15 Jan 2023 » Opinion
Sometimes I joke with my colleagues, saying that if I had to start my career as a consultant again, I would choose security as my area of expertise. I do not think that I would have liked it as much as my career at Adobe, but I know that I would have always been in demand. That being said, we all have to be very conscious of the security of everything we do, even in digital marketing. Let me explain why.
When I was in college many years ago, a professor said that she had purchased something online using her credit card, on a website that used plain HTTP (i.e. no security). All of the students were looking at her with surprise. She added that nobody would waste any time trying to compromise the website. That was a time when online security incidents were virtually non-existent. Nowadays we do not even dare to visit a website that only offers HTTP.
Security breaches are becoming more mainstream and sophisticated. The latest that affects me is the backup that was stolen from the password manager software LastPass. The information that I have read is anything but satisfactory and I will soon cancel my subscription. It turns out that they did not encrypt everything and the information that was stored in clear text can be used to perform some types of attacks. It is true that the passwords are “safe”, but email addresses, URLs and other data were stored in clear text. Smart crackers can use that information for their own benefit. For example, they could launch a phishing attack on all customers of a bank, as they would know some details about these customers. Or they could check in publicly available databases (e.g. Have I Been Pwned?) if an email address has a password that has been compromised or stolen.
You may be wondering how this is an issue if you are working in digital marketing. You are not dealing with credit cards, passwords or operations data. Let me start by stating the following: crackers will find a way to exploit any information that lands in their inbox. Do not fool yourself into thinking that security does not apply to you. It does.
Consider the following examples, which I am sure you have heard of or can even relate to.
Adobe mandates that all mobile devices are encrypted. If someone steals my laptop, they will be able to sell it, but all my clients’ information will not be accessible. That information is much more valuable than the hardware it is stored in. I actually have an anecdote about it: a few years ago, I forgot my laptop at Heathrow Airport. Lucky me, this seems to be one of the safest places to lose anything, as I found it in the lost & found office when I came back.
Are all your work devices encrypted and using multi-factor authentication?
Some companies are too lazy to automate their lists for email marketing and keep them in Excel sheets. They share them over email with their colleagues, before uploading them manually to an Email Service Provider. What would happen if this list ends up in the wrong place?
Many would be tempted to say: “Who could benefit from my list of emails? Nothing is interesting in it.” Remember what I said earlier: someone will find a way to exploit this information to make money out of it.
You probably know what I am going to suggest: always use systems that do not require you to copy files manually.
When I started working for Adobe, we offered FTP accounts for our customers to upload data to Adobe SiteCatalyst Analytics. These accounts could be used as SFTP too, but our clients often preferred FTP; I guess it was easier for them. I do not know if we still have anybody using FTP but, if you do, stop immediately and switch to SFTP.
The same applies to any automated data transfers: always use secure protocols. With Adobe Experience Platform, you can only use secure methods, like Amazon S3, Google Cloud Storage or Microsoft Blobs. Besides, all APIs are HTTPS only, requiring strong authentication mechanisms.
Are your digital marketing tools secure? How is user management secured? If a person leaves the company, is their access immediately denied?
I remember that a few years ago I was working with a large CPG company. One of their main concerns was that an employee who was recently fired could download all customer databases and start sending incendiary emails to the client base, ruining the company's credibility. You do not want to be in a company where this can happen.
One cousin of security is privacy. A quick Internet search shows how close they are.
I hope that I have your attention now: privacy has become important in digital marketing, very important. This is not a post about GDPR, CCPA and other laws that you need to comply with, but I am sure you are very well aware of them. Suffice it to say that the fines can break the bank. As a digital marketeer, it is your responsibility to comply with these regulations, including the security aspects.
I once read that the minimum security level that you should apply to everything was paranoid. I agree that this can be an exaggeration. However, keep in mind the security implications of everything you do in digital marketing and do not underestimate them.