A guide to cyber security for marketing agencies

If your marketing agency is under the impression that cyber security is strictly an IT issue, you should think again.

Effective security is a company-wide commitment, and marketers play one of the most crucial roles. Consider how much personal data you collect; if that information is lost or stolen, it will severely damage your customer relationships.

In fact, a Ping Identity survey found that 78% of people would stop using an organisation’s online services if it had experienced a breach.

So, what should marketing agencies do to reduce the risk of cyber attacks and protect their reputation? Here are our three top tips.

1. Adopt an ISMS to manage the data you collect

Given the amount of data that marketing agencies collect, it’s essential that staff have a hands-on role in protecting their organisation – which is why an ISMS (information security management system) is essential.

The system helps organisations manage, monitor and improve their security practices in one place.

It does this by taking a holistic approach to information security in which processes, policies and technology are considered together. As such, organisations can be sure that they’ve identified relevant risks and implemented appropriate defences.

You can find out how to implement an ISMS with the help of ISO 27001, which outlines a best-practice approach.

IT Governance offers a variety of resources to help organisations understand and implement ISO 27001’s requirements. We recommend starting with our free guide: Cyber Security and ISO 27001 – Addressing the cyber threat landscape.

It contains an introduction to the Standard, explaining the ways ISO 27001 can help secure your organisation and why a management system is just as important as technical solutions.

2. Meet your data protection by design and by default requirements

You might be familiar with the concept of data protection by design and by default; they are a pair of related approaches to information security that instruct organisations on how to implement information security and privacy measures.

They were considered good practice under the DPA (Data Protection Act) 1998, but they have became a legal requirement under the GDPR (General Data Protection Regulation) and – following the UK’s departure from the EU – the UK GDPR.

Data protection by design states that information security and privacy concerns must be considered at the outset of any new system, service, product or process rather than being bolted on afterwards.

This includes requirements such as conducting DPIAs (data protection impact assessments) when developing anything that’s used to process personal data, and writing privacy notices and data protection policies in simple, easy-to-understand language.

Data protection by default requires organisations to only conduct data processing activities if they are necessary to achieve a specific goal.

To comply with this requirement, you must assume a ‘privacy-first’ stance with any default settings on systems and applications, and refrain from processing additional data unless there is a lawful basis to do so.

You should also ensure that personal data isn’t automatically made publicly available, provide individuals with enough options to exercise their data subject rights and make sure that any choices you give individuals are legitimate.

3. Marketing and IT must work together

Cyber security may not be about IT alone, but it’s still important. Marketers rely on technology for, say, automated processing and data analytics, and they must ensure that the tools they use to do this are secure.

It only takes one misconfigured database or software vulnerability for you to leak clients’ personal details across the Internet.

That’s why marketers must collaborate with IT, giving the team a chance to review any technology that you plan to implement.

The IT team may approve or reject your proposed technology, depending on how secure it is, or it could say that specific safeguards must be installed to mitigate the risk of a breach.

Privacy essentials for marketers

As marketing departments become increasingly reliant on technology and automation, it’s crucial that they understand the role they play in data protection.

This blog has given an overview of the ways marketers must consider cyber security, but there is much more to learn, as we explain in our Privacy Essentials for Marketers Training Course.

In this one-day course, our expert trainer demonstrates the privacy considerations that come with building and maintaining websites, applications and marketing campaigns.

They’ll also explain the impact of the GDPR and the DPA 2018 on your marketing strategies, including analytics, referral programmes and list-building activities.

You’ll also gain an insight into conducting effective market research and customer surveys, as well as the use of social media and email.

Find out more