not just about good working relationships and organizational protocol. There is much, much more at stake.

There are three universal truths that are driving a change in our behaviours which we ignore at our peril.


Data Privacy is a Human Right

Clients have become more demanding, more knowledgeable and more vocal about their rights. They want to know how we are going to keep their data safe. Misuse their data, and risk losing a client. How and when you communicate with them is all part of how they experience your brand. And they will not forgive lightly. Microsoft CEO Satya Nadella said in a recent interview that he believes the default position has to be that people own their own data. In his view:

“Privacy is a human right, we need a GDPR for the world.” (World Economic Forum, Jan. 2019)

Marketers who don’t adopt a “privacy-first policy” will find themselves scrambling to comply in an increasingly challenging global regulatory environment.


No one is Safe from a Cyber Attack

We’re becoming more reliant on technology and how technology integrates with our existing and third-party systems, especially as we share more data across our organisations. This exposes us to new and very real threats like being hacked or having our clients’ email addresses stolen – or held to ransom. Professional services firms are attractive targets for cyber criminals, and smaller firms are as vulnerable as large ones, as attackers will always look for the path of least resistance.

Companies that ignore the risk of data breach or fail to invest in data protection systems are unlikely to survive for a long time.

Stephane Nappo, Global Chief Information Security Officer at Société Générale International Banking has widely been quoted as saying:

It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.


Marketing is Accountable

New technologies and tools are helping to transform our roles as marketers. Content automation, for example, cuts out the repetitive manual task involved in distributing blogs to different client groups. Integration is pulling together data from different sources, providing easy access to new insights in real time. We have more potential than ever to provide new strategic value to our firms… and to the bottom line. But with new power comes new responsibility. As technology integrates and gets more complex, the risk increases too. Marketing can no longer delegate the technical questions to the experts. We need to speak the same language as our IT colleagues so that we can sing in unity from the same songsheet. Without understanding the implications and technicalities, how can we be expected to invest smartly, safely – and nimbly – in marketing technology that will transform the very companies we work in?


What does “secure” mean?

There are two types of cyber security we need to be concerned with in marketing:

1. Operational security
2. Technical security

Both are intrinsically linked with your clients’ data privacy and how you as an organisation promise to keep them safe in your company’s “privacy policy”. They impact how you deliver on the small print: the “Your privacy is important to us” line on your website data capture forms. What processes and procedures does your organization have in place to safeguard your clients’ data? What are you doing to protect their privacy? When working with a third party such as a technology partner, you need to be aware of the guarantees they should be able to offer you at both a technical and an operational level to protect your clients’ data and monitor your system’s vulnerabilities.


What’s at Risk?

According to a survey of business executives (Marsh-Microsoft 2018), the top three most concerning consequences of a cyber attack are:


1. Interruption of all business activities. This includes any activities related to marketing and business development which would need to be put on hold. 75% of executives believed this to be the most serious consequence of a cyber attack.

2. 59% of executives were concerned about the reputational damage that would be brought to the firm in the event of an attack such as data being stolen or held to ransom, or even made public.

3. This was followed closely with 55% of executives believing that breach of client data was cause for concern.

Other damage caused by breach of data security includes loss of intellectual property and liability to third parties who may be affected by the breach. For firms holding financial information like credit card details, this is an added layer of concern. In a post GDPR world, businesses will also need to detect and report any data breach of EU citizens within 72 hours of the incident or face heavy fines from the regulators.


What can you do to mitigate risk?

Your IT leaders will no doubt have strategies, systems and processes in place to keep your firm protected from cyber threat. Often as not, however, the biggest threat comes from inside the organisation – that’s you and your team! As much as 51% of all data security breaches come from within the firm. You, your team, contractors and third parties who come into contact with company data – and especially with your contacts’ data – won’t necessarily be looking to cause damage by malicious intent. Rather, it will happen by accident or carelessness.

That’s why our attitudes and approach to using technology need to change. The increase in risk means it is simply not enough to be aware. The more we know and understand, the more prepared we will be. Take steps to learn about risk and prevention and make it part of your team’s KPIs. Ensure your team receive training and become data protection militants. That way it will be less likely they fall victim to phishing.

Always err on the side of caution. Is the marketing team all sharing the same password to access online platforms? How often do you change the password? How many people have access? Who needs to download data and why? Learn to spot unusual patterns or activity. It is so easy and tempting to download free apps aimed at making marketing’s job easier. Avoid downloading “shadow IT” and always inform your IT team before you do to give them a chance to check it out or even suggest an alternative.

Don’t forget the basics too. Are you collecting the data you need and only the data you need? Have a clear data strategy and document your data management processes.


8 ways your marketing tech partner can keep data safe


1. Adopting ‘Secure by Design’ standards

Just as you would expect an architect to design a house that doesn’t leak, technologists should build their systems “bottom up” following standards to ensure the end user will be able to comply with regulation.

2. Implementing a DPA Programme

Their employees will have gone through a “Data Protection Awareness” or DPA Programme which is monitored and updated as required by the business.

3. Being prepared to collaborate

The business has all the processes and resources in place to collaborate with you fully should you require or be subject to an audit.

4. Having documentation around the Data Protection Policy

This document – which can be stand-alone or part of a contract – clearly lays out how data is managed with specific reference to anyone involved in the data management process including employees, contractors or third parties. Do they do due diligence?

5. Being clear and transparent around locations where your data is held

Your technology partner should provide you with a list of where data is held and what the data flow looks like.

6. Assuring you future guidance around data removal

Once the data retention period is over, your technology partner needs to provide you with formal guidance on how they securely delete your data.

7. Working with accredited partners

Your tech vendor should be working with third parties who have equivalent accreditation and sophisticated security compliance programmes.

8. Incident response plan

In the event of a major system outage or security incident, your vendor should have a response plan in place to keep you informed of the impact and status of the incident within an agreed timeframe.


How does data flow?

Data is at risk not only on your devices but also in transit. It’s useful to know how your data flows and what measures are in place to keep it safe. At Concep, for example, all client data is hosted on highly secure AWS servers in Ireland. Using AWS as a cloud hosting provider ensures that we can benefit from their strong safeguards. Regionally hosted servers in North America and Australia ensure local clients have the guarantee of their data being pushed back to their CRM platforms in a fast and secure manner.

Example of Data Location and Flow - Concep, 2019:

AWS EU (Ireland) Region: hosts all client data; processes data for EMEA integrated clients
AWS US East (Ohio) Region: processes data for US integrated clients
AWS Asia Pacific (Sydney) Region: processes data for APAC integrated clients


Keeping Data Safe

As part and parcel of keeping your contacts’ data secure there are other methods and systems worth knowing about:

Data Encryption

Data encryption stops data being visible in the event that it is accessed without authorisation whilst being transferred from one data centre to another. Not only data in transfer needs protecting. It’s also important to have encryption at rest to protect data that is not in motion – that is, data sitting in the database on the server.

How does encryption work?

[Diagram: the message “Dear John, Here’s an industry update” goes through an encryption algorithm and travels as unreadable text (******* ************ *******); a decryption algorithm then restores “Dear John, Here’s an industry update” for your contact.]



Data is ‘communicated’ or transferred via HTTP, which stands for ‘hypertext transfer protocol’, for example when you are accessing information within an email that contains links, surveys, or images hosted on the internet. Its purpose is to deliver the information to the user. It does not focus on what happens to the data during transfer from Point A to Point B. There is no encryption, making it vulnerable to being intercepted by third parties.

HTTPS is its secure version. It works in combination with another protocol – or layer of protection – SSL, which stands for Secure Sockets Layer. Together they transfer or communicate data securely thanks to an encryption key keeping it safe from hackers.
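For readers who want to see the HTTP versus HTTPS difference checked in practice, here is an added example (not part of the original eBook and not Concep's own tooling): a short Python script that scans an email's HTML for links, images and survey forms still using plain HTTP. The sample email and its example.com addresses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a mail client or browser fetch, follow or submit a URL.
URL_ATTRS = {"href", "src", "action"}

# Constructed sample email; every example.com address is a placeholder.
SAMPLE_EMAIL = """
<html><body>
  <p>Dear John, here's an industry update.</p>
  <a href="https://news.example.com/update">Read the update</a>
  <img src="http://images.example.com/banner.png" alt="banner">
  <form action="http://surveys.example.com/submit" method="post">
    <input type="email" name="email">
  </form>
  <a href="mailto:team@example.com">Contact us</a>
</body></html>
"""


class PlainHttpFinder(HTMLParser):
    """Collects every URL in an HTML email that would travel unencrypted."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                scheme = urlsplit(value.strip()).scheme.lower()
            except ValueError:
                continue  # malformed URL: nothing reliable to report
            if scheme == "http":  # https, mailto, etc. are not flagged
                self.findings.append((tag, name, value.strip()))


def find_plain_http(html):
    """Return (tag, attribute, url) for each plain-HTTP reference, in order."""
    finder = PlainHttpFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for tag, attr, url in find_plain_http(SAMPLE_EMAIL):
        what = "submits form answers" if attr == "action" else "is loaded or followed"
        print(f"<{tag} {attr}> {what} without encryption: {url}")
```

An empty result means every link, image and form in the template already uses HTTPS; each finding is a URL to raise with your IT team or technology partner before the email goes out.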

Other ways of keeping data safe include Network Monitoring and Penetration Testing.


Network Monitoring

The clue is in the name. This is a security information and event management system. It actively monitors or keeps watch of the network for any potential security threats or attempted cyber attack.


Penetration Testing

This is when external providers carry out regular tests to ensure application and network robustness. They do this by trying to “penetrate” or break into your application or network and surface any vulnerabilities.

Should a data breach or loss take place, speed of response is critical.


Playing our part

By no means is this an exhaustive and in-depth look at data protection and cyber security. Our main objective is to help marketers become more proactive and involved in understanding and preventing the risk of working with technology. As the pace of technological change accelerates and we move from the digital era to the era of intelligence, marketers cannot be left behind. We need to play our part – and a big part it is too – if we are responsible for sourcing and purchasing marketing technology. It’s time to build stronger-than-ever relationships with our IT colleagues and contribute to building cyber-safe, data-safe cultures.

We invite you to continue the conversation around good practice and culture in professional services firms. Join us on LinkedIn.


About Concep

Concep has been continually evolving B2B Marketing technology to meet the needs and challenges of professional services firms since 2002. Our aim is to help marketing and BD professionals work smarter and more efficiently, and make better, insights-led decisions. One of our areas of focus is centred around continually enhancing the security of our platform and the way emails and surveys are sent, and data is captured and returned to clients’ CRMs. Information security and data protection is a critical part of what we do. We have robust policies and procedures in place to ensure that our clients’ data is secure, protected and compliant with current regulations.

Concep is ISO 27001:2013 certified. You can read more about this certification here.

For more details on how Concep ensures its platform is operationally and technically secure visit:


Looking for a secure and comprehensive engagement platform with a commitment and track record of client experience?

Visit for more information or sign up for a free trial.

