With boards and organisations feeling the heat, is it time for marketers to analyse the customer information they really need and consider more innovative methods to connect with customers and prospects? One of the keys to building a successful sales funnel is understanding what your new and potential customers want. That means collecting and using information about your existing customers and curating a pipeline to attract new customers. While that data is critical for marketing success, it is also a valuable target for cybercriminals.
The days of collecting customer data and storing it for analysis ‘just in case’ are behind us. Beyond the obligations under the Privacy Act and the guidance of the Australian Privacy Principles, holding customer personally identifiable information (PII) that is not needed simply paints a target on the organisation’s back.
Over recent months, Australians have seen their PII stolen by criminals in some of the most significant cyberattacks the country has ever suffered. In each case, there are important lessons for marketing departments around the country to take note of (if they haven’t already).
Lesson 1: Don’t Hold Customer Data You Don’t Need
A significant proportion of data that has been stolen in recent cyberattacks, it can be argued, should not have been held. Data for former customers or from business units that have been divested should be securely deleted.
If there are regulatory obligations to retain aged data, it should be retained in offline systems that are air-gapped from operational systems. That way, if an attacker does gain unauthorised access to systems, the amount of data they can access is limited.
Lesson 2: Have Your Systems Independently Security Tested Regularly
Cybercriminals employ a wide variety of methods to breach defences and gain access to your data. Some of those approaches are well known, such as phishing emails. In other cases, they find weaknesses that you may have missed or don’t even know about.
Independent security tests, such as those conducted by professional penetration testers, employ many of the same tools and methods used by threat actors to find flaws so you can proactively remedy them before an attacker exploits them.
Lesson 3: Invest In Creating a Cybersecurity Aware Culture
Most organisations engage in some form of cybersecurity awareness education. This might be an annual or biannual security training session that feels like a box-ticking exercise to keep the compliance team happy. But cybersecurity culture runs much deeper than that.
Investing in creating a cybersecurity-aware culture means people embed cyber-safe practices into every activity, from how tools are developed and acquired, through to how they log in to systems and what data they collect, share and use. Cybersecurity is not the sole responsibility of any one person; we all have a role to play.
Putting These Lessons Into Practice
Some of the most valuable data stolen by criminals and sold on the dark web are identifiers such as passport, driver’s licence and tax file numbers. The challenge for many organisations is that these identifiers are used to confirm customer identity. In several significant data breaches, the theft of this PII resulted in millions of people needing to receive new identifiers at great cost and inconvenience.
The question marketing teams need to ask is “Do we really need this customer data?” If the answer is “Yes” then they need to question whether they need to store the data indefinitely once it has been used for identity verification. If not, it should be deleted immediately after it’s used. This process should be followed for every piece of data that is collected.
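The process described above (justify every field, keep identifiers only until identity is verified, then drop them) can be enforced in code rather than left to policy documents. The following is an added example, not code from the original article or from any organisation it discusses: a small purpose-based retention policy in Python. The field names, the `POLICY` table, the `verify_identity` stub and the sample submission are all constructed assumptions for illustration; a real system would call its identity-verification provider where the stub is. It goes slightly beyond the text by also reporting fields that were collected with no justified purpose at all.

```python
"""Purpose-based data minimisation for customer records (illustrative example)."""
from enum import Enum


class Purpose(Enum):
    MARKETING = "marketing"        # needed for ongoing campaigns, retained
    VERIFY_ONCE = "verify_once"    # needed only to confirm identity, then purged


# Retention policy: the justified purpose of each collected field (assumed names).
# Any field NOT listed here has no justified purpose and is never stored.
POLICY = {
    "email": Purpose.MARKETING,
    "first_name": Purpose.MARKETING,
    "passport_number": Purpose.VERIFY_ONCE,
    "drivers_licence": Purpose.VERIFY_ONCE,
    "tax_file_number": Purpose.VERIFY_ONCE,
}


def unjustified_fields(record: dict) -> set:
    """Return the 'just in case' fields: collected, but with no purpose in the policy."""
    return {field for field in record if field not in POLICY}


def verify_identity(record: dict) -> bool:
    """Stand-in for the real identity check (assumption: at least one identifier present).

    In production this would call the organisation's verification provider; the
    identifiers are only ever held in memory for the duration of this call.
    """
    return any(
        record.get(field)
        for field, purpose in POLICY.items()
        if purpose is Purpose.VERIFY_ONCE
    )


def minimise(record: dict, verified_on: str) -> dict:
    """Return a new record containing only fields with an ongoing purpose.

    One-off identifiers are replaced by the fact of verification (a flag and an
    ISO date), which is all the business needs later. Unlisted fields are dropped.
    """
    kept = {
        field: value
        for field, value in record.items()
        if POLICY.get(field) is Purpose.MARKETING
    }
    kept["identity_verified"] = True
    kept["verified_on"] = verified_on
    return kept


def onboard(record: dict, verified_on: str) -> dict:
    """Verify, then immediately minimise, so identifiers never reach persistent storage."""
    if not verify_identity(record):
        raise ValueError("identity verification failed; record not stored")
    return minimise(record, verified_on)


# Constructed sample submission with fictional values (not real identifiers).
SAMPLE = {
    "email": "jane@example.com",
    "first_name": "Jane",
    "passport_number": "PA0000000",
    "drivers_licence": "",
    "tax_file_number": "000000000",
    "date_of_birth": "1990-01-01",   # collected 'just in case': no purpose in POLICY
}

if __name__ == "__main__":
    print("collected without justification:", unjustified_fields(SAMPLE))
    print("stored record:", onboard(SAMPLE, "2024-01-01"))
```

The design point is that the stored record is built by allow-listing fields with a current purpose, never by deny-listing the sensitive ones, so a new field added to the form by marketing is dropped by default until someone writes down why it is needed.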
A cyberattack that leads to the loss of customer data from an organisation’s systems carries massive risk to brand and reputation. With boards and organisations feeling the heat, is it time for marketers to analyse what customer information they really need? Data that is no longer needed should be purged, and data that must be retained should be stored away from operational systems. And all systems should be thoroughly tested to ensure any previously unknown vulnerabilities are detected and fixed before criminals find them.