
3. Data security

Digital marketing relies on consuming, handling, and sharing huge amounts of consumer data. This data needs to be kept secure in transit, in storage, and when required by connected systems.

Data security and data protection overlap a great deal. They both seek to secure the processing of data.

Data security is more concerned with addressing threats, while data protection is more about responsibly managing and using that data.

In digital marketing, both are equally important. While much of the discussion about user data revolves around regulatory compliance, anyone working with data in a data controller organization needs to understand the concepts of threat prevention, data safeguarding, access control, and incident response.

Additionally, much of the discussion around data security and protection has been muddled with confusing terminology.

In this Topic, you will learn the difference between encoding, encrypting, hashing, and other key terminology.

In the realm of technical marketing, data is not just a resource; it’s a responsibility.

Safeguarding this data is fundamental to maintaining trust, complying with legal standards, and ensuring the integrity of the data used, for example, with marketing campaigns.

Don’t miss this fact!

As a technical marketer, you shouldn’t be involved with data protection and data security just because you are legally obligated to do so. You need to understand that it is your responsibility to proactively participate in data protection and security practices in your organization.

Data security and digital marketing

Even though you might not be a security engineer, you do need to understand how deeply interconnected digital marketing and data security are. Your world revolves around data, and data is one of the most precious utilities that companies need to secure.

Data security is fundamental in trust and brand reputation. Consumers are smart. They are increasingly aware of data privacy and security as well as their rights to access their own data. Brands that demonstrate a commitment to protect and secure customer data have a competitive advantage.

Conversely, data breaches and data leaks can significantly harm a brand’s reputation. Once you send that dreaded disclosure email to your customers, you will always be known as the company that compromised its customers’ data. Effective data security practices in digital marketing help proactively address potential threats.

Data breach notification from haveibeenpwned.com

Overlap with data protection measures emerges especially when your marketing efforts require forwarding user data to third parties.

Example

If you want to improve the match rate of your conversion efforts, the vendor might invite you to send email addresses and other extremely personal data. Even if this data is hashed, it still needs to be secured so that this sensitive data doesn’t leak beyond its intended recipient.

Enhanced Conversions with Google (source)

Digital marketing as an industry is particularly sensitive to emerging technologies. Whether it’s the Internet of Things, Virtual Reality, Machine Learning, or Artificial Intelligence, digital marketers are quick to find new ways to incorporate these technologies into their marketing processes.

Any time a new technology is utilized, the risk of data security incidents increases. New technology means new threat vectors, and these need to be proactively assessed before the technology can be put into use.

This type of assessment is critical in any organization that wants to take its data protection and data security practices seriously. In addition to periodic audits, the data security practices need to be constantly reviewed to ensure that even small changes in the business environment do not elevate the risk of compromised data security.

Ultimately, any organization’s data security is only as strong as its weakest link. All members of a digital organization need to be trained in data security practices, in proactively identifying and recognizing potential threats (especially those relevant to their jobs), and in correctly escalating incidents to those responsible for data security practices within the organization.

Deep Dive

Encode vs. encrypt vs. hash

“Plain text” data, where the data is stored or transmitted without any type of obfuscation, is the most dangerous type of data. If that data is ever intercepted or leaked, the attackers don’t need to spend any resources on decrypting it – they can instantly make use of the data for nefarious purposes.

The terms encode, encrypt, and hash are often thrown around when discussing obfuscation measures. However, each of the three terms means something different, and the three processes treat data in significantly different ways.

Encoding

Encoding means to transform the data according to a schema. Encoding is reversible – the original, plain text string can be revealed if the schema of the encoding is known.

Encoding isn’t a data security measure. It’s a utility for transforming data into a format supported by the transmission or storage system, especially in cases where the plain text format of the data will not do.

A popular example of encoding is Base64.

String in plain text            String in Base64
technical marketing handbook    dGVjaG5pY2FsIG1hcmtldGluZyBoYW5kYm9vaw==

Encryption

When data is encrypted, it’s transformed in a way that can only be reversed if the encryption key or password is known. This protects the confidentiality of the data, so that only those who have the means to decrypt the information can access it.

However, as encryption is reversible, if an attacker gets hold of the key or password, they can decrypt the data and access it in its original state.

Encryption usually involves either a symmetric key, where encryption and decryption happen with the same key (like a password), or a public key, where encryption and decryption are done with different keys, one of which is typically publicly shared.

String in plain text            String encrypted with AES256
technical marketing handbook    Oi0Mt7LqULoG5DsN7Ki/D3XWVUYHAoEwejpM0f3fVGw=

Encryption used ECB cipher mode with a 128-bit key “teamsimmer012024”; the result was finally encoded with Base64.

Hashing

Hashing is a one-way, irreversible process of transforming data into an alphanumeric representation called a hash (or digest).

Because it is one-way, it can’t be reversed to the original data. Hashes are not encryption, so they can’t be decrypted. To learn the original, plain text string, an attacker would have to try possible input values until one produces the same hash.

Sometimes hashes include a salt. A salt is a secret key added to the plain text data before hashing. This increases the possible input space even more, as now the attacker would also need to know the salt.

Hashes are commonly used with passwords. When you log into an online system, your password is salted and hashed, and the result is compared with the hash stored in the user database. If there is a match, the system knows you are the authenticated user, even though it never stores your actual password (only the hash is stored).

String in plain text            String hashed with SHA256
technical marketing handbook    344c0e27c7c597a34ac563f92f6fc23580ab4a223120bbc65520e362a38bdf18

Data security threats

There are thousands of different threat vectors out there, all of them hungrily looking for weaknesses in systems that they could exploit.

You don’t need to know about all of them, and you don’t need to prepare for all of them. However, you do need to know the most common attack types so that you can participate in discussions within your organization when assessing the level of risk that your precious consumer data can face.

Here is a list of important security-related terms that every technical marketer should be familiar with:

Cyberattacks and hacking

A common, generic attack type is just hacking. It involves the hacker gaining unauthorized access to your computer systems, often with the intent of stealing data, disrupting services, or causing damage.

Phishing

Phishing is a type of social engineering where the attacker contacts the victim, often by email, and tries to trick them into revealing sensitive information like passwords or credit card details. Phishing emails often look like they originate from legitimate sources, and they can even link to fake websites that look like the real thing.

A very poor attempt at phishing from fake UPS

Malware

The term is a portmanteau of “malicious” and “software”. Malware includes viruses, worms, trojans, and ransomware. It’s designed to facilitate hacking, or to otherwise disrupt or gain unauthorized access to computer systems or data.

Ransomware

A type of malware where the victim’s files are encrypted, with the attacker then demanding a ransom payment from the victim to restore access to the files.

Insider threats

Sometimes the organization employs people who are dissatisfied or who want to cause harm to the organization for other reasons. Or sometimes the organization hires contractors without properly vetting them first. These insiders might have access to sensitive systems, which they can misuse to steal or disrupt the information within them.

Data leaks

Data leaks involve unauthorized transmission of data from within an organization to an external destination or recipient. Data leaks can be intentional or accidental. They often occur due to insecure file transfer processes or accidentally sending attachments to the wrong email addresses.

Advanced persistent threats

APTs are prolonged and targeted cyberattacks where the intruder gains access to a network and remains undetected for a significant period of time. The intent is often to steal data rather than to cause direct damage to the systems.

Distributed Denial of Service (DDoS) attacks

These attacks flood the targeted server with requests, forcing it to use all its resources to respond to them, thus being unable to service regular requests. A DDoS attack can take down a website, an app, or even a banking system.

Man-in-the-Middle (MitM) attacks

MitM attacks involve the attacker secretly intercepting, and possibly altering, the communication between two parties who believe they are communicating directly with each other.

Ready for a quick break?

One of the most dangerous attack vectors is manipulating a tired and unfocused individual. For this reason alone, you should take a break right now to relax your mind and ward off the attackers.

Security measures in the data lifecycle

To mitigate risks of data security incidents, implementing robust security measures is an absolute must.

Common sense prevails. If you are tempted to download your company’s customer list to a USB drive, make sure the drive is encrypted and secured with a secret key. If an unprotected drive falls into the wrong hands, you’ve just created a data breach.

In general, any storage solution that you use when working with consumer data should be adequately encrypted. This includes the hard drive of your computer. In the digital age, physical records are often overlooked, but you need to make sure that any physical copies of sensitive data are secured (or destroyed) appropriately.

Another important proactive measure is access control. Granting access needs to be managed just as carefully as removing it. It’s all too common in the world of digital marketing for agencies and contractors to still have full access to your data even though you stopped working together long ago. Access to your systems should be audited periodically, and access should be set to expire after a given amount of time.

Your company IT probably has a strategy for deploying firewalls, antivirus systems, and intrusion detection heuristics. While you don’t need to know how these operate, they might sometimes cause disruptions or latency in your work, as they add overhead to network requests.

Finally, your job as a technical marketer is to be the steward of user data, especially when it relates to marketing. In addition to securing the data, you also need to be mindful of:

  • Data collection: Secure methods should be used during data collection, so that personal data is collected legally and ethically. Don’t collect sensitive information unless you have a legal basis to do so and an actual need for it.
  • Data processing and analysis: Make sure that data integrity and confidentiality are respected when you process data. For example, if joining data from different sources, make sure that it is still distinguishable which parts are personal data and subject to data protection regulation.
  • Data retention and disposal: Data isn’t meant to be stored forever. Set proactive retention limits to data, so that it’s purged after the expiration date is met. Make sure that disposal is done so that it is truly irreversible.

All the Topics in this Chapter have revolved around the concepts and technical jargon of privacy, data protection, and data security. Ultimately, it’s all about responsibility and accountability.

It’s been said many times here: you are responsible for the data that you handle. While there may not always be a legal obligation to protect and secure it, there is a broader ethical obligation to make sure that the data is handled responsibly.

This was the last Chapter of the Technical Marketing Handbook, but in many ways it’s the most important one. The Topics covered here deal with some of the most fundamental questions a digital organization faces.

We trust that you have the motivation to improve yourself on a daily basis when working as a technical marketer.

Key takeaway #1: Data breaches are far too common to ignore

A data breach can be detrimental to a company. Inadvertently releasing passwords, personal data, credit card numbers, or email addresses can turn into a PR nightmare. Hackers are also very good at finding vulnerabilities in systems – sometimes through non-technological means. If your company stores potentially sensitive data, then you must have a contingency plan in place for data breaches.

Key takeaway #2: Hackers are good at what they do

Hackers are always (at least) one step ahead of safeguards. There are so many discovered and undiscovered ways of breaching data security measures that trying to protect against all possible threat vectors is futile. Much of data security is about education – employees need to be taught to spot social engineering schemes, phishing attempts, and potential vulnerabilities in the systems that they use. And, again, a contingency plan needs to be in place for when the inevitable happens.

Key takeaway #3: Secure data throughout its lifecycle

Data security measures should apply at every step of the data lifecycle. At data collection, make sure that only relevant data is collected and only in necessary quantities. At processing and analysis time, focus on data integrity and confidentiality. Utilize retention and disposal measures. Set an expiration time for stored data, and make sure that it’s purged so that disposal is truly irreversible.

Quiz: Data Security

Ready to test what you've learned? Dive into the quiz below!

1. How would you reverse a hash?

2. What do you need to consider when controlling access to a secure system?

3. Why is phishing a particularly nasty threat vector?
