By Daniel J. Murphy
I've been meaning to write this post for a while. Cybersecurity is a really important topic, yet very few are writing about cybersecurity specific to marketing teams. That's probably because marketers don't take security seriously enough. After you've been hacked, you'll really regret not taking basic measures to secure your data. At my last startup our engineering team was adamant about always improving our security procedures. That extended beyond engineering into marketing, so I learned a lot.
This post is a five minute read with basic security 101 tips to minimize your marketing team's vulnerabilities.
Why is cybersecurity important to marketing teams?
Think about your company's most recent valuation. $100m or something? $300m or something? Where is that value? For the purposes of this post, let’s summarize the value in three parts: the team, the product, and the business you are doing. Which of those is most vulnerable to a hacker stealing for monetary gain?
The team? Well, no one is going to come kidnap your team from the office. That’s just not likely.
Nor is it reasonable to assume the greatest vulnerability is someone stealing your product. Not with the high security of cloud computing services like AWS. On top of that, if your company is worth hundreds of millions of dollars, you probably have a team of DevOps engineers whose sole focus is the security of your product, right? Not to say that hackers are constantly targeting your product, it's just not the most vulnerable valued part of your company.
What about the business you are doing? What’s vulnerable there? Someone with bad intentions would love to steal your leads and their personal information. If you have thousands, tens of thousands or hundreds of thousands of leads, you are a target for hackers and you’re probably more susceptible to an attack than you think.
While your title might say marketer, you should also consider yourself to be security. Your vault of leads' personal data should be as secure as possible. Luckily, there are plenty of tools and best practices that can help you secure your vault.
Set up 2FA for your accounts
One of the best security mechanisms for software technology is two-factor authentication (2FA). If you're not using it today, here is what it is: two-factor authentication requires a user to connect his or her mobile phone number to an account, such as email, so that his or her identity is confirmed on two different components.
How does it work?
When you log into your account you are sent an SMS text with a numerical code that will unlock your account and is only good for about thirty seconds. That way even if someone obtained your password, they wouldn't be able to sign into your account without physically having your phone too.
Most enterprise software products offer 2FA with their products for free. Set up 2FA for all your accounts such as your CRM, CMS, Slack, Twitter, and anywhere else where sensitive data lives.
What if the product you’re using today doesn’t have 2FA?
Request it. Reach out to their support team or jump onto their forum and write a post. It’s surprising that even some of the major players in marketing automation, CRM and CMS platforms still don’t have this really important security feature.
Use a password manager with randomly generated passwords
Hackers don't just write sophisticated code that somehow grants access to password databases and thus access to accounts.
Maybe you watched this scene in Swordfish and thought that's how all hackers did it? No.
Some hackers just find personal information about you, like your street address, your family’s favorite vacation spot, or perhaps the name of your childhood pet. With enough attempts they can figure out the password. So how do you prevent a hacker from guessing the right password AND still be able to remember it? Try using a password manager app like 1Password, Dashlane or LastPass.
With password managers there is only one entry point (the password manager) with hopefully a very strong password that you can remember. From there all your passwords are saved within the secure vault of the password manager. With these managers you can set your passwords to randomly generated words, letters, numbers and symbols that your manager will remember. Most password managers have browser extensions, so when you log into any of your accounts, you can log into your manager and select the account which will autofill the password.
Are randomly generated passwords in password managers a suitable replacement for 2FA?
No. Password managers use only one component (your computer), so they aren't a suitable replacement for 2FA. Password managers do, however, have functionality to work with 2FA, making the process a bit easier on you but still very difficult for a hacker.
Don’t save passwords on your browser
After you’ve set up your password manager, there’s something important you want to do. When you fill out the credentials to access one of your accounts, you get a prompt from your browser asking “Remember this password?” From now on, always click “Never.” If you were to forget your computer at a coffee shop, on a plane or somewhere else, you wouldn’t want to make it easy for someone to get into all your accounts.
I know it’s not easy to remember all your passwords, especially as you should have many that you use. But having a password manager solves this issue, so there’s no excuse for saving login credentials to your browser.
If you have saved these passwords on your browser in the past, to erase them navigate to your browser's settings and look for "manage passwords." You can also Google "how to clear my browser passwords for <browser name>" and find step-by-step documentation.
Be careful opening your emails
One of the most common types of cybersecurity attacks is called email phishing. In a phishing attack, a hacker disguises themselves as a reputable company and uses an email to lure you into downloading a file or filling out a form on their website.
As marketers we both send and receive a lot of email. So we’re often quick to investigate an email by skimming it and clicking a link. Before you click anything in a suspicious email, check the links. What’s the domain of the link? Does it match the sender’s domain?
Phishing is no longer just Nigerian princes asking for donations. It’s difficult to spot phishing attacks because they are becoming very sophisticated.
Just this year, a phishing attack made headlines after attackers sent emails that looked like an invite to a Google Doc. Anyone can stylize an email to look any way they want, including as an invitation email for Google Docs.
This attack allowed hackers access to victims' email and to their address books. For marketers, hackers gaining access to email could mean really bad things. Have you ever shared a list of contacts via an email attachment? Or have you ever exported contacts out of your CRM, which is sent to you via an email? Bad things can happen not just to you but to your company.
Always update your software when new releases become available
When a new update to macOS pops up on your desktop, how often do you ignore it until it forces the update? You really should install updates whenever they come out. Why? Because software updates to your operating system, web browser and other software often close security loopholes. Cybersecurity is a constant battle, and no amount of enhancements will result in a 100% impenetrable system. But the more up to date your software is, the more secure you will be.
I had a colleague in a previous job who refused to update his software for years. He was an entire major release behind on macOS. While we joked about it, in reality he was a major threat to our security. Apple engineers are making improvements every day to make their operating system more secure. Make sure you check with your team that they are regularly updating their operating system, browser and other applications.
Constantly review user access and control on your accounts
Cloud computing brought about easy access for sharing data (like spreadsheets or word documents). You can add someone to an account then remove them when they no longer need access. But because it’s so simple, you might forget who you granted access and how much access you gave them.
If you’re a startup marketer, you probably have contractors and consultants on some of your critical accounts, such as HubSpot or Marketo. When you add an outside consultant to your account make sure you provide them with limited access, only what he or she needs. While you might trust most of your consultants, consider that they are paid a fraction of the net worth of your database.
Also, you don’t know what types of security protocols your vendors practice (do they use 2FA? Password managers?). You should regularly review your user management settings for all your major accounts and remove anyone that no longer needs access as soon as possible. If an employee leaves the company, remove them from all accounts right away.
While all these things might help you become more secure, no system is impervious to hackers. You can practice better security procedures and still get hacked. But you greatly reduce your risk when you take security seriously and advocate to your team to be more secure.
If you have questions, feedback or perhaps cybersecurity horror stories, please share below in the comments!