As marketers, we’re often given secret and proprietary information by our clients in order to do our jobs more effectively. While this line of communication is a sign that your agency-client relationship is strong and based on trust, it also leaves marketers vulnerable to attack from those who’d use that information for their own ends.
Here are some of the soft spots that can be introduced into the marketing department unknowingly, with tips on how to armour up against attack.
Social media, websites, you name it – we probably have more elevated access permissions than the average visitor. If recent events are anything to go by, the old password hack of trying the default password ‘admin’ is still alive and well. If you’re saving passwords in plain text on your computer or, heavens forbid, on slips of paper or sticky notes, then you’ve fallen even before the gate has opened. Adopting strong passwords that are difficult to remember does pose a problem if you have to remember them off the top of your head, but they do delay hacking attempts. However, there are many applications available now to securely store your gathered passwords, and several also offer other methods of secure storage for digital information. Do your research and ensure the tool you’re choosing hasn’t itself been compromised. It’s true that these offer a level of protection to the user, but if they have been broken and the hash and/or salt published online, then they’re little better than that sticky note on your monitor!
IP and other proprietary information
As an external representative of our clients, we are frequently given Intellectual Property or trade secrets potentially valuable to competitors or others looking to grab a quick bitcoin from the info. One way to protect yourself, and ensure you’re not the subject of a massive corporate espionage case, is to ensure you never transmit sensitive business information via unencrypted means. This means no telephone calls, plain text emails or social media posts without your client’s legal advisor’s approval. Ideally, you should develop a process for labelling sensitive information with your clients, who may never have dealt with this level of external stakeholder interaction with their proprietary information before. Following ASIC’s guidelines and regulatory documentation for the handling of corporate information is another way to earn the trust of your client – demonstrating you’re willing to go that extra mile to protect them and their business interests.
This is a whole other article. If you’re storing contact details for your client’s marketing automation, you should consider the technology you’re using. Is the software package secure? Is the information backed up regularly? Where is the server it’s backed up to located? Did you know that information stored on computers in one country, even if it’s not the country you’re located in, is actually deemed the property of the government of that country by law? Doing a little research might save you a big headache. Stay tuned for more on this in an upcoming blog post.
We’re all guilty of clicking ‘Ignore’ on Software Update reminders. While there are times when hopping on board with the very first release of an update is not a great idea, make sure you have a regular software update session. Not only does it allow your operating system to get all the latest patches for vulnerabilities, but the process also gives your poor hard-working laptop, tablet or phone a chance to restart and clear its caches and temporary memory. You’ll be surprised at the increased performance once it’s been shown a little extra love.
Social engineering, spoofing and phishing
It’s a sad fact of life, but there will always be people looking to get information from those who have it. Social engineering is a form of people hacking, and it’s a sly way of working a system to get information not otherwise easily accessed. Don’t believe me? Watch this video. Spoofing is where someone uses software to make it appear that they’re calling from a phone number that is not their own. This is used to mis-identify through Caller ID. It’s generally used in conjunction with social engineering through the phone, as we saw in the previous video. Phishing is an email that looks like it’s come from a valid website, when in fact clicking on a link in the email will send you elsewhere. Phishing can be used by cybercriminals in conjunction with a vast range of other hacking techniques to gain access to systems and information they don’t have approved access to. The recent 2017 Midyear Security Roundup: The Cost of Compromise found that Australia accounts for 27.4% of world-wide Business Email Compromise (BEC) attacks, so it’s crucial that we ensure business processes and cross-organisational communications are above board.
There are always more vulnerabilities than those we know today. It’s a fact of life that there are more people looking to take advantage of these soft spots than there are looking to shore up the gaps in our defences. Vigilance and a mind-set of security and protection are the best form of defence you can offer yourself and your clients. Stay up to date with the latest vectors and openly discuss your protection processes, both in-house and with your clients.