Is Your MarTech Stack Vulnerable?
You've just launched your new Modern Marketing Platform. Here are the potential problems marketing teams may not be considering when creating a new digital infrastructure.
First, cybersecurity was not the chief priority when we (marketing) put our new digital marketing infrastructure together, which means we are exposed in ways that we haven’t even begun to imagine. So while we were thinking about data use policies, opt-ins, and progressive profiling, we weren’t thinking about the possibility of this whole thing being breached. None of it has been pressure tested and, as far as we know, it could be a security hot mess.
Second, no one really has our backs. Let me digress and provide a crash course in cybersecurity for non-technical marketing people so this point can sink in.
First, security and IT teams are focused on protecting their core enterprise infrastructure from these attackers – by infrastructure, I am talking about networks, financial systems, databases, data centers, company laptops, mobile devices, etc. The bigger and more distributed your company is, the more difficult it is for them to do that. And let’s not forget that this environment becomes more diverse by the day as departments around the company adopt more cloud-based technology. However, in an RSA Threat Detection Study, only 27% of enterprises say they actively monitor cloud-based infrastructure as part of their security strategy! That means the 73% that’s not being monitored by your own IT team is probably your marketing infrastructure.
Second, the security teams at the companies behind all those web-based applications and tools you bought, hosted or cloud-based outside your walls, are dealing with the same set of issues. They may have better security strategies in place because their life depends on it, and bigger teams, but they may also be a bigger target because they host data from lots of customers just like you. I'm not saying these applications aren't safe; I am saying that you can’t assume they are. But this isn’t your biggest problem.
Finally, big breaches are on the news (though only a very, very small percentage of breaches ever get reported, which is important to understand because you aren’t seeing even a fraction of it). CEOs and boards are putting more pressure on CIOs and CSOs to ensure that a breach won’t happen. The cost of a breach (estimated in the hundreds of millions of dollars if, for example, you are a big retail company) and the risk to brand reputation are so high that they can cause any respectable CEO to decide it's a Margarita Monday. According to a Ponemon Institute Study, one hour of downtime on Cyber Monday cost retailers up to $3.4 million in losses associated with brand damage and reduced consumer confidence. This is keeping your boss and probably your boss’s boss up at night.
Cut back to marketing. So here we are, merrily skipping through the tulips launching a new global campaign. We are so focused on the thing in front of us that we unknowingly just created an entire marketing system that has all the same vulnerabilities as the company’s core systems, but we have done it in a silo, outside of what our IT security teams are protecting (shadow IT). Our hearts were in the right place but it doesn’t make us awesome.
Furthermore, even for a company with a dedicated security operations team, the biggest security blind spot is typically monitoring web, mobile, and social applications. Yep, all the stuff you use. Don’t take my word for it: get a meeting with your CSO or head of IT Security and ask him or her about what kind of access protection and management strategies they use or what the limitations of their security incident & event management systems are. Not only will you sound really smart, the answers will fascinate you.
This is the problem. Your IT security team is probably not monitoring a good portion of your modern marketing infrastructure and if they are, they most likely don’t have the tools in place to best look after it end-to-end, the way you are using it, and the way hackers would be cracking it.
Enterprises have spent millions of dollars on security technology, yet, according to RSA’s Cybersecurity Poverty Index, 75% of security leaders report they have significant risk exposure in spite of all their efforts. Furthermore, 80% report breaches in the last year based on a new report that came out from KPMG, as reported by Dark Reading.
While the big cloud applications might each have gone through a security audit individually (let’s assume the CRM system or marketing automation system or web CMS came back solid in an audit), vulnerabilities exist in the interfaces (APIs) that connect these tools with all the other add-on tools you bought from other vendors, who may be in various stages of cloud or security maturity. So now you have tools that have not been vetted, connected with trusted tools that may be connected to sensitive information.
Essentially, this is a hacker’s dream scenario and your security team's biggest nightmare. Leaving your security team or IT altogether out of the loop on how you are setting up your infrastructure in the interest of going fast is tempting, but not worth it. And if you get hacked, maybe it's nobody else's fault, so don't do it.