Data security is a critical, yet overlooked issue for creative agencies. Our latest article will show you why data security matters more than ever and how to get better at it.
On June 27, 2017, WPP was hit by a ransomware attack that crippled several of its companies.
Although WPP was quick to contain the attack, it still cost them an estimated £15M while also disrupting their operations for over two weeks.
WPP, of course, can absorb a £15M loss, but can your agency say the same?
This is the reality agencies have to face today. In a world where data is the new oil, your ability to secure your clients’ data isn’t just important for operations, but also a competitive advantage.
As consumers worry more and more about the safety of their data, brands will increasingly choose agency partners who can promise that their data security won’t be compromised. Strong security practices used to be “good to have”, but they’re now becoming a “must have” for any agency chasing large accounts.
This is precisely the topic I’ll tackle in this post. I’ll show you why data security matters more than ever today, and how to get better at it.
Why Data Security Matters More Than Ever
As an agency leader, you already know that data is the future. While creative is still your strength, more and more clients want decisions backed by data. As AdAge notes, the future will be “about marrying creativity with data”.
And there is so much data. Terabytes and petabytes of it. From Facebook to your website to IoT devices, there is more data than brands actually know what to do with.
This vast amount of data, along with changes in the way agencies work, have made data security more important than ever before.
WPP’s statement released in June 2017 following the data breach
I’ll share my list of the top four reasons why securing your data should be a key focus for your agency in 2019 and beyond:
1. Changing work culture
Agencies, for all their Bohemian creative spark, used to operate like any other business. Employees would come into the office, work on their systems, and clock out. Security was simpler since IT only had to maintain the on-premise systems.
As a modern agency leader, you know things are vastly different today.
There are three phenomena driving this “difference” today:
- Remote work: More and more agencies are eschewing the traditional office setup in favor of remote work. While this can save you money, it also increases your risk profile - remote workers don’t always have access to secure networks.
- BYOD (Bring Your Own Device) policies: On paper, the idea of “bringing your own device” to work is great. You don’t have to invest in expensive IT infrastructure and people get to use their favorite devices at any time. But there is also a huge risk - not all devices are updated at the same time. A single device running outdated software can leave you vulnerable to hack.
- Freelancers: As agencies increasingly turn to freelancers and subcontractors, data security becomes a challenge again. Your people might have the most recent, safest version of a software, but can you say the same for your subcontractors?
Small businesses are increasingly turning to freelancers as this LinkedIn survey shows
Increasingly, these new policies are becoming the default way work happens in agencies. While it might be great for saving money and increasing flexibility, it also increases your risk profile substantially.
2. Multiple points of failure
If you were a creative web development agency in 2004, your work would largely consist of creating a client’s website.
Today, that same shop might have a website, a blog, multiple apps, IoT devices, Alexa skills, and social media profiles for the same client.
As the breadth of work creative agencies do has increased, so has the potential for failure. The more assets you have tied to a client, the more entry points a hacker has to the client’s data. You might have secured the website, but can you say the same about the IoT app, the Android app, and the blog?
For example, most WordPress hacks happen through compromised plugins, not brute force attacks (where they guess your password). Hackers find an outdated plugin and use that to gain access to your entire WordPress system.
It doesn’t help that more and more agencies rely on frameworks that they don’t own or control. You might have made your blog 100% secure, but if a new WordPress update breaks its security protocols, you’re made vulnerable.
Throw in the fact that brands often have a presence on platforms that are no longer active or regularly updated (Windows Phone, anyone?) and you have a recipe for a security disaster.
3. Changing legislation
If you were to time travel to May 2018, you would find agencies around the world in a state of panic.
Why? Because the implementation date for the General Data Protection Regulation (GDPR) was right around the corner (May 25, 2018).
GDPR is likely only the first of many future laws that will inevitably be passed to control how businesses capture and secure data. The concerns - mostly legitimate - from privacy advocates has ensured that the conversation has shifted in favor of more regulation and control.
In this situation, agencies that can anticipate these legislative changes and bake security into their data policies stand to win. A brand would much rather work with an agency that always secures its data than one that scrambles to respond to legislation every few months.
4. Clients (and their customers) want it
The biggest reason to focus on data security is also the easiest to understand:
Your clients - and the customers they serve - want it.
From Target to the Starwood-Mariott data breaches, customers are increasingly wary of the way their data is collected, stored, and handled. In fact, a survey by StopAd found that 94% of internet users were “somewhat” or “very” concerned about their privacy.
In this environment, brands that can promise to keep their customers’ data secure stand to win big.
Given that hackers often look to weak third party links (such as agencies) for vulnerabilities, any agency that can promise its clients better security has a competitive advantage.
While it is clear that investing in data security is important, the question still remains - how do you actually go about it?
I’ll share some answers in the next section.
How to Improve Your Data Security Practices
There is no “once and done” solution to data security. You can’t build a secure perimeter and call it a day. New bad actors and vulnerabilities emerge every day.
Your approach to data security, thus, must be both comprehensive and proactive. You have to build operational machinery that can withstand breaches without coming to a halt. You also have to actively analyze and fix weak spots.
Let’s look at a five step plan to build data security into your agency operations:
1. Analyze your software systems for vulnerabilities
Data security mishaps usually happen when hackers find their way into your system through a single vulnerable entry point. In WPP’s case, it was a known security lapse in Windows.
Your first step, thus, should be to take stock of your software stack:
- Make a list of every single tool used across your agency, regardless of department or location.
- Specify when each tool was last updated, and whether it is currently being supported by the developer
- Analyze data sharing across these tools. How do different tools interact with each other? What kind of change permissions do they have?
A single outdated, unsupported tool can undermine your entire system. By analyzing your software stack, you can spot these outdated tools and switch to more secure alternatives.
At the same time, also consider how your systems are connected with each other. Limit change permissions as much as possible. That is, unless absolutely necessary, limit tools to just “read” data, not modify or delete it.
For example, you might have a system where you enter data into a spreadsheet which is then imported into your CRM. In this case, the CRM needs “read-only” permissions. If the CRM does get compromised, the lack of editing privileges would mean that hackers can’t actually get to your spreadsheet.
Using a more integrated management system can also help. It’s not always possible to keep dozens of separate systems updated. But with an integrated system like Workamajig, you just have to update one software to keep your entire agency secure.
An integrated system like Workamajig brings all your agency’s functions under a single dashboard, making it easier to manage and secure
2. Review your data sharing and usage policies
Like most agencies, you have subcontractors, freelancers, and remote workers working alongside your regular employees.
How you share data and access across these workers has a big impact on your security.
Think of a freelancer using a pirated version of Photoshop. You give him full access to your Dropbox to share his work. A single compromised PSD file infects your Dropbox, giving a hacker access to all your stored data.
The solution to this problem is to:
- Review how you share data and access to critical systems with freelancers
- Review your BYOD (Bring Your Own Device) policies, especially with respect to remote workers
- Create rules that clearly define what systems freelancers get access to, and how remote workers can connect to your internal systems.
For example, you might have a system where freelancers get read-only access to your most important systems. Trusted subcontractors with proven security practices get limited editing rights. And remote workers have to log into a secure network before accessing critical data.
Another practice you can adopt is to revoke access after a certain period of time. Say, once a freelancer has accessed a file, permission to use it is automatically revoked after 30 days.
Your goal should be to isolate your data as much as possible from outside workers. Give people access to only the data they need, and only when they need it.
3. Build data security into your risk management plans
We’ve blogged about the importance of risk management for the success of every project. While everyone talks about clear communication and better leadership, data security is seldom a feature of risk management plans.
This leaves you with limited options in case of a data breach. You (or your project managers) don’t know who to reach out to, how to limit the damage, and how to safeguard the rest of the project.
Going forward, make data security a key part of your risk management approach. Treat it like any other risk and specify the following:
- Potential security threats (such as a stakeholder clicking on a phishing email) and what systems they might affect
- Safeguards and “kill switches” in case of a data breach
- Critical systems and their security protocols (such as 2-factor authentication system to access data)
- Proactive measures in case of a data breach, including specific people to contact
At the same time, it also helps to build a knowledge base of data security risks. Use one of the four risk identification tactics we listed here to figure out potential issues.
Once identified, develop a mitigation plan for each of these issues. These must cover immediate, short-term, and long-term solutions.
For example, if one of your identified risks is a compromised Dropbox/Google Drive/OneDrive account due to a phishing email, your risk mitigation plan would be:
- Revoke usage access to the compromised system (Immediate)
- Move to a more secure file storage system (Short-term)
- Build an in-house file storage system (Long-term)
4. Train your employees to identify and avoid security threats
When people think of a data breach, they usually think of a Matrixesque figure coding his way into secure systems.
In the real world, hackers don’t look like extras from The Matrix. Instead, they use social engineering and simple phishing tactics (Image source)
But a majority of data breaches are a lot less exciting. They’re carried out not by sophisticated programming but by social engineering and simple phishing tactics. In fact, a study found that 81% of data breaches simply used weak passwords, while 43% used social attacks.
While you should definitely build up your security practices, it is critical that you also train your employees to spot these “hacking” tactics. Conduct a workshop or two. Make data security a part of new employee onboarding. And have company-wide rules on what kind of links, texts, and emails to avoid.
It is far easier to prevent a hack in the first place by educating your employees than to fix the aftermath of a data breach.
5. Build your data security team
Do you have a data security officer? An IT team that knows how to isolate and fix data breaches? A security partner that’s constantly testing your network for vulnerabilities?
If you’re like most agencies, your answer to these questions is likely ‘no’.
In this data-driven age, agencies can’t really ignore data security-focused positions. A Head of Data Security should be as much a part of your organization as a Head of SEO or a Head of Content.
After all, if all your creative work springs from data, shouldn’t it be a priority to safeguard the data as well?
Of course, while all of these are long-term solutions, you shouldn’t ignore simple, short-term fixes. Easy steps such as enabling 2-factor authentication, using HTTPS, etc. can improve security drastically.
In the long-run, employee education, more secure software, and better security practices should be your top focus. Do these and you’ll save your clients’ data from security breaches and give yourself a massive competitive advantage.
Try switching to a more secure integrated software like Workamajig. Click the link below to get a free demo and see it in action yourself.