On March 30, 2011, one of the largest email service providers in the United States suffered a large security breach that compromised millions of email addresses. The incident put service providers and the entire data industry under the spotlight of the media, government, and average consumers. Moreover, it served as an immediate wakeup call to marketers to increase efforts to protect their data. Here are some quick tips on things you can do to minimize your vulnerability:
Don’t Be The Weak Link!
Most security breaches come down to the actions (or inactions) of an individual. Make sure you aren’t the weak link by ensuring you embrace, rather than undermine, the security measures your internal tech staff has already put into place.
So ask yourself:
- Did you write down a password after being told not to?
- Have you been ignoring requests to turn in your computer for routine maintenance?
- Did you let your spouse/child/friend/visitor use your work computer while logged in as yourself?
- Have you copied things to/from a memory stick recently?
- Did you download or install any applications yourself?
- Have you disabled any timeouts or security features because they were annoying?
I think we can all acknowledge (myself included!) that we as individuals could put more effort into supporting and enhancing data security. And it certainly seems like the time is now!
It’s OK — Everyone Makes Mistakes
It’s also important to acknowledge that we are all human and, by definition, humans make mistakes. So if something did happen that you think might have jeopardized security, or you otherwise have that sinking feeling that ‘something is not right,’ act quickly and report the incident to your tech team. No matter how sheepish you may feel, it is always better to seek immediate attention than to let a potentially huge security issue become worse through inaction.
Let me be clear on this: if something you did (or didn’t do) may have jeopardized security, STOP READING THIS ARTICLE, GET UP RIGHT NOW, AND GET SOME HELP. Once compromised, anything you do with your machine, including browsing your network drives, accessing your CRM, plugging in your thumb drive, etc., could spread the malware or virus, making the problem much, much worse. The faster you report it, the better it will be. Trust me.
Choose Your ‘Friends’ Wisely
Now that you’re doing such a great job of not being the weak link yourself, it is time to think about your associates and vendors. Anyone to whom you’ve granted access to your data could be the cause of a data breach, so be very, very selective. Reduce your exposure by remembering:
- Vendors who offer lower prices must be cutting corners somewhere… is it in data security or staff technology training?
- Always check references to be sure the vendors you like are also vendors you can trust
- Ask your vendors for results of a 3rd party security audit or network vulnerability assessment, and worry if it isn’t promptly provided!
- Confirm your vendor offers the security options you need. Here are some things you should ask for:
  - staff screening and training
  - encrypted data transmission
  - secure processing facility
  - data destruction policy
  - secure equipment end-of-life procedures
In your quest for safer data practices, you would be well advised to rethink past behaviors. Specifically:
- Don’t store and transmit data today the same way you did yesterday. Ask your IT department and trusted vendors “is there a safer way?” For example, we have clients who historically emailed their lists to us instead of using our secure upload option. It really is time for those clients to change their behavior! Remember, there is almost always a more secure transmission option and perhaps you skipped it in the past because it seemed like extra effort. It’s now worth it.
- Reduce your exposure by storing and transmitting less data. For example, if you have never developed a business use for your customers’ birth dates, stop asking for them and delete the data you have. And when working with vendors, only send the required fields, even if that is a little more work than just sending over your entire database. At FreshAddress, one of our customers sent over their customers’ vehicle VIN numbers (not a field we need to do an ECOA!). We immediately deleted it of course, but the client should be asking their tech team why they neglected to strip that field before sending their file to us. Perhaps there is even an option to work with a hashed version of your data? Ask!
- Take a hard look at your data consultants and other ‘middlemen’ — are they providing critical services worth the exposure of them having access to your data? Should you bring such roles in-house instead?
Bad Stuff Happens Even To Good Guys!
This is the toughest section to write, so I’ll keep it short. Sorry, but bad things happen. Convene a meeting with your team to brainstorm what could go wrong. It will be a great exercise that will help you plug holes in your own operation as well as develop thorough contingency plans. That way, you can control the extent of any data breach and be responsive to your customers.
And put some seeds or decoys in your file. This will help you identify that an incident occurred and perhaps even assist the investigation to track the perpetrator.
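For the tech team, here is an added example (not from the original article) of two of the tips above: sending a vendor only the required fields, and seeding each vendor's file with decoy addresses unique to that vendor, so that mail arriving at a monitored seed mailbox shows which copy leaked. The field names, vendor names, seed domain and key are all assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io

# Everything below (fields, vendors, domain, key) is constructed for illustration.
REQUIRED_FIELDS = ["customer_id", "email"]      # the only fields the vendor needs
SEED_KEY = b"replace-with-a-secret-kept-off-the-export-host"
SEED_DOMAIN = "seeds.example.com"               # a mail domain you monitor

def seed_address(vendor, n):
    """Decoy address unique to one vendor; not guessable without SEED_KEY."""
    msg = f"{vendor}:{n}".encode()
    tag = hmac.new(SEED_KEY, msg, hashlib.sha256).hexdigest()[:12]
    return f"j.{tag}@{SEED_DOMAIN}"

def build_export(rows, vendor, seeds=2):
    """Return CSV text holding only REQUIRED_FIELDS, plus `seeds` decoy rows."""
    # Seed ids are constructed; in practice pick ids that look like real ones.
    decoys = [{"customer_id": f"9{n:03d}", "email": seed_address(vendor, n)}
              for n in range(seeds)]
    out = io.StringIO()
    # extrasaction="ignore" silently drops every field not on the allowlist.
    writer = csv.DictWriter(out, fieldnames=REQUIRED_FIELDS, extrasaction="ignore")
    writer.writeheader()
    # Sort by email so the decoys are not grouped at the end of the file.
    for row in sorted(list(rows) + decoys, key=lambda r: r["email"]):
        writer.writerow(row)
    return out.getvalue()

def attribute_seed(address, vendors, seeds=2):
    """Map an address that received mail back to the vendor whose file held it."""
    for vendor in vendors:
        for n in range(seeds):
            if seed_address(vendor, n) == address.lower():
                return vendor
    return None

SAMPLE = [  # constructed records, including fields the vendor does not need
    {"customer_id": "1001", "email": "ana@example.org",
     "birth_date": "1980-02-03", "vin": "CONSTRUCTEDVIN0001"},
    {"customer_id": "1002", "email": "raj@example.org",
     "birth_date": "1975-11-30", "vin": "CONSTRUCTEDVIN0002"},
]

if __name__ == "__main__":
    print(build_export(SAMPLE, "vendor-a"))
    print(attribute_seed(seed_address("vendor-b", 1), ["vendor-a", "vendor-b"]))
```

Keep the key and the list of vendors somewhere other than the exported file, since anyone holding both can tell the decoys from the real records.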
There are many unscrupulous people trying to steal data every day and they are targeting companies just like yours. But by implementing these tips, your reputation and your data will be more secure. Good luck!