Quick security check to keep out hackers and limit access to personal data
I don’t need to tell you that data is valuable. It is central to all we do in targeting, personalization, qualifying leads, and reporting. With anything that is precious, we have an obligation to secure it. It’s not just the right thing to do, it’s our legal responsibility. Both the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) require the protection of personal data.
For all of us, a data breach would be a real-life horror movie. Penalties can be levied against our organization if we fail to maintain reasonable security practices, and there are potential repercussions for any individuals whose data was hacked.
As in any creepy thriller, there are right things and wrong things to do (like splitting from the group when you’re exploring a haunted mansion). In the sections that follow, we’ll look at a couple of best practices for securing your data and keeping intruders out.
Heeding the Elder’s Warning (Securing access to your platform)
If you haven’t recently conducted a security audit, there are several areas to review. Ultimately, the security settings and processes will be different for each organization based on input from a variety of groups, for example, legal, IT and security.
The most important line of defense is preventing unauthorized access to the platform. Review your policies covering the major threats: hackers and former employees.
Lock the door: keeping out hackers
If the security requirements are dictated by your security or IT department, then your responsibility is to ensure that the access settings align with those policies.
If you don’t have an edict, then you can customize the settings. Although simple is convenient, the trade-off is vulnerability. We don’t want locks on our houses that can be picked by a bobby pin, swiped with a credit card, or splintered by an axe (Here’s Johnny!). Similarly, don’t allow simple passwords or numerous login attempts. Carefully review and configure the security settings including:
- Password complexity
- Password expiration
- Number of invalid login attempts allowed before the account is locked
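To make the three settings above concrete, here is an added example (written for this article, not the marketing platform’s own configuration or API) that evaluates a stream of login events against a policy: complexity rules for new passwords, a maximum password age, and a lockout after too many failed attempts. The thresholds, the account state and the sample events are constructed for illustration; the values your organization should use come from your own security or IT policy.

```python
"""Password-policy and lockout checker (illustrative, not platform code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LoginPolicy:
    # Assumed example thresholds; real values come from your security policy.
    min_length: int = 12
    required_classes: int = 3                   # of: lower, upper, digit, symbol
    max_password_age: timedelta = timedelta(days=90)
    max_failed_attempts: int = 5
    lockout_duration: timedelta = timedelta(minutes=30)


@dataclass
class AccountState:
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def password_complexity_ok(password: str, policy: LoginPolicy) -> bool:
    """Reject short passwords and passwords drawn from too few character classes."""
    if len(password) < policy.min_length:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # anything else counts as a symbol
    ])
    return classes >= policy.required_classes


def password_expired(state: AccountState, now: datetime, policy: LoginPolicy) -> bool:
    return now - state.password_set_at > policy.max_password_age


def record_login_attempt(state: AccountState, success: bool, now: datetime,
                         policy: LoginPolicy) -> str:
    """Apply one login event to the account and return the decision.

    Decisions: 'locked' (attempt ignored, or this failure triggered the lockout),
    'rejected' (bad credentials, counter incremented), 'password_expired'
    (credentials correct but a reset is required), 'accepted'.
    """
    # An expired lockout clears the counter; an active one blocks everything.
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"
        state.locked_until = None
        state.failed_attempts = 0

    if not success:
        state.failed_attempts += 1
        if state.failed_attempts >= policy.max_failed_attempts:
            state.locked_until = now + policy.lockout_duration
            return "locked"
        return "rejected"

    state.failed_attempts = 0
    if password_expired(state, now, policy):
        return "password_expired"
    return "accepted"


def simulate(events: List[Tuple[datetime, bool]], state: AccountState,
             policy: LoginPolicy) -> List[str]:
    """Run a sequence of (timestamp, success) events and collect the decisions."""
    return [record_login_attempt(state, ok, ts, policy) for ts, ok in events]


# Constructed sample: four failures, a fifth that locks the account, a correct
# login during the lockout window, and a correct login after it expires.
BASE = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [(BASE + timedelta(seconds=10 * i), False) for i in range(5)] + [
    (BASE + timedelta(minutes=1), True),
    (BASE + timedelta(minutes=31), True),
]

if __name__ == "__main__":
    policy = LoginPolicy()
    account = AccountState(password_set_at=BASE - timedelta(days=10))
    for (ts, _), decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS, account, policy)):
        print(ts.time(), decision)
```

The decisions for the constructed sequence are four rejections, a lockout on the fifth failure, a blocked attempt at the one-minute mark, and an acceptance at 31 minutes once the lockout has lapsed and the counter has been reset.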
The call is coming from inside the house: keeping out former employees
Unfortunately, former employees are a real threat to security. When an employee leaves, it’s imperative to have an efficient process for disabling their access. Depending on your organization, the protocol might come directly from HR or through IT. Whatever the chain of command, it needs to be defined, implemented and acted upon.
Not only do you need to disable the individual’s own access; in some instances there are also shared user accounts. That’s why you need a process for tracking shared user accounts and resetting their passwords when necessary.
The Strength of Single Sign-on
Single sign-on allows a user to access multiple applications using a single ID and password. If you implement single sign-on for your marketing platform, your organization’s authentication policy is applied to that platform as well. It also means that there is a single point of access to disable when users move on from your organization.
Under Attack – Basic Survival Skills
In the unfortunate event of a security breach, do you and your team know the steps to follow? An incident response policy should be defined and regularly communicated. If you find you have been hacked, don’t be the one whose mistakes increase the danger. Be prepared.
Don’t go into the basement (Securing access within the platform)
Roles and Responsibilities
Whether you have two users or 1,000, it’s important to assign the correct permissions to every user. The more users you have, the more user roles you need to manage, but in the long run it reduces errors. It keeps users from wandering into areas of the platform where they don’t have the skill or knowledge to stay safe.
If your user is creating assets, they don’t need access to individual personal data. Your analytics user should be kept to reporting. Provide the access each user group needs to perform their duties efficiently, but not more.
Partner users should follow the same rules as your internal users. Identify the vendor’s role and then assign the appropriate permissions. Some vendors will be working alongside the admins, while a creative agency user may only need access to create emails. As you are auditing partner permissions, it is a good time to be sure that you have the appropriate legal agreements in place for working with your partners.
Segmenting Access to Personal Data
You can go a step further by not only limiting platform access to personal data, but also giving users access to only a subset of the database. For example, if your users are marketing based on regions or business units, then they only need to view and access those records. The user in Transylvania would only have access to the records that have a country equal to Transylvania.
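The two ideas in this section, role-based permissions (creators build assets, analysts only report) and region-scoped access to person records, combine into one deny-by-default check. The following is an added example written for this article, not the marketing platform’s own permission model; the role names, permission names, regions and sample records are all constructed for illustration.

```python
"""Role permissions plus region-scoped record access (illustrative, not platform code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed role model: each role gets only the actions its duties require.
# A role missing from this table has no permissions at all (deny by default).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"manage_users", "read_person", "export_person",
                        "create_asset", "view_report"}),
    "regional_marketer": frozenset({"read_person", "create_asset", "view_report"}),
    "creative_agency": frozenset({"create_asset"}),      # partner: emails only
    "analyst": frozenset({"view_report"}),               # reporting, no raw records
}

# Actions that touch individual person records and therefore need a region scope.
RECORD_ACTIONS = frozenset({"read_person", "export_person"})
ALL_REGIONS = "*"   # sentinel placed in a user's regions to mean "no region filter"


@dataclass(frozen=True)
class User:
    name: str
    role: str
    regions: FrozenSet[str] = frozenset()   # empty set: no person records visible


@dataclass(frozen=True)
class PersonRecord:
    record_id: int
    country: str
    email: str


def has_permission(user: User, action: str) -> bool:
    """Role check: unknown roles and unlisted actions are denied."""
    return action in ROLE_PERMISSIONS.get(user.role, frozenset())


def can_access_record(user: User, action: str, record: PersonRecord) -> bool:
    """Role check first, then the record's country must fall inside the user's regions."""
    if not has_permission(user, action):
        return False
    if action not in RECORD_ACTIONS:
        return True          # e.g. create_asset does not expose any record
    if ALL_REGIONS in user.regions:
        return True
    return record.country in user.regions


def visible_records(user: User, records: List[PersonRecord]) -> List[PersonRecord]:
    """The subset of the database a user may read: what a scoped record view returns."""
    return [r for r in records if can_access_record(user, "read_person", r)]


# Constructed sample database and users.
SAMPLE_RECORDS = [
    PersonRecord(1, "Transylvania", "jonathan@example.com"),
    PersonRecord(2, "Wallachia", "mina@example.com"),
    PersonRecord(3, "Transylvania", "lucy@example.com"),
]
ADMIN = User("renfield", "admin", frozenset({ALL_REGIONS}))
MARKETER = User("vlad", "regional_marketer", frozenset({"Transylvania"}))
ANALYST = User("abraham", "analyst", frozenset({ALL_REGIONS}))   # role still blocks records
AGENCY = User("quincey", "creative_agency")

if __name__ == "__main__":
    for user in (ADMIN, MARKETER, ANALYST, AGENCY):
        ids = [r.record_id for r in visible_records(user, SAMPLE_RECORDS)]
        print(f"{user.name:10} ({user.role}): records {ids}")
```

Note that the analyst is granted every region yet sees no records, because the role check runs before the region check: a scope is only meaningful once the role allows the action at all. The regional marketer sees the two Transylvania records and nothing from Wallachia, which is the behaviour described above.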
Although the obstacles to securing your data might seem daunting, with the right strategy, planning, and tools in place, you can lock out the intruders, eliminate the breaches, and keep everyone behind closed doors safe.
If you need any help fortifying your data, let us know. We are always here to help.