How to stop your customers' data being stolen
10 checks to ensure your agency is responsible with your customer data.
If we, as an industry, take anything from the data leaks at TalkTalk, British Gas and Morrisons, it should be that we must take every measure we can to secure customer data. Offering customers a more personalised experience means providing an environment where they are confident that the information they provide will be safe. Collecting and storing customer data and finding out more about your users is key to generating leads and gaining customer insight. But in the rush to get campaigns out the door and find affordable ways to create your digital products, ensuring third parties don’t risk your customers’ privacy and your reputations can be overlooked.
Not only do data breaches expose your customers to potential phishing, fraud and social engineering attacks, these days managers' and execs' jobs can be at risk if they are found to have been negligent with security.
If you want your data to stay safe and keep your job, here are some of the basics questions you should always ask:
1. Are you sending unencrypted data over the internet?
There is no excuse for sending data unencrypted over the Internet these days. The cops might not like it, but encrypting everything goes a long way to safeguard your data from eavesdropping as it flies across the Internet.
Ensure your web pages are all on HTTPS
Ensure APIs are over HTTPS
Ask for end-to-end HTTPS if you use a CDN or proxy, otherwise it might only be secure for half the journey
SSH and SFTP should be instead of services like telnet and ftp; this is not the 90s!
Use 2048-bit SSL certificates for your HTTPS
Use a good quality verified SSL certificate when you really need the data to not fall into the wrong hands.
2. Does your agency send you collected data without encryption?
Too many times we’re asked to send the results of a data collection or a customer database to a client via email for it to sit evermore in their inbox unencrypted. This is not only risky during transit, but means if their mail is ever hacked in the future your customer data could be exposed. Ideally all data transfers should be considered and built securely into the workflows you use. Data should be either pushed over an encrypted channel via SFTP or HTTPS to a safe and restricted destination for processing, or downloaded from a secure web interface that requires authentication and again is protected by HTTPS. However, that is only half the story if the data is then going to sit on a server or someone's laptop, data should be encrypted and only decrypted on use, after which the unencrypted version should be deleted permanently. Sticking it in your trash is not good enough! The most secure way to do this is with something like PGP which allows you to both sign and encrypt which keeps it safe, confirms it was sent from a trusted source, and can only be unencrypted by the intended recipient. While there are plenty of PGP tools out there, it is quite an effort to get setup and create ‘keys’ and trust groups and often it is not possible to install software on your users' desktops and give them the training to use it. An alternative method we often use, when PGP is not possible, is to compress into a password protected ZIP file. ZIP tools are installed by default on most Mac, Windows and Linux desktops these days. The password then must be sent via another medium; SMS, phone or in person. While this doesn’t protect against some forms of eavesdropping it will prevent the file being picked up from your desktop or email server and accessed directly. Word and Excel have built in password protection which you can enable when saving to disk and this is the most compatible form of encryption, but only works on those Microsoft file formats.
3. Is your application built with the most up-to-date version and the latest libraries?
If you use a popular CMS such as WordPress or Umbraco then it becomes a prime target for data theft the second a security exploit is discovered. CMS and software vendors try to keep exploits secret for as long as possible to reduce the impact of this kind of attack. However, it is certain that if you don’t keep your CMS and software versions up-to-date your service and the data stored within will become exposed. Even if you have a custom-built application, the libraries used to build it could leave you exposed, as in the case with the recent ImageMagick exploit.
To stay safe do the following:
Ensure someone is following the security advisories for all your software, especially your front of house CMS and web stack. E.g. https://wordpress.org/news/category/security
To mitigate against the cost of major updates, ensure your developers choose software that has a history of providing a long life of security updates, ideally with LTS (Long Term Service) releases. This should make updating when there is an exploit much easier.
4. Is your hosting secure and up-to-date?
In additional to your application software the physical or virtualised hosting environment should also be kept up-to-date. This means both the low-level operating system that runs your CMS or application to the firewalls, proxies, CDNs and routers that sit in front. There is a constant stream of security updates to this part of the stack and you need to be certain that someone is taking care of applying these updates.
Again, insist on LTS operating systems to keep the costs down. E.g. https://wiki.ubuntu.com/LTS
You should receive notifications when your OS or firewall needs to be patched, if you have a redundant setup this shouldn’t cause downtime but may be considered at-risk. We would issue an ‘At-risk’ notification to our clients whenever security patches are to be applied. If you aren’t hearing from your agency/hosting teams about updates then they might not be looking after your stack with enough care and attention.
Either monitor or ask to see evidence that your hosting stack is being audited for security updates.
Expect to need a major update at least every four years. It is unlikely that hosting equipment and software will being kept up-to-date for more time than this. If your setup hasn’t been touched for over fours years then it’s time to perform a thorough review and possibly time to update or replatform.
5. Who has access to your data? Contractors, temps, junior members of staff.
A responsible agency will allow only those who need access to access your data. Ask to see proof of their data protection policy. If you speak to project managers or direct to developers who seem to be able to easily get their hands on full extracts of data or passwords; it is a sure sign that your customers’ data privacy is taken for granted. It might be convenient, but there should be some red tape, escalation or authorisation required before customer data is sent or transferred.
6. Do a bit of due diligence
Create a security questionnaire that all third parties must complete before commissioning work. Your organisation may already have one, or even have a compliance team who can help vet potential agencies.
7. Reassuringly expensive
It’s not just lager that is worth paying a little more for. If you are paying well below market rates for digital work it might make you a star in your FD’s eyes but responsible security requires a little more effort to support the processes, follow compliance and ensure technical implementations. You get what you pay for; if customer data is involved then use a trusted and reputable agency.
8. Security audit
If the digital product is going to be long-lived, or even if it is short-lived but will have a lot of customer data going through, getting a third-party to check the security and implementation could save you a lot of embarrassment, especially if you are an organisation that has been open to attack or hold information that groups would love to get their hands on.
9. Don’t give customer data to anyone in the first place
Track behavior or collect extra information against an anonymous ID that only you or your insights team can marry back to the customer's personal details. Far too often we are offered up all of a client’s customer-data since the beginning of time to crunch or report on. This is not only risky to send, but once it is on a third-party mail server/file server/dropbox etc. that data could be exploited in the future if the agency or even if an employee of that agency is compromised. A security conscious agency should push back at any offer to send private data and work out innovative solutions based around anonymity and security while still meeting your business requirements. If private data has to be sent, they should advise ways for it to be sent securely and let you know exactly by who, and how, it could be accessed.
10. Look for compliancy certification. PCI, ISO 27001 etc.
Compliancy doesn’t guarantee safety, but it is a good indication that your supplier has taken the time to ensure the security of their systems and processes. Larger agencies are likely to have this built in, but it is still worth checking some of the points to ensure it is being put into practice.
Ask any cyber-security expert and they will tell you that it is impossible to provide complete guarantees. However, as I’ve outlined above, there are steps that you can take which will minimise risks and establish a strong framework for working with partners to keep your data safe.
If you have any questions or concerns about your digital solutions - be it around security or something else - Clock can help.