The Optus Breach.
A risk perspective for CMO's and Marketing Teams.
Should CMO's, Heads of Marketing and/or marketing teams pay special attention to the Optus breach, or any breach for that matter? And is there value in understanding security concerns more broadly and educating on the potential risks to help minimise the risks to organisations and businesses (regardless of size)?
Yes - is the simple answer.
Marketing teams should pay attention because while the Optus breach likely had nothing to do with marketing, the fact that Marketing teams are heavily reliant on customer data to function (and thus Personally Identifiable Information or PII) this makes them accountable for some level of customer data security.
Why? Security is a whole of business activity and relies on many lines of defence.
You can never be 100% secure but that doesn't mean you shouldn't take continual steps to protect your systems and data - and this can't just be left to technology or security teams.
Marketing capability and activities can sometimes 'slip the net' where it's possible to provision platforms, leverage third-parties and share data without oversight or understanding the implications.
Our experience has also been that the smaller organisations may have greater risk profiles because they tend to lack the controls and governance that large businesses have (though this is not always true, generally it is the case).
We'll cover some principles and areas of concern or risk to pay attention to - how to think about security, common pitfalls and what to do about them.
The risk isn't just brand reputation and damage: as mandatory breach notifications come into effect and companies come under greater privacy controls there will be serious consequences for companies and individuals financially as well.
As you can see from the Optus fallout - there are already calls for tighter legislation on privacy and data.
Secure Principles.
While there are frameworks and standards available for managing cyber security risk (including ones like NIST or ISO27001) - practically these frameworks are quite broad and tend to be implemented by Security or Technology teams, rather than being spearheaded by Marketing.
The Australian Privacy Principles (APP) give a good basis to consider the protection and management of customer data - and every Marketing team should understand them.
The APP covers guidelines on data collection, use and disclosure but stops at true practical information on what to do and what to look for. Similarly, Europe and the United States have similar principles to abide by (they are common sense though).
From a marketing perspective extend on the APP principles to consider practical aspects by asking:
Do you know what kind of data you are using?
Do you know what kind of data you are responsible for?
Do you know how that data is being stored?
Do you know how the data is being used?
Do you know who has access to that data?
Do you know how the data is being accessed?
Do you know how that data is deleted or destroyed when no longer needed?
If one or more of those questions isn't clear to you, or your teams, then you need to consider just how exposed you are or how you get the answers needed.
What are the major risk areas for Marketing?
Due to the reliance on customer data, and in particular, the requirement to use PII to perform even basic personalisation activities means that Marketing teams are custodians and users of data that you don't want to end up in someone else's hands.
Likewise, while needing rich data to deliver marketing outcomes, thinking about security and managing data is not always at the forefront of Marketing teams minds.
In our experience incidents often happen not because of malicious intent but through poor controls, accidents, or mistakes.
We see the following common risk areas for Marketing:
Reliance on cloud-based marketing technology and platforms - which often require placing or integrating customer information in those platforms to operate - you can't personalise and send an email without an email address and a name for example. While these platforms are generally secure and have good security protocols it is the processes around them that present the risk - getting data in, operating on them, sharing data out.
Use of agencies and third-parties to provide expertise and skills - this requires opening marketing and technology platforms to others who may or may not meet or achieve the same security standards as you or your organisation. Third parties can provide a vector of attack to extract customer data (this can even be through a disgruntled agency employee).
Lack of visibility on what happens on platforms - whether you outsource your execution capabilities to an agency, third-party or you have internal teams you may not be across how they use, extract or control customer data. Data may be extracted, manipulated, transferred and stored without necessarily realising the risks associated.
Collection of data and use of customer identifiers - particularly when it comes to advertising, analytics and more advanced technology platforms that provide recommendations, digital optimisation, or orchestration - you will be sharing and potentially disclosing customer identifiers (which can be considered PII) across multiple platforms - while this is a lower risk, we do see instances of unencrypted identifiers like email address being shared or accidentally disclosed.
Disclosure of data for sharing, analysis, and analytical purposes - Marketing teams may often extract, share, or even work directly on customer data sets for analysis purposes. Is that Excel sheet you sent via email password protected? Did it end up with the wrong person? Should you even be emailing customer data?
Lack of understanding on data assets and processes - fundamentals such as documentation, data models, governance processes and controls are often missing or poor. This creates risk in lack of understanding of exactly what is happening with data. There are also educational gaps in just how data can be used or leveraged in ways Marketing teams might not imagine.
Practical tips for Marketing teams to reduce risk.
A combination of common sense, questioning and continual review assist in minimising risk.
Here are a few practical approaches and areas to reduce risk:
Understand your data landscape – given there is not always a clear understanding of the data being used, where it is being used and who has access to it – understanding the landscape is critical. Data is also often fragmented or siloed which makes applying controls harder. One team can be hashing data, and another might not, one team might securely transfer data and one might just email swathes of CSV files. Don't have documentation or a data dictionary? That's another sign of lack of oversight or understanding.
A data audit and catalogue process are crucial. So is keeping those artefacts up to date.
Visibility is important, particularly in smaller organisations where teams can simply put down a credit card, provision a platform, and start using it.
Put controls in place - look at who does and doesn't need access to data. Understand to what extent data access is required for teams and individuals to perform their roles. Build controls either through process, clear policies or leveraging platform functionality to help minimise the accidental (or deliberate) misuse of data. Controls should extend internally and externally and be reviewed regularly.
Ensure clear controls, that they span not just use and processes but also enforce protections (like hashing or securing data) and consider monitoring and tracking.
Leveraging security in platforms - if you are using marketing or advertising technology - use as much in platform security as possible. This can range from encrypting data at rest through to fine security controls on who can access what. Make sure you are actively thinking about hashing or protecting identifiers and data being sent outside of your control.
Ensuring that your Marketing platforms meet general security controls (SOC Type 2, ISO and so on) and then using the security capabilities to their maximum.
Policies - do you and your partners (agencies and so on) have clear policies and processes with respect to technology and data security? Can you ask your partners for a technology security or data management policy? Do your policies clearly explain how data should or shouldn’t be transferred or used?
Having clear policies means that everyone knows what they should be doing to protect data.
Education - are teams regularly reminded of their responsibilities with customer data? Do you have structured training programs and education sessions to refresh or train new staff on the potential hazards and pitfalls?
The Martech and Adtech space move rapidly – we’ve seen in the past the misuse of data by platforms, and the theft or accidental disclosure of data – so educating and informing teams is important.
Clear responsibility and accountability - teams and individuals need to actively understand their roles and responsibilities in protecting or securing data.
When people are clear about their role in securing data, they will make it a priority.
A Final Word.
A frightening aspect of data breaches is that they can often occur and not be noticed – or go undetected for months (or even years).
Optus has been a car crash, but a visible one – therein lies the core of the risk associated with data management for Marketing teams – much of the risk is unseen unless teams make them visible and then prioritise controlling those risks.
If you would like to explore any of the themes in more detail – feel free to reach out to us.