[BreachExchange] 4 Ways To Avoid Data Breaches Through Sales And Marketing Alignment
Destry Winant
destry at riskbasedsecurity.com
Tue Aug 21 00:36:23 EDT 2018
https://www.forbes.com/sites/jenniferdavis/2018/08/20/4-ways-to-avoid-data-breaches-through-sales-and-marketing-alignment/#5dc13cc33c80
Data breaches and privacy vulnerabilities splash across the headlines
each week and cost businesses millions and some of the blame may lie
in the misalignment of sales and marketing.
These announcements unseat executives, obliterate market value, shake
the confidence of customers, necessitate awkward Senate hearings, and
damage the brand for the long term. All of us can think of companies
that have been adversely affected by this violation of trust, and the
impact is significant across industries.
According to the 2018 Cost of a Data Breach Study by Ponemon,
sponsored by IBM IBM +0.31%, the average cost of a data breach in the
US is $7.91 million in direct and indirect expenses and another $4.2
million was the average loss of business following a breach. But even
for smaller incidents, each stolen record costs the business $233,
which is up 4.8% since last year. It doesn’t take many compromised
records to have that figure add up.
And perhaps more shocking, the average global probability of a
material breach in the next 24 months is 27.9%. That means, nearly a
third of companies will have a data breach next year, which means that
nearly a third of customers could be victims of data vulnerabilities.
As you might imagine, the faster the data breach can be detected, the
lower the cost and brand impact. Companies that identified a breach in
less than 100 days saved more than $1 million than their peers that
took the average of 197 days. But better yet, companies can avoid
costly breaches by evaluating their systems and processes and
preventing problems from ever occurring.
How does this relate to sales and marketing misalignment? The Data
Breach Study attributes 27% of breaches to “human error” and 25% to
“system glitches.” These combine to cause most data vulnerabilities.
Because the systems used by sales and marketing contain some of the
richest customer data and largest user populations with access to data
they represent a significant business risk hiding in plain sight.
Here are four areas in which you can assess your risk of a breach and
some best practices to address each:
Beware of Separate MarTech and SalesTech Stacks
If you hang around a modern marketing organization you will hear terms
bantered around frequently: CMS, marketing automation, sales
enablement platforms, e-commerce, customer relationship management or
sales force automation tools. These are often abbreviated “MarTech”
(as in Marketing Technology) or SalesTech (Sales Technology). And it
is not uncommon to have these systems in organizational silos without
integration, data synchronization, or a common view of the customer.
“Multiple applications, in many cases, have duplicate data to
accomplish the same objective,” commented Joan Netzel, CPA and
professional board member, former group vice president and internal
auditor for SunTrust Banks and former CFO of the New Mexico Mortgage
Finance Authority. “One key risk is that the data is not accurate from
system to system, which poses a problem with reporting and decision
making.” This has implications on the customer experience, management
effectiveness, compliance with GDPR and other regulations, and the
ability of the organization to fully leverage relationships, but it
holds another risk: it can make your systems more susceptible to data
vulnerabilities. Companies are quick to overlook the data breaches
that happen every day when territory salespeople leave the company and
take contacts and contract details of clients with them on their
personal devices.
Actions you can take: Look closely at the integration or duplication
of systems between sales and marketing and the access rights to each.
Often misalignments in annual objectives and management styles can
manifest in system proliferation, each with a different set of access
controls. And don’t forget the hidden sales systems that exist in
employee’s email inboxes, contact directories on their phones, shared
drives, or on spreadsheets, outside the formal CRM systems.
Beware of System Proliferation
It is not uncommon in large companies or companies that have grown
through acquisition to have a number of competing systems all in
simultaneous operation. One company may have dozens of separate CRM
instances or point solutions in the sales and marketing space, across
multiple vendors and hosting models. With this disarray in their
system ecosystem, vulnerabilities around data usage and access are
often hidden in the mix.
Plus, the features of these robust and expensive platforms go
under-utilized. As author and consultant David Taber wrote for CIO
Magazine “no amount of ‘best in breed’ features will make a difference
if their data is an uncoordinated mess.”
Furthermore, systems tend to multiply when governance is not strong.
In organizations of all sizes, shadow IT organizations (or “hidden
factories”) can build and implement solutions in the organization
without explicit organizational approval. This is becoming
increasingly easier in a world of cloud computing or when applications
are offered in Software as a Service (SaaS) business models, where
anyone with budget authority can implement solutions, without the
technical expertise previously required for on-premises installations.
This ease of database provisioning and application deployment in the
cloud has real benefits to the enterprise, of course, but it can
exacerbate organizational dysfunction. And the ubiquity of API-style
connections between tools makes sharing sensitive data with
third-parties easier than ever before.
Actions you can take: Building on the investigation above, conduct a
full inventory of the systems used at your company that store or share
customer data of any type. Review the data policies of your vendors.
You will likely be shocked by how many systems are in use and can put
a plan into place to streamline and consolidate as required.
Beware of System of Record and Data Ownership Ambiguity
“Decisions around technology platforms need a holistic approach,”
continued Netzel. Never is this truer than when companies are
determining their systems of record: the computer system or
application which will serve as the company’s authoritative data
source for customer data. Not the pet system of one department or the
other, but for the enterprise as a whole. “The customer demographic
data regarding sales and products, need to be in sync with the system
of record and a reconciliation of that data in separate systems needs
to be designed and performed periodically,” Netzel advised. It is
critical that each system has a “data owner who is responsible for
determining who has access to the data and for how long,” explained
Donna Gallaher, an IT and cybersecurity advisor who holds active
CISSP, C|CISO, and CIPP/E certifications. “That data owner should be
tracking exceptions and ensuring that access is removed when no longer
needed, even though IT or the security team implements the controls.”
Actions you can take: Go to your ecosystem inventory and ensure that
every system has a unique and defined purpose and a data owner that
has defined processes for access controls. Once you know how many
systems you use and which you intend to serve as the system of record,
you can decide which should be phased out of operation, which could
not only lead to reduced risk, but reduced costs as well.
Beware of Ill-Defined Security Policies
It is not uncommon for companies to have an employee manual or other
documents which outline behavior expectations of their employees, but
many companies do not have a written security policy that covers
topics beyond acceptable use, to include password and encryption
standards, data retention standards, access management procedures and
other critical elements. “A key element of a security program is the
maturity of a company’s employee and contractor onboarding and
offboarding process,” Gallaher offered. “Access rights should be
defined for each job role, and there should be procedures in place for
granting and removing access to all required systems.” This requires
another system of record to be defined for employee data. “Typically,
either Active Directory [email and network access system] or the HRIS
[human resources information system] is the system of record with one
system feeding data into the other,” she continued. “It is important
for companies to determine which is the system of record and who owns
the data, and to design the rest of the processes for granting and
removing access rights around that system of record and data owner.”
Actions to take: Gallaher suggests that “everyone should have
security responsibilities in their job description” and understand
what systems and tools they need for their role and how to secure the
data in those systems according to the policy.
In summary, “the most important thing is to decide on your system of
record and to assign a data owner,” Gallaher offered. However, data
vulnerabilities and risk assessment can not be delegated. The
responsibility must be shared across the enterprise. “It is common for
businesses to try to shift risk to the IT or security organization,”
Gallaher added, “but the business always owns the risk.” No matter who
works on the systems or administers policy, the business ultimately
owns the impact. Sales and marketing must align, with other groups
and interests of the business, to ensure the systems they use every
day, to communicate with customers or track the sales pipeline, don’t
end up costing the business a breach.
More information about the BreachExchange
mailing list