Last month, the Financial Times reported that the Federal Deposit Insurance Corp. (FDIC) estimated U.S. banks and corporations lost about $15 billion to cybercrime over the last five years.
Also in January, the Online Trust Alliance (OTA) released a report (“2012 Data Protection and Breach Readiness Guide”) that dubbed 2011 “the year of the breach.”
According to the report, almost 560 data-breach incidents were reported, resulting in the loss of more than 126 million records. The cost to businesses: $6.5 billion. The breaches originated from “external attacks, including server exploits and passwords compromised via phishing and forged email,” according to the report. Almost all of those breaches (92%) were estimated to be avoidable had companies taken the right precautions.
The problem, experts said, is that most companies don't realize that there's more at stake than just dollars and cents. Just as important, according to one expert, is the potential for loss of trust and respect.
“Data is the new Fort Knox,” said Jeff Beardsley, director of production engineering at email marketing company Bronto Software. “It's exceedingly valuable to criminals, and its loss can have significant consequences for companies of all sizes.”
And the losses just keep adding up. For instance, industry research firm Privacy Rights Clearinghouse (PRC) said that more than 543 million records have been breached since 2005, when it started keeping records, which is “more than one record for every resident of North America.”
With the threat of data breach and loss so high, OTA said every marketer should assume that it, its ESP or another service provider will be breached, if it hasn't been already. There are, however, plenty of steps a marketer can take to improve its company's email and data security and reduce its risk of a data breach or loss. Here are nine of the easiest and most effective.
Security, even email security, has always been something left for the IT department to worry about. This is a huge mistake, said Alec Petersen, CTO at Message Systems. IT needs to know where your data is housed, all the service providers and ESPs you're using, as well as the value of your data. They can't protect what they don't know is there, Petersen said. In addition, marketing can and should utilize IT's expertise when it comes to physical and virtual security.
Customers are more likely to fall for a phishing scam if a company's message design and branding changes frequently, said Mike Hotz, associate director of strategic services at ESP Responsys. “Every email should have elements that recipients are familiar with and can look for before making a decision to click through,” he said. Since images may be turned off, email consultant Jeanne S. Jennings, suggested including brand names in rich text. “It might seem redundant, but it should be there.” Both experts agreed that while phishers may attempt to duplicate your design, it's very unlikely they will get every element right.
This is important for two reasons. The first relates to deliverability. Phishing is so prevalent that many ISPs, email servers and security features will often block emails with too many links. They may also block messages that use link shorteners since they can mask a risky domain. The second reason is to protect your customers and prospects from being phished. If they know your emails will only contain links back to your site, they will learn to recognize and avoid suspicious or dangerous links. “Provide links that go back to your domain to protect your brand and your recipients, and let them know that you will only be directing them to your site,” said Henry Harbury, VP-engineering at marketing automation company Act-On Software.
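The link rule above is easy to enforce mechanically before a campaign goes out. The following is an added example, not code from the article or from any of the companies it quotes: a pre-send check that extracts every href from an HTML email body and flags links that leave the sender's domain, use a public shortener, are not https, or exceed a link count. The domain `example-brand.com`, the shortener list and the sample message are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed sending domain for the brand (placeholder; not from the article).
ALLOWED_DOMAINS = {"example-brand.com"}
# A few widely used public link shorteners (constructed list; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())


def host_allowed(host, allowed_domains=ALLOWED_DOMAINS):
    """True if host is an allowed domain or a subdomain of one.

    The suffix test includes the leading dot, so a lookalike such as
    example-brand.com.login-check.example does not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def check_links(html, allowed_domains=ALLOWED_DOMAINS, max_links=10):
    """Return (href, reason) pairs for every link that violates the policy."""
    collector = _LinkCollector()
    collector.feed(html)
    problems = []
    for href in collector.links:
        parts = urlsplit(href)
        if parts.scheme == "mailto":
            continue  # contact addresses are not web links
        host = parts.hostname or ""
        if not host:
            problems.append((href, "relative or anchor-only link has no host"))
        elif host in SHORTENER_HOSTS:
            problems.append((href, "link shortener masks the destination"))
        elif not host_allowed(host, allowed_domains):
            problems.append((href, "link leaves the sender's domain"))
        elif parts.scheme != "https":
            problems.append((href, "link is not https"))
    if len(collector.links) > max_links:
        problems.append(("*", f"{len(collector.links)} links exceed the limit of {max_links}"))
    return problems


# Constructed sample body: two good links, one mailto, and three that should fail.
SAMPLE_EMAIL = """
<p>Hi there, <a href="https://www.example-brand.com/offers">see this month's offers</a>.</p>
<p>Manage preferences <a href="https://example-brand.com/preferences">here</a>.</p>
<p>Questions? <a href="mailto:help@example-brand.com">Email us</a>.</p>
<p><a href="http://example-brand.com/unsubscribe">Unsubscribe</a></p>
<p><a href="https://bit.ly/abc123">Read the full report</a></p>
<p><a href="https://example-brand.com.login-check.example/verify">Verify your account</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run against the sample, the check reports three violations (the http unsubscribe link, the shortener and the lookalike host) and lets the two brand-domain links and the mailto address through. Wiring this into the campaign build step is what turns the "links only to your site" promise into something you can keep.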
Marketers might be tempted to collect and store data “just in case,” but unless you're actively using data, it shouldn't be collected at all. Unused data that has already been collected should be stored on a server that's not connected to the public Internet, said Bronto's Beardsley. “I've definitely seen people collect personally identifiable data that they don't need. For most, all that's required for marketing purposes might be name, email address and title; but they collect far, far more,” he said. If they are breached, there's more to lose.
This is one of the easiest things that a company can do, and it's one of the most protective, Beardsley said. “Whether your email is sent from in-house or through an ESP, you can restrict the number of IP addresses that are allowed to access your email account,” he said. “So if someone tries to log in with a valid login and password but is coming from an unknown and unapproved IP address, they will be stopped in their tracks.” This protects companies in the event that their own employees are phished or their networks are breached.
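To show what Beardsley's IP restriction looks like in practice, here is an added example (not Bronto's code or any ESP's) of a per-account allowlist applied at login. The allowlist entries use reserved documentation address ranges and the account name `marketing-team` is a placeholder; `password_ok` is assumed to come from the normal credential check. The IP rule is evaluated first, so a correct password presented from an unapproved address is still refused, and every decision is written to an audit list so that a rising count of IP denials can be spotted.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed allowlist: an office egress range, a single VPN host and an IPv6
# range. These are documentation addresses; substitute your own.
ACCOUNT_ALLOWLISTS = {
    "marketing-team": ["203.0.113.0/24", "198.51.100.7", "2001:db8:10::/48"],
}


def parse_networks(entries):
    """Turn CIDR strings and bare host addresses into ip_network objects."""
    # strict=False lets a bare host such as 198.51.100.7 become a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def source_allowed(account, source_ip):
    """True only if the account has an allowlist and source_ip falls inside it."""
    entries = ACCOUNT_ALLOWLISTS.get(account)
    if not entries:
        return False  # fail closed: an account with no allowlist gets no remote access
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed value (e.g. a tampered forwarded-for header)
    return any(addr in net for net in parse_networks(entries))


def evaluate_login(account, password_ok, source_ip, audit_log, at=None):
    """Decide one login attempt and append an audit record.

    The IP check runs before the credential result is consulted, so an
    attempt from an unapproved address is refused even with the right password.
    """
    at = at or datetime.now(timezone.utc)
    if not source_allowed(account, source_ip):
        decision = "deny-ip"
    elif not password_ok:
        decision = "deny-credentials"
    else:
        decision = "allow"
    audit_log.append({"time": at.isoformat(), "account": account,
                      "source_ip": source_ip, "decision": decision})
    return decision


def denied_ip_attempts(audit_log, account):
    """Count attempts refused by the IP rule; a climbing count suggests stolen credentials."""
    return sum(1 for r in audit_log
               if r["account"] == account and r["decision"] == "deny-ip")


# Constructed attempts: two from the office, one with a valid password from an
# unknown host, one over IPv6 from the VPN range, one with a garbage address.
SAMPLE_ATTEMPTS = [
    ("marketing-team", True, "203.0.113.42"),
    ("marketing-team", False, "203.0.113.42"),
    ("marketing-team", True, "192.0.2.200"),
    ("marketing-team", True, "2001:db8:10:1::5"),
    ("marketing-team", True, "not-an-ip"),
]


def run_sample():
    """Evaluate the constructed attempts and return (decisions, audit_log)."""
    log = []
    decisions = [evaluate_login(a, ok, ip, log) for a, ok, ip in SAMPLE_ATTEMPTS]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_sample()
    for record in log:
        print(record)
    print("IP denials:", denied_ip_attempts(log, "marketing-team"))
```

The third attempt is the case Beardsley describes: valid credentials, wrong network, stopped. Alerting on `denied_ip_attempts` is the cheap detection that comes for free once the rule is in place.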
While most consumers understand what phishing is, they may not be as concerned if they are in a business setting. Companies should remind customers and prospects that phishing happens and give them tools to protect themselves. This starts by letting them know what they should expect from you: when emails will be sent, what they will look like, what they will ask for and what they will contain, said David Fowler, chief privacy officer at Marketfish Inc. Emails should also include a link to your privacy policy, which should detail the kind of information you've collected, how it is stored and what you're using it for.
People are still lax with passwords, using words and phrases that are easily guessed. Access to your marketing and email programs and services should be secured. Employees should understand that they shouldn't access Web-based services while browsing on other sites. Passwords should be changed often and, where possible, backed by stronger measures. “Here, we use the RSA token code for anyone who has admin permission,” said Hotz of Responsys, referring to the company's SecurID two-factor authentication, which uses a mobile app or a hardware token to generate a new one-time code every sixty seconds.
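The time-based code Hotz describes is the idea behind the open TOTP standard (RFC 6238), which is what the added example below implements; it is not Responsys' setup and not RSA's proprietary SecurID algorithm. It generates a six-digit code from a shared secret and the current 60-second time step, and the verifier accepts one step of clock drift either way while refusing any code whose time step has already been used, so a code captured by a phisher cannot be replayed after the legitimate login. The `TotpVerifier` class, user names and secrets are assumptions for the example; the RFC's published SHA-1 test secret is used in the usage note to confirm the arithmetic.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection."""

    def __init__(self, secrets, step=60, digits=6, window=1):
        self._secrets = secrets      # user -> shared secret bytes (assumed already enrolled)
        self._step = step
        self._digits = digits
        self._window = window        # accept this many steps of drift either way
        self._last_counter = {}      # user -> highest time step already accepted

    def verify(self, user, code, at=None):
        secret = self._secrets.get(user)
        if secret is None or len(code) != self._digits or not code.isdigit():
            return False
        at = int(time.time()) if at is None else at
        current = at // self._step
        for counter in range(current - self._window, current + self._window + 1):
            # A step at or below the last accepted one is never reusable, so a
            # code lifted by a phishing page is worthless once the real login happened.
            if counter <= self._last_counter.get(user, -1):
                continue
            expected = hotp(secret, counter, self._digits)
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed secret and user for a quick demonstration.
    demo_secret = b"demo-shared-secret-for-alice"
    verifier = TotpVerifier({"alice": demo_secret})
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code:", code)
    print("first use:", verifier.verify("alice", code, now))    # True
    print("replay:", verifier.verify("alice", code, now + 5))   # False
```

With a 30-second step the function reproduces the RFC 6238 Appendix B vectors for the secret `12345678901234567890` (time 59 gives `287082`, time 1111111109 gives `081804`), which is the check worth running before trusting any home-grown implementation. The replay rule is the part SecurID-style tokens and most TOTP libraries also enforce, and it is what makes a phished one-time code a much smaller prize than a phished password.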
Few companies would leave their offices unlocked overnight, but most marketers fail to realize that an unlocked laptop or mobile device—or even a misplaced thumb drive—can function as an open door right into the company's data. Anyone who accesses the email database or system via an unlocked device is essentially taking a huge risk, said consultant Jennings. She suggested implementing a corporate policy that states all employees must password-protect their laptops and mobile phones. In addition, employees should know that they are never allowed to store or transport customer or prospect data on a portable device such as a thumb drive.
Your employees could be doing all the right things, but your ESP or service provider might have huge holes in its security policies. How can you know? Ask, said Marketfish's David Fowler. Some important questions include: Does the vendor have a privacy policy and statement? How old is its privacy policy? What kind of data does it collect? How often is the policy updated? “These are important questions to be asking,” Fowler said. “Also, how do they onboard new customers? A vendor could have a robust privacy statement but, if what it does isn't the same as what it says, you can have a problem.”
Fowler said you should also know exactly what that third party is going to do if something goes wrong. Does it have a roadmap or contingency plan in the event of a data or security breach? Is it contractually obligated to disclose any breaches? How often is it updating its security policies, software and services?
The buck doesn't stop with the ESP or service provider, either. Marketers should ask ESPs or vendors to disclose any third-party hosting companies they work with and get details on their policies as well. “The reality is, unless you own the entire network [that data resides on and email is sent from], then there's always going to be a door open for something to occur, so you need to go in with eyes open,” Fowler said.