By Ryan Deutsch, VP Strategic Services, StrongMail
E-mail marketers constantly discuss concepts like relevance, lifetime value, dynamic content, automation and delivery. But what about the more mundane topics like data security? In the last few months, consumers have received a number of notifications explaining that security failures have compromised e-mail addresses and provided third parties with potential access to digital identities.
When brands are asked about the importance of data security, all will explain how seriously they take protecting subscribers' personally identifiable information (PII). However, many seem to place security below the line when looking at their e-mail programme investment. Financial services firms seem to be the only exception to this rule. Underestimating the importance of data security within the e-mail channel can be a huge liability. Now, more than ever, e-mail marketers must establish a level of trust with subscribers.
E-mail alternatives (the social web, mobile applications, and communities) are rampant, and consumers are constantly reconsidering the best way to interact with brands. E-mail marketers must also realise that most sophisticated programmes use a material amount of PII in campaign execution. PII is defined as information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. An e-mail address alone is categorised as a digital identifier and considered PII. Add to that everything from browsing behaviour to transaction history, and an e-mail database can quickly become home to significant amounts of PII.
Given the amount of press on the topic in recent months, it is critical for e-mail marketers to take a close look at how data security, and the related trust between brand and subscriber, is prioritised within programme management.
E-mail marketers (and the companies that support them) should not panic at the recent security issues facing the industry. In general, e-mail marketers have done a good job protecting the subscription and preference data that forms the basis of the permission marketing channel. That said, there are a few things that all brands should consider immediately.
Risk assessment: Like anything else, investment in security around e-mail data should be based on the corresponding risks around data loss and illegal access. All brands, regardless of size, risk consumer mistrust and list attrition in the event of a data loss. This means that brands relying on e-mail for top-line revenue must take data security seriously. In addition, large brands often find themselves susceptible to litigation as consumers and activist groups seek to take advantage of "deep pockets" via the courts. These companies should take extra precautions against data vulnerability. Finally, there are serious legal consequences to specific industries like financial services if PII is not kept safe. Companies in these industries should be extremely careful and in some cases consider ‘insourcing’ as the most appropriate option.
Ask information technology for an audit. Most large firms in Europe and the United States take data security seriously. In fact, there are often individuals and entire departments tasked with keeping consumer information secure. These teams tend to focus on internal systems that are deployed within the corporation's firewalls. Any new service or solution deployed internally for the business should be approved by the IT security teams. This is a double-edged sword. The additional scrutiny results in more secure data, but the price of increased security can be delayed time to market. This issue becomes very complex in the e-mail marketing space as many brands leverage software-as-a-service offerings to create, deploy, and track e-mail communications.
E-mail marketing owners within a brand should invite their internal IT teams to meet with their service providers and apply the same strict guidelines to the ESP as they do to internally-deployed technologies. To put a fine point on it, according to a survey conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), 70% of compliance professionals feel that their organisations are well or very well prepared to fend off malicious hacker attacks; however, their confidence wanes significantly when assessing other data breach threats. For example, 41% felt it was very or somewhat likely that an accidental breach could occur by third-party vendors. Internal IT teams can help the e-mail marketer and their vendors feel more secure.
Third-party audits. Brands where compliance or other factors require a serious commitment to data security should consider investing in penetration testing (pen testing) via third-party solution providers. These third parties can help in the solution design process, making sure that brands not only understand potential security weaknesses but also how to minimise them.
The simple fact is that all systems are susceptible to malicious attacks. As advanced e-mail marketers, it is our responsibility to minimise the chances the "attackers" have when targeting our systems. In the wake of recent events, take a look at your e-mail technology and the data it connects to and ask yourself to what degree system security was audited by your internal teams or third parties. If the answer is unclear, prioritise a security review today.