Recent Data Breach Heightens Focus On Email Security Measures
- Published in Data Management
The high-profile data breach Epsilon Interactive reported April 1 caused quite a stir, as the company noted on its web site that “a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system.” BtoC brands including Best Buy, Kroger and Walgreen were among the estimated 2% (of Epsilon’s approximately 2,500 clients) affected by the attack.
While the breach was primarily limited to BtoC organizations, industry experts caution that the incident should serve as a serious wakeup call to BtoB firms. Realizing that a breach like this could have even deeper implications for BtoB organizations, many vendors have been taking proactive steps to help their customers secure email data.
“BtoB clients should be just as concerned if not more because of the larger impact those potential leaked contact points could have if hackers gain access to them,” noted Dennis Dayman, Chief Privacy and Security Officer at Eloqua. “In many cases, BtoB contact points could or do have access to critical and sensitive infrastructures that either large corporations or the world rely on. Unauthorized access to those BtoB systems could have a wider negative effect on things like the economy or to life saving systems.”
As a result of the recent Epsilon data breach, marketing automation vendor Pardot announced that it will begin requiring activation for any unrecognized IP address from which customers access the application, to prevent others from accessing individual accounts in the event that they discover a user’s Pardot username and password.
“Prospects should ask vendors how they protect the accounts that their support team uses, both for the application and their individual email accounts,” said Adam Blitzer, Co-Founder and COO at Pardot. “Similarly, how will the prospect's account be protected once they become a client?”
While the tactics and measures companies can take to protect customer data are extensive, experts advise marketers to be mindful of the following 3 key security tactics:
- Password Management: “Most intrusions happen through the ‘front door’ versus obscure technical ‘back doors,’” noted Joe Colopy, CEO of Bronto Software, an email service provider. “Email Service Providers (ESPs) should have flexible settings that require customers to have ‘strong’ passwords that are changed periodically.”
- User Management: “Not all account managers need full access to all accounts or systems,” according to Eloqua’s Dayman. “Many ESPs’ support personnel have full access to all customers and the databases because it creates short time to address customer needs, but in reality doesn’t truly save the company much more time in having to deal with situations where the data has been breached. What should happen is that certain support personnel have certain access to certain data, but not all.”
- IP Restrictions: “A way to [make intrusions more difficult] is by restricting the IP addresses that one can use to access the application,” according to Bronto’s Colopy. “The typical restriction would be the IP addresses of one’s office so that would make it difficult for the intruder to enter with one’s username and password from within the office network.”
Another strategy vendors pointed to is encrypting data fields to ensure the security of Personally Identifiable Information (PII). “Many ESPs don’t treat email address as PII when they should be,” Dayman said. “An email address today is just as important when connecting to someone as an identity point.”
Genius.com has designed its system to keep Salesforce data within Salesforce, and the company does not replicate any of that sensitive data. “With the number of relatively inexpensive SaaS solutions out there, companies tend to link multiple solutions with multiple databases,” said Sam Weber, CEO of Genius.com. “So if one of the systems is breached, any data replicated in that database is exposed.”
While more organizations migrate to the cloud to operate more efficiently, SaaS application adoption has increased, which has made it more difficult to secure Internet-hosted information and networks. “With the growing acceptance of SaaS solutions, there seems to be a new level of blind faith,” according to Weber. “So before you jump in blindly, ask the hard questions about security, up time, scalability, etc. It's amazing that if you scratch the surface of some of the ‘top players’ in the SaaS space, you will see that they haven't invested much in their infrastructure and many don't even run and maintain their own servers.”
In addition, vendors suggested ESPs should employ multi-factor authentication, not only for employees, but customers as well. “Today, many employees have a simple password that gives them enormous access to customer’s data,” Dayman noted. “To date, you can see that most ESP breaches occurred because an employee with too much access had their PC infected with malware giving the hacker access to simple passwords to the systems. With multi-factor if the employee was infected; the password access would change quickly not either allowing the hacker access or the account access session would expire their access often.”
“Breaches likely happen because individual power users or support employees likely had their passwords compromised,” said Pardot’s Blitzer. “Companies should be using additional security layers to protect these accounts, such as two factor authentication (where you have to enter a code that is updated in real time on your mobile phones, similar to a VPN key, in addition to your password) and IP level security (i.e. access from unrecognized IP address must be white listed).”
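The IP-level controls described above (office address restrictions plus activation for unrecognized addresses) can be sketched as a login gate. This is an added example, not code from Pardot, Bronto, or any vendor quoted here; the account structure, function names, and the RFC 5737 documentation addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

def new_account(office_cidrs):
    """Hypothetical account record: office ranges plus per-IP activation state."""
    return {
        "allowed_nets": [ipaddress.ip_network(c) for c in office_cidrs],
        "activated_ips": set(),   # addresses the owner confirmed out of band
        "pending": {},            # ip -> SHA-256 of the one-time activation token
    }

def check_login(account, password_ok, source_ip):
    """Return 'deny', 'allow', or 'activation_required' for a login attempt."""
    if not password_ok:
        return "deny"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny"             # malformed address: fail closed
    if any(addr in net for net in account["allowed_nets"]):
        return "allow"
    if str(addr) in account["activated_ips"]:
        return "allow"
    # Correct password from an unknown address is not enough on its own.
    return "activation_required"

def request_activation(account, source_ip):
    """Create a one-time token to send to the account owner's registered email."""
    ip = str(ipaddress.ip_address(source_ip))
    token = secrets.token_urlsafe(16)
    account["pending"][ip] = hashlib.sha256(token.encode()).hexdigest()
    return token

def confirm_activation(account, source_ip, token):
    """Activate the address if the token matches; any attempt consumes the token."""
    ip = str(ipaddress.ip_address(source_ip))
    expected = account["pending"].pop(ip, None)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    account["activated_ips"].add(ip)
    return True
```

A stolen username and password used from outside the office range stops at `activation_required` until the token delivered to the owner is presented.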
Experts agree that having a “breach response plan” in place is vital to be prepared to assess and repair damage. “[Coordinate your plan with all relevant departments] so that a quick response can be made,” advised Josh Aberant, Director of Privacy at Marketo. “You don’t want to be figuring out your plan after a breach occurs.”
Aberant said organizations should be prepared for “two main attack vectors” that hackers will use in breaching — technical attacks and social engineering attacks. “You need to be ready to repel both,” he said. “Companies with great security technology have been breached by social engineering so it’s important not to ignore this.”
5 Key Considerations To Mitigate Risk
- Avoid multiple redundant databases whenever possible;
- Have systems and internal team members in place to watch networks and servers for break-in attempts or unexpected changes;
- Consider having a security/privacy officer to keep abreast of security issues and policies;
- Inform prospects how accounts will be protected once they become a client;
- Ensure anti-virus and anti-phishing solutions on all employee computers or terminals are up-to-date.