Data security and data protection overlap a great deal. They both seek to secure the processing of data.
Data security is more concerned with addressing threats, while data protection is more about responsibly managing and using that data.
In digital marketing, both are equally important. While much of the discussion about user data revolves around regulatory compliance, anyone working with data in a data controller organization needs to understand the concepts of threat prevention, data safeguarding, access control, and incident response.
Additionally, much of the discussion around data security and protection has been muddled with confusing terminology.
In this Topic, you will learn the difference between encoding, encrypting, hashing, and other key terminology.
In the realm of technical marketing, data is not just a resource; it’s a responsibility.
Safeguarding this data is fundamental to maintaining trust, complying with legal standards, and ensuring the integrity of the data used, for example, with marketing campaigns.
Don’t miss this fact!
As a technical marketer, you shouldn’t be involved with data protection and data security just because you are legally obligated to do so. You need to understand that it is your responsibility to proactively participate in data protection and security practices in your organization.
Data security and digital marketing
Even though you might not be a security engineer, you do need to understand how deeply interconnected digital marketing and data security are. Your world revolves around data, and data is one of the most precious assets that companies need to secure.
Data security is fundamental to trust and brand reputation. Consumers are smart. They are increasingly aware of data privacy and security as well as their rights to access their own data. Brands that demonstrate a commitment to protecting and securing customer data have a competitive advantage.
Conversely, data breaches and data leaks can significantly harm a brand’s reputation. Once you send that dreaded disclosure email to your customers, you will always be known as the company that compromised its customers’ data. Effective data security practices in digital marketing help proactively address potential threats.
Overlap with data protection measures emerges especially when your marketing efforts require forwarding user data to third parties.
Example
If you want to improve the match rate of your conversion efforts, the vendor might invite you to send email addresses and other extremely personal data. Even if this data is hashed, it still needs to be secured so that this sensitive data doesn’t leak beyond its intended recipient.
Digital marketing as an industry is particularly sensitive to emerging technologies. Whether it’s the Internet of Things, Virtual Reality, Machine Learning, or Artificial Intelligence, digital marketers are quick to find new ways to incorporate these technologies into their marketing processes.
Any time a new technology is utilized, the risk of data security incidents increases. New technology means new threat vectors, and these need to be proactively assessed before the technology can be put into use.
This type of assessment is critical in any organization that wants to take its data protection and data security practices seriously. In addition to periodic audits, data security practices need to be constantly reviewed to ensure that even small changes in the business environment do not elevate the risk of compromised data security.
Ultimately, any organization’s data security is only as strong as its weakest link. All members of a digital organization need to be trained in data security practices, in proactively identifying and recognizing potential threats (especially those relevant to their jobs), and in correctly escalating incidents to those responsible for data security practices within the organization.
Deep Dive
Encode vs. encrypt vs. hash
“Plain text” data, where the data is stored or transmitted without any type of obfuscation, is the most dangerous type of data. If that data is ever intercepted or leaked, the attackers don’t need to spend any resources on decrypting it – they can instantly make use of the data for nefarious purposes.
The terms encode, encrypt, and hash are often thrown around when discussing obfuscation measures. However, the three terms mean different things, and all three treat data in significantly different ways.
Encoding
Encoding means transforming the data according to a schema. Encoding is reversible – the original, plain text string can be revealed by anyone who knows the schema of the encoding.
Encoding isn’t a data security measure. It’s a utility to transform the data into a format supported by the transmission or storage systems, especially in cases where the plain text format of the data will not do.
A popular example of encoding is Base64.
| String in plain text | String in Base64 |
|---|---|
| technical marketing handbook | dGVjaG5pY2FsIG1hcmtldGluZyBoYW5kYm9vaw== |
Encryption
When data is encrypted, it’s transformed in such a way that it can only be reversed if the encryption key or password is known. This protects the confidentiality of the data, so that only those who have the means to decrypt the information can access it.
However, as encryption is reversible, if an attacker gets hold of the key or password, they can decrypt the data and access it in its original state.
Encryption usually involves either a symmetric key, where encryption and decryption happen with the same key (like a password), or a public key, where encryption and decryption are done with different keys, one of which is typically publicly shared.
| String in plain text | String encrypted with AES256 |
|---|---|
| technical marketing handbook | Oi0Mt7LqULoG5DsN7Ki/D3XWVUYHAoEwejpM0f3fVGw= |
Hashing
Hashing is a one-way, irreversible process of transforming a string to an alphanumeric representation.
Because it is one-way, it can’t be reversed to the original data. Hashes are not encryption, so they can’t be decrypted. To recover the original, plain text string, an attacker would have to try candidate input values until one produces the same hash.
Sometimes hashes include a salt. A salt is a secret key added to the plain text data before hashing. This increases the possible input space even more, as now the attacker would also need to know the salt.
Hashes are commonly used with passwords. When you log into an online system, your password is salted and hashed and then compared with the hashes in the user database. If there is a match, the system knows you are the authenticated user, even though the system never knows your actual password (as only the hash is stored).
| String in plain text | String hashed with SHA256 |
|---|---|
| technical marketing handbook | 344c0e27c7c597a34ac563f92f6fc23580ab4a223120bbc65520e362a38bdf18 |
Data security threats
There are thousands of different threat vectors out there, all of them hungrily looking for weaknesses in systems that they could exploit.
You don’t need to know about all of them, and you don’t need to prepare for all of them. However, you do need to know the most common attack types so that you can participate in discussions within your organization when assessing the level of risk that your precious consumer data can face.
Here is a list of important security-related terms that every technical marketer should be familiar with:
Cyberattacks and hacking
A common, generic attack type is just hacking. It involves the hacker gaining unauthorized access to your computer systems, often with the intent of stealing data, disrupting services, or causing damage.
Phishing
Phishing is a type of social engineering, where the attacker contacts the victim, often by email, and tries to trick them into revealing sensitive information like passwords or credit cards. Phishing emails often look like they originate from legitimate sources, and they can even use fake websites that look like the real thing.
Malware
The term is a portmanteau of “malicious” and “software”. Malware includes viruses, worms, trojans, and ransomware. It’s designed to facilitate hacking, or to otherwise disrupt or gain unauthorized access to computer systems or data.
Ransomware
A type of malware where the victim’s files are encrypted, with the attacker then demanding a ransom payment from the victim to restore access to the files.
Insider threats
Sometimes the organization employs people who are dissatisfied or who want to cause harm to the organization for other reasons. Or sometimes the organization hires contractors without properly vetting them first. These insiders might have access to sensitive systems, which they can misuse to steal or disrupt information within.
Data leaks
Data leaks involve unauthorized transmission of data from within an organization to an external destination or recipient. Data leaks can be intentional or accidental. They often occur due to insecure file transfer processes or accidentally sending attachments to the wrong email addresses.
Advanced persistent threats
APTs are prolonged and targeted cyberattacks where the intruder gains access to a network and remains undetected for a significant period of time. The intent is often to steal data rather than to cause direct damage to the systems.
Distributed Denial of Service (DDoS) attacks
These attacks flood the targeted server with requests, forcing it to use all its resources to respond to them, thus being unable to service regular requests. A DDoS attack can take down a website, an app, or even a banking system.
Man-in-the-Middle (MitM) attacks
MitM attacks involve the attacker secretly intercepting and possibly altering the communication between two parties who believe they are communicating directly with each other.
Ready for a quick break?
One of the most dangerous attack vectors is manipulating a tired and unfocused individual. For this reason alone, you should take a break right now to relax your mind and ward off the attackers.
Security measures in the data lifecycle
To mitigate the risk of data security incidents, implementing robust security measures is an absolute must.
Common sense prevails. If you are tempted to download your company customer list to a USB drive, make sure the drive is secured with a secret key. If that drive falls into the wrong hands, you’ve just created a data breach.
In general, any storage solution that you use when working with consumer data should be adequately encrypted. This includes the hard drive of your computer. In the digital age, physical records are often overlooked, but you need to make sure that any physical copies of sensitive data are secured (or destroyed) appropriately.
Another important proactive measure is access control. Granting access needs to be controlled just as carefully as revoking it. It’s all too common in the world of digital marketing to still have agencies and contractors with full access to your data even though you stopped working together long ago. Access to your systems should be audited periodically, and access should be set to expire after a given amount of time.
Your company IT probably has a strategy for deploying firewalls, antivirus systems, and intrusion detection heuristics. While you don’t need to know how these operate, they might sometimes cause disruptions or latency in your work, as they add overhead to network requests.
Finally, your job as a technical marketer is to be the steward of user data, especially when it relates to marketing. In addition to securing the data, you also need to be mindful of:
- Data collection: Secure methods should be used during data collection, so that personal data is collected legally and ethically. Don’t collect sensitive information unless you have a legal basis to do so and an actual need for it.
- Data processing and analysis: Make sure that data integrity and confidentiality are respected when you process data. For example, if joining data from different sources, make sure that it is still distinguishable which parts are personal data and subject to data protection regulation.
- Data retention and disposal: Data isn’t meant to be stored forever. Set proactive retention limits to data, so that it’s purged after the expiration date is met. Make sure that disposal is done so that it is truly irreversible.
All the Topics in this Chapter have revolved around the concepts and technical jargon of privacy, data protection, and data security. Ultimately, it’s all about responsibility and accountability.
It’s been said many times here: you are responsible for the data that you handle. While there may not always be a legal obligation to protect and secure it, there is a broader ethical obligation to make sure that the data is handled responsibly.
This was the last Chapter of the Technical Marketing Handbook, but in many ways it’s the most important one. The Topics covered here deal with some of the most fundamental questions a digital organization faces.
We trust that you have the motivation to improve yourself on a daily basis when working as a technical marketer.
Key takeaway #1: Data breaches are far too common to ignore
A data breach can be detrimental to a company. Inadvertently releasing passwords, personal data, credit card numbers, or email addresses can turn into a PR nightmare. Hackers are also very good at finding vulnerabilities in systems – sometimes through non-technological means. If your company stores potentially sensitive data, then you must have a contingency plan in place for data breaches.
Key takeaway #2: Hackers are good at what they do
Hackers are always (at least) one step ahead of safeguards. There are so many discovered and undiscovered ways of breaching data security measures that trying to protect against all possible threat vectors is futile. Much of data security is about education – employees need to be taught to spot social engineering schemes, phishing attempts, and potential vulnerabilities in the systems that they use. And, again, a contingency plan needs to be in place for when the inevitable happens.
Key takeaway #3: Secure data throughout its lifecycle
Data security measures should apply at every step of the data lifecycle. At data collection, make sure that only relevant data is collected and only in necessary quantities. At processing and analysis time, focus on data integrity and confidentiality. Utilize retention and disposal measures. Set an expiration time for stored data, and make sure that it’s purged so that disposal is truly irreversible.