Jan 25, 22 3:47 pm

Was this post helpful?

How The Security of Marketing Tools Affects Your InfoSec Policies

Jan 25, 2022
| by:
Alex Hewko

This article is provided by Sonan Insights.

How The Security of Marketing Tools Affects Your InfoSec Policies

In the world of InfoSec, marketing operations are often an overlooked source of risk. The information that is gathered and stored through marketing is critical for decision making, building relationships with customers, and helping to grow your business. Ultimately, marketing often heavily relies on the use of third party applications to manage, store, and use this data. Understanding the security layer of marketing tools brings awareness to potential sources of vulnerabilities that come through these platforms, and can help you establish secure mitigation strategies to reduce your risk of attack on this data. 

Here  we’ll dive into a few of the major applications used by marketing teams that should be considered when building a comprehensive information security policy. More specifically, we’ll look at three types of marketing tools: analytics (Google Analytics), PPC advertising (Google Ads), and marketing automation (HubSpot).

Google Analytics

Analytics: Monitoring Incorrect Data in Google Analytics

Google Analytics is a widely used analytics tool that allows for the measurement of traffic and performance of both websites and applications. Despite being one of the most popular tools in the marketing world, there are a couple of sources of vulnerability worth noting. 

Domain Filtering: Ensuring Data Integrity

Google Analytics uses publicly available tag information to receive data. If your organization is using Universal Analytics (UA), anyone can view your UA tag by inspecting the code on your site. This can then be exploited, as any entity can send false data to your account. A bad actor can take your Google Analytics tag and connect it to any website they have access to or manage. This false information will then appear in your analytics view. Google Analytics does not filter by domain as the default setting. To ensure that you are only making decisions based on data from your domain, you need to enable Hostname filtering for each view used. For more information on configuring a custom domain filter, check out this post.

Best Practices to Avoid Sending PII Into Google Analytics

Managing PII elevates the level of risk employed in your marketing operations. For most marketing departments the management of PII is unavoidable, especially when running lead generation, contests, or newsletter registrations. 

In some sites, PII is entered on the site by users through form fields. Within Google Analytics, ensure no PII such as names, social security numbers, email addresses or other personal identifiers are sent into the analytics platform. This can be managed through User ID override, event dimensions, site search dimensions, and campaign dimensions. It’s important to set up all custom dimensions so that they collect only non-identifiable information, such as source, medium, keyword, campaign, content, site search terms, or site search categories, for example. 

Similarly, geolocation can be a personal identifier. In some areas, such as the UK, single residences can have their own zip code, and thus, must not be entered into Google Analytics.

Google Ads

PPC Advertising: Lead Gen Forms and Customer Matching

Beyond analytics, Google Ads are another source of information security risk. As Google now offers a lead generation form extension, which stores PII, limiting access to this data is an essential security consideration. For more information on preventing unauthorized access to this form, check out this post

Furthermore, as many marketers upload email addresses to create custom audiences for retargeting, this functionality creates another potential vulnerability. While Google Ads destroys the raw list of personal information stored once it processes it, ensuring that your marketers are handling this upload securely from either your ecommerce platform, marketing tool, or CRM is an essential consideration. Many platforms such as Shopify and HubSpot support the creation of custom audiences automatically. Beyond this, you can also use Zapier if there is no native support available. Doing so eliminates the needs for marketers having to download and then also remember to delete customer data.

google ads example

Marketing Automation

Prevent Unauthorized Access in CRM Tools

Data theft remains a significant risk when it comes to the storage of data within a CRM. Earlier this year, USCellular suffered a data breach in which customer data stored within the CRM was accessed. As the information stored in CRM tools is often sensitive and extremely valuable to competitors, preventing unauthorized access can reduce the risk of attack. CRMs such as HubSpot and Salesforce allow users to easily export account and contact data into formats such as CSV. By allowing a list of all your customers and contacts to be quickly generated by any individual within the account, you risk having that data fall into the wrong hands through a single bad actor. Therefore, it is considered best practice to limit the information that any individual has access to and reserving the right to export en masse to more senior employees through role-based access control (RBAC). This can be done by filtering by contact owner, or by sales/marketing team. For more information on permissions management, check out this guide from HubSpot.

Ensuring 2FA for Each Application

While managing the permissions for each application is important, all that hard work can be lost should the right individual login be compromised. Ensuring that you have 2-Factor Authentication (2FA) enabled for each of the tools mentioned above reduces the possibility of a user’s login being compromised. Carefully ensuring that you are using all available authentication configurations for each application is vital for information security. Beyond this, you should also practice healthy password hygiene.

Ensuring The Security of Marketing Tools: Implementing Best Practices

As the list of marketing tools available continues to grow, configuring each correctly to maintain maximum security is key. Often, it comes down to investigating each tool and ensuring that you are implementing all possible security features. With regular audits and some coordination internally, it is possible to manage your marketing information securely making it a worthwhile consideration for your organizational security policies.

Was this post helpful?

About the Author

Alex Hewko
Alex is the Marketing Manager here at Software Secured. She enjoys writing to learn about cybersecurity, leadership, and technology in sales & marketing processes. She shares her insights from a background in international marketing and information technology. From launching global marketing campaigns in the tech and CE industry, to completing a Master's research project on humanizing remote B2B selling processes, Alex is passionate about storytelling and educating audiences on topics that haven't yet been talked about.
Share This Post

Leave a Reply

Your email address will not be published.

Related Post


301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured