Editor's Note: The following is a guest post from Nate Bentzinger, director of information security for The Archer Group.
"Orange is the New Black" was finalizing its latest season when hackers stole all 13 episodes and offered to return them for a ransom. When Netflix refused to pay up, the hackers released the episodes to the public on a torrent site. But it wasn't Netflix's security that the hackers breached. They infiltrated a third-party audio production company that had been readying the episodes for release.
As digital agencies, this kind of security failure is always looming over us. We are constantly working with our clients' confidential data and information — lucrative targets for hackers. And even a single breach can permanently damage the trust between agency and client.
Unfortunately, agencies have never been more vulnerable. Recent cyberattacks like WannaCry, Mirai and others are making global news and serve as reminders of the prevalence of these attacks and the kinds of damage a hack can inflict on a business. In 2016 alone, cybercrime cost the global economy over $450 billion. For us, that cost can take the form of lost clients and a damaged reputation.
If cybersecurity isn't already an integral part of your client strategy, any further delay raises your chances of being the next victim. It's time to start planning.
Lower your exposure by taking the toughest stance on security
Different clients will obviously be concerned about different risks. Ask them for their perspective, and adjust your security posture accordingly. For financial institutions and consumer-facing businesses, account numbers, passwords, customer names and addresses are all examples of sensitive information, but your clients might also be just as concerned about reputational threats to their business itself — marketing information, company contracts and the like.
In general, Personally Identifiable Information (PII) and confidential data are attractive targets for hackers. If your work requires you to interact with PII from your clients' databases as part of an application, pay close attention to how that data is handled and, more importantly, why.
Reducing the application's access to PII lowers the risk of accidental exposure. And even where a customer loyalty application needs that data during a transaction, it doesn't need to keep it once the transaction is complete. By neither storing the data nor logging the details of these transactions, you reduce your exposure tremendously.
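As an added illustration of that point (example code written for this article, not from The Archer Group or the original post), a loyalty-transaction handler that touches PII only while the transaction is in flight and then stores and logs a minimized record; the field names, the one-point-per-dollar rule and the sample transaction are all constructed assumptions.

```python
"""Added example: use PII only during the transaction, persist and log none of it."""
import hashlib
import json
import logging
import re

# Fields the post names as sensitive; none of them may reach storage or logs.
PII_FIELDS = {"customer_name", "address", "account_number", "password"}
# Safety net for card-number-like digit runs that sneak into free-text log messages.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def redact_pans(text: str) -> str:
    """Mask anything that looks like a card number in a string destined for a log."""
    return PAN_PATTERN.sub("[PAN]", text)


class PanRedactingFilter(logging.Filter):
    """Attach to a logger so every record is scrubbed before any handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def pseudonymize(account_number: str, salt: bytes) -> str:
    """One-way token so points can be tallied per customer without keeping the number."""
    return hashlib.sha256(salt + account_number.encode()).hexdigest()[:16]


def minimize(txn: dict, salt: bytes) -> dict:
    """Keep only what the loyalty ledger needs: id, amount, points and a pseudonym."""
    kept = {k: v for k, v in txn.items() if k not in PII_FIELDS}
    kept["customer_token"] = pseudonymize(txn["account_number"], salt)
    kept["points"] = txn["amount_cents"] // 100  # assumed rule: one point per whole dollar
    return kept


def leaks_pii(txn: dict, record: dict) -> bool:
    """True if any raw PII value from the transaction appears anywhere in the record."""
    blob = json.dumps(record)
    return any(str(txn[k]) in blob for k in PII_FIELDS if k in txn)


def process_transaction(txn: dict, salt: bytes, ledger=None, log=None) -> dict:
    """PII is used here and nowhere else; only the minimized record is stored and logged."""
    log = log or logging.getLogger("loyalty")
    log.addFilter(PanRedactingFilter())
    record = minimize(txn, salt)
    if leaks_pii(txn, record):
        raise ValueError("refusing to persist a record that still carries PII")
    (ledger if ledger is not None else []).append(record)
    log.info("loyalty txn %s", json.dumps(record))
    return record


# Constructed sample transaction, as a client-facing app might receive it.
SAMPLE_TXN = {"txn_id": "T-1001", "customer_name": "Jane Example", "address": "1 Example St",
              "account_number": "4111222233334444", "amount_cents": 2599}
```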
The same goes for data about your clients. A strong stance on cybersecurity provides a solid foundation for your entire agency, but there are times when it makes sense to isolate client data entirely from the rest of your company's network. Just as it makes sense to minimize the handling of PII, it makes sense to keep client data segregated from the rest of your network, and off any segment that extends beyond your office space, to provide additional tiers of protection.
Adopt the requirements of your most restrictive client
One challenge agencies face in ramping up security is handling the range of requirements clients might have. Often, the best strategy is to adopt the requirements of your most restrictive client across your entire company. This has immediate benefits. It helps standardize security protocols across your client base and also hardens your infrastructure. As the old adage says, you're "better safe than sorry."
Clients accustomed to more lax security will come around to the idea of more restrictive security protocols and see you as a leader going above and beyond to guard their information. But don't stand still. Hackers are constantly trying new attack variants. A new website may have started small and relatively unsophisticated, but success brings an increase in both scale and the need for stronger security.
Be prepared to adjust on the fly as your customers, like all of us, rush to protect themselves against the latest cybersecurity threats. Clients might add a dedicated cybersecurity team that implements across-the-board changes to the procedures you know. Changing compliance requirements may create periodic audits and requests to remediate issues. Clients may ask you to buy liability insurance to mitigate their risk. All of this must be taken in stride, along with a strategic vision of where you want to take your business. It's easier if you grow with your clients.
Take the lead in rooting out potential threats and problems
One of the easiest ways to stay up to date on the latest security threats is simply to watch the news. Nearly every week there are stories of hacks and data breaches, each of which offers details that can help you prevent the same attack on your company.
How exactly did the attack occur? How might these new vulnerabilities affect you or your clients? An outage at Amazon might highlight potential issues for your clients using Amazon Web Services. A leak of NSA intrusion methods might tip you off to systems at risk for compromise and in need of the latest patches.
Cybersecurity is an ever-evolving process with high stakes and many risks. Staying on top of the latest vulnerabilities and guarding your clients will pay dividends in the long run for your agency and your clients' businesses.