Is Your Modern Marketing Cloud Infrastructure Vulnerable to Cyber Attacks?

Oct 03, 2016 | by Holly Rollo

You've just launched your new Modern Marketing Platform in the cloud. However, there are several potential problems that marketing teams may not consider when creating a new digital infrastructure in the cloud. I'm not referring to the websites set up for online banking or strictly for transactions, I'm talking about the web platforms that are built by the rest of us.

First, cybersecurity is not the chief priority when we (marketing) put our new digital marketing infrastructure together, which means we may be exposed in ways that we haven't even begun to imagine. So while we are thinking about data use policies, opt-ins, and progressive profiling - we weren't thinking about the possibility of this whole thing being potentially breached. If it hasn't been pressure tested after all the services and apps have been bolted together, as far as we know, it could be a security hot mess.

Second, no one really has our backs. Let me digress and provide a crash course in cybersecurity for non-technical marketing people, so this point can sink in.

  • First, security and IT teams are focused on protecting their core enterprise infrastructure from these attackers - by infrastructure, I am talking about networks, financial systems, databases, data centers, company laptops, mobile devices, etc. The bigger and more distributed your company is, the more difficult it is for them to do that. And let's not forget that this environment becomes more diverse by the day as departments around the company adopt more cloud-based technology.
  • On top of that, insights from a recent RSA Threat Detection Study reveal that only 27% of enterprises say they actively monitor cloud-based infrastructure as part of their security strategy! That means the 73% that's not being monitored by your own IT team is probably your marketing infrastructure.
  • The security teams for all of those web-based applications and tools you bought, that are hosted or cloud-based outside your walls, are dealing with the same set of issues. They may have better security strategies or bigger teams in place, because their life depends on it, but they may also be a bigger target because they host data from lots of customers, just like you. I am not saying these applications aren't safe, I'm just saying that you can't assume they are and need to consider the implications of that.
  • Finally, big breaches are hot topics on the news (though only a very, very small percentage of breaches ever get reported, which is important to understand because you aren't seeing even a fraction of it). CEOs and boards are putting more pressure on CIOs and CSOs to ensure that a breach won't happen. The cost of a breach (estimated in the hundreds of millions of dollars if, for example, you are a big retail company) and the negative impact to brand reputation is so high, that it can cause any respectable CEO to decide it's a Margarita Monday. According to a Ponemon Institute Study, one hour of downtime on Cyber Monday can cost retailers up to $3.4 million in losses associated with brand damage and reduced consumer confidence. This is keeping your boss and probably your boss's boss up at night.

Cut back to marketing. So here we are, merrily skipping through the tulips, to launch a new global campaign. We are so focused on the thing in front of us, we unknowingly just created an entire marketing system that has all the same vulnerabilities as the company's core systems, but we have done it in a silo, outside of what our IT security teams are protecting (shadow IT). Our hearts were in the right place but it doesn't make us awesome.

Furthermore, even for a company with a dedicated security operations team, the biggest security blind spot is typically monitoring web, mobile, and social applications beyond core systems and outside the traditional perimeter. Yep, all the stuff you use. Don't take my word for it, get a meeting with your CSO or head of IT Security and ask them about the access protection and management strategies they use, or what the limitations of their security incident & event management systems are...not only will you sound really smart, their answers will fascinate you.

This is the problem. Your IT security team is probably not monitoring a good portion of your modern marketing infrastructure and if they are, they most likely don't have the tools in place to best look after it end-to-end, or to fully consider the way you are using it and the way hackers would be cracking it. Enterprises have spent millions of dollars on security technology, yet, 80% still reported breaches in the last year, based on a new report that came out from KPMG, as reported by Dark Reading.

While the individual big cloud applications might have gone through a security audit individually, (let's assume the Marketing Cloud, CRM system, marketing automation system or web CMS came back solid in an audit), vulnerabilities still exist in the interfaces (APIs) that connect these tools with all the other add-ons tools you bought from other vendors who may be in various stages of cloud or security maturity. So now, you have tools that have not been vetted, connected with trusted tools that may be connected to sensitive information.

Essentially, this is a hacker's dream scenario and your security organization's biggest nightmare. Leaving your security team or IT counterparts out of the loop on how you are setting up your infrastructure in the interest of going fast is tempting, but not worth it. And if you get hacked, maybe, it's nobody else's fault, so don't do it.

Looking for details about managing communications about data breaches? Visit the blog post, Planning for a Breach Crisis, for more information.

Author: Holly Rollo

Category: RSA Fundamentals, Blog Post

Keywords: Cybersecurity, Identity Infrastructure, Marketing Cloud