This article is provided by Sonan Insights.
In the world of InfoSec, marketing operations are an often-overlooked source of risk. The information that is gathered and stored through marketing is critical for decision making, building relationships with customers, and helping to grow your business. Marketing relies heavily on third-party applications to manage, store, and use this data. Understanding the security layer of marketing tools brings awareness to the vulnerabilities that can come through these platforms, and can help you establish mitigation strategies that reduce the risk of an attack on this data.
Here we'll dive into a few of the major applications used by marketing teams that should be considered when building a comprehensive information security policy. More specifically, we'll look at three types of marketing tools: analytics (Google Analytics), PPC advertising (Google Ads), and marketing automation (HubSpot).
Google Analytics is a widely used analytics tool that allows for the measurement of traffic and performance of both websites and applications. Despite being one of the most popular tools in the marketing world, there are a couple of sources of vulnerability worth noting.
Google Analytics uses publicly available tag information to receive data. If your organization is using Universal Analytics (UA), anyone can view your UA tag by inspecting the code on your site. This can be exploited, because any entity can send false data to your account: a bad actor can take your Google Analytics tag and connect it to any website they have access to or manage, and that false information will then appear in your analytics view. By default, Google Analytics does not filter by domain. To ensure that you are only making decisions based on data from your domain, you need to enable Hostname filtering for each view used. For more information on configuring a custom domain filter, check out this post.
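The hostname check is easy to get subtly wrong, so here is an added example (not from the original article or from Google) of an allowlist built as an anchored, escaped pattern and applied to hit rows. The hostnames, the hit rows and the function names are constructed for illustration.

```javascript
// Added example: hostnames and hit rows below are constructed sample data.
const ALLOWED_HOSTS = ["www.example.com", "shop.example.com"];

// Escape regex metacharacters so "." only matches a literal dot.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build one anchored, case-insensitive pattern: ^(host1|host2)$
// Without ^ and $ a filter matches any hostname that merely contains yours.
function buildHostnamePattern(hosts) {
  return new RegExp("^(" + hosts.map(escapeRegex).join("|") + ")$", "i");
}

// Split hits into those from allowed hostnames and those to exclude.
function partitionHits(hits, hosts) {
  const pattern = buildHostnamePattern(hosts);
  const kept = [];
  const rejected = [];
  for (const hit of hits) {
    const host = String(hit.hostname || "").trim();
    (pattern.test(host) ? kept : rejected).push(hit);
  }
  return { kept, rejected, pattern: pattern.source };
}

const SAMPLE_HITS = [
  { hostname: "www.example.com", page: "/pricing" },
  { hostname: "WWW.EXAMPLE.COM", page: "/" },
  // Lookalike host that an unanchored "contains" filter would accept.
  { hostname: "www.example.com.spam.test", page: "/free-traffic" },
  // Would match if the dots in the allowlist were left unescaped.
  { hostname: "wwwXexample.com", page: "/" },
  { hostname: "(not set)", page: "/" },
  { hostname: "shop.example.com", page: "/cart" },
];

const result = partitionHits(SAMPLE_HITS, ALLOWED_HOSTS);
console.log("filter pattern:", result.pattern);
console.log("excluded hostnames:", result.rejected.map((h) => h.hostname));
```

The printed pattern is the kind of expression to use in an include filter on the Hostname field; review the excluded hostnames before applying it so that legitimate subdomains are not dropped.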
Managing PII elevates the level of risk involved in your marketing operations. For most marketing departments the management of PII is unavoidable, especially when running lead generation, contests, or newsletter registrations.
On some sites, users enter PII through form fields. Within Google Analytics, ensure no PII such as names, social security numbers, email addresses or other personal identifiers is sent into the analytics platform. This can be managed through User ID override, event dimensions, site search dimensions, and campaign dimensions. It's important to set up all custom dimensions so that they collect only non-identifiable information, such as source, medium, keyword, campaign, content, site search terms, or site search categories.
Similarly, geolocation can be a personal identifier. In some areas, such as the UK, a single residence can have its own zip code, which therefore must not be entered into Google Analytics.
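Form values, search terms and postcodes most often reach analytics through the page URL, so one control is to clean the URL before it is recorded. The following is an added example, not code from the original article or from Google; the parameter list, the patterns, the sample URLs and the `sanitizePageUrl` name are assumptions.

```javascript
// Added example. Parameter names, patterns and URLs are assumptions and
// constructed sample data, not taken from any real site or from Google.
const PII_PARAMS = new Set(["email", "name", "first_name", "last_name",
  "phone", "ssn", "address", "postcode", "zip"]);
// Matches a literal "@" or its percent-encoded form "%40".
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;

// Redact identifiers that appear inside free text (search terms, paths).
function redactText(text) {
  return text.replace(EMAIL_RE, "REDACTED_EMAIL").replace(SSN_RE, "REDACTED_SSN");
}

// Returns the page path + query that is safe to record, plus what changed.
// The URL fragment is dropped on purpose.
function sanitizePageUrl(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  // Copy the entries first, because searchParams is modified in the loop.
  for (const [key, value] of [...url.searchParams]) {
    if (PII_PARAMS.has(key.toLowerCase())) {
      // The parameter name itself says the value is personal data.
      url.searchParams.set(key, "REDACTED");
      findings.push(key);
    } else if (redactText(value) !== value) {
      // Harmless name (e.g. a site search term) carrying an identifier.
      url.searchParams.set(key, redactText(value));
      findings.push(key);
    }
  }
  const cleanPath = redactText(url.pathname);
  if (cleanPath !== url.pathname) findings.push("path");
  return { page: cleanPath + url.search, findings };
}

const SAMPLE_URLS = [
  "https://www.example.com/signup/thanks?utm_source=newsletter&email=jane.doe%40example.com&postcode=SW1A+1AA",
  "https://www.example.com/unsubscribe/jane.doe@example.com?q=contact+jane%40example.com",
  "https://www.example.com/pricing?utm_source=google&utm_medium=cpc",
];
for (const u of SAMPLE_URLS) console.log(sanitizePageUrl(u));
```

Logging the `findings` list during testing shows which forms or links are leaking identifiers, which is usually better fixed at the source than masked downstream.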
Beyond analytics, Google Ads is another source of information security risk. As Google now offers a lead generation form extension, which stores PII, limiting access to this data is an essential security consideration. For more information on preventing unauthorized access to this form, check out this post.
Furthermore, many marketers upload email addresses to create custom audiences for retargeting, and this functionality creates another potential vulnerability. While Google Ads destroys the raw list of personal information once it has processed it, ensuring that your marketers are handling this upload securely from your ecommerce platform, marketing tool, or CRM is an essential consideration. Many platforms such as Shopify and HubSpot support the creation of custom audiences automatically. Beyond this, you can also use Zapier if there is no native support available. Doing so eliminates the need for marketers to download customer data and then remember to delete it.
Data theft remains a significant risk when it comes to the storage of data within a CRM. Earlier this year, USCellular suffered a data breach in which customer data stored within the CRM was accessed. As the information stored in CRM tools is often sensitive and extremely valuable to competitors, preventing unauthorized access can reduce the risk of attack. CRMs such as HubSpot and Salesforce allow users to easily export account and contact data into formats such as CSV. By allowing a list of all your customers and contacts to be quickly generated by any individual within the account, you risk having that data fall into the wrong hands through a single bad actor. Therefore, it is considered best practice to limit the information that any individual has access to and to reserve the right to export en masse for more senior employees through role-based access control (RBAC). This can be done by filtering by contact owner, or by sales/marketing team. For more information on permissions management, check out this guide from HubSpot.
While managing the permissions for each application is important, all that hard work can be lost should the right individual's login be compromised. Enabling 2-Factor Authentication (2FA) for each of the tools mentioned above reduces the possibility of a user's login being compromised. Making sure that you are using all available authentication configurations for each application is vital for information security. Beyond this, you should also practice healthy password hygiene.
As the list of marketing tools available continues to grow, configuring each correctly to maintain maximum security is key. Often, it comes down to investigating each tool and ensuring that you are implementing all possible security features. With regular audits and some coordination internally, it is possible to manage your marketing information securely — making it a worthwhile consideration for your organizational security policies.