Data breaches and privacy vulnerabilities splash across the headlines each week and cost businesses millions, and some of the blame may lie in the misalignment of sales and marketing.
These announcements unseat executives, obliterate market value, shake the confidence of customers, necessitate awkward Senate hearings, and damage the brand for the long term. All of us can think of companies that have been adversely affected by this violation of trust, and the impact is significant across industries.
According to the 2018 Cost of a Data Breach Study by Ponemon, sponsored by IBM, the average cost of a data breach in the US is $7.91 million in direct and indirect expenses, and another $4.2 million was the average loss of business following a breach. But even for smaller incidents, each stolen record costs the business $233, which is up 4.8% since last year. It doesn’t take many compromised records for that figure to add up.
And perhaps more shocking, the average global probability of a material breach in the next 24 months is 27.9%. That means nearly a third of companies will have a data breach next year, which means that nearly a third of customers could be victims of data vulnerabilities.
As you might imagine, the faster a data breach can be detected, the lower the cost and brand impact. Companies that identified a breach in less than 100 days saved more than $1 million compared with their peers that took the average of 197 days. Better yet, companies can avoid costly breaches by evaluating their systems and processes and preventing problems from ever occurring.
How does this relate to sales and marketing misalignment? The Data Breach Study attributes 27% of breaches to “human error” and 25% to “system glitches.” Together these cause most data vulnerabilities. Because the systems used by sales and marketing contain some of the richest customer data and the largest populations of users with access to that data, they represent a significant business risk hiding in plain sight.
Here are four areas in which you can assess your risk of a breach and some best practices to address each:
1. Beware of Separate MarTech and SalesTech Stacks
If you hang around a modern marketing organization you will hear terms bandied about frequently: CMS, marketing automation, sales enablement platforms, e-commerce, customer relationship management or sales force automation tools. These are often abbreviated “MarTech” (as in Marketing Technology) or “SalesTech” (Sales Technology). And it is not uncommon to have these systems in organizational silos without integration, data synchronization, or a common view of the customer. “Multiple applications, in many cases, have duplicate data to accomplish the same objective,” commented Joan Netzel, CPA and professional board member, former group vice president and internal auditor for SunTrust Banks and former CFO of the New Mexico Mortgage Finance Authority. “One key risk is that the data is not accurate from system to system, which poses a problem with reporting and decision making.” This has implications for the customer experience, management effectiveness, compliance with GDPR and other regulations, and the ability of the organization to fully leverage relationships, but it holds another risk: it can make your systems more susceptible to data vulnerabilities. Companies are quick to overlook the data breaches that happen every day when territory salespeople leave the company and take contacts and contract details of clients with them on their personal devices.
Actions you can take: Look closely at the integration or duplication of systems between sales and marketing and the access rights to each. Misalignments in annual objectives and management styles often manifest as system proliferation, each system with a different set of access controls. And don’t forget the hidden sales systems that exist in employees’ email inboxes, contact directories on their phones, shared drives, or spreadsheets, outside the formal CRM systems.
2. Beware of System Proliferation
It is not uncommon in large companies or companies that have grown through acquisition to have a number of competing systems all in simultaneous operation. One company may have dozens of separate CRM instances or point solutions in the sales and marketing space, across multiple vendors and hosting models. With this disarray in their system ecosystem, vulnerabilities around data usage and access are often hidden in the mix.
Plus, the features of these robust and expensive platforms go under-utilized. As author and consultant David Taber wrote for CIO Magazine, “no amount of ‘best in breed’ features will make a difference if their data is an uncoordinated mess.”
Furthermore, systems tend to multiply when governance is not strong. In organizations of all sizes, shadow IT organizations (or “hidden factories”) can build and implement solutions without explicit organizational approval. This is becoming increasingly easy in a world of cloud computing, or when applications are offered in Software as a Service (SaaS) business models, where anyone with budget authority can implement solutions without the technical expertise previously required for on-premises installations. This ease of database provisioning and application deployment in the cloud has real benefits to the enterprise, of course, but it can exacerbate organizational dysfunction. And the ubiquity of API-style connections between tools makes sharing sensitive data with third parties easier than ever before.
Actions you can take: Building on the investigation above, conduct a full inventory of the systems used at your company that store or share customer data of any type. Review the data policies of your vendors. You will likely be shocked by how many systems are in use and can put a plan into place to streamline and consolidate as required.
3. Beware of System of Record and Data Ownership Ambiguity
“Decisions around technology platforms need a holistic approach,” continued Netzel. Never is this truer than when companies are determining their systems of record: the computer system or application which will serve as the company’s authoritative data source for customer data. Not the pet system of one department or the other, but for the enterprise as a whole. “The customer demographic data regarding sales and products, need to be in sync with the system of record and a reconciliation of that data in separate systems needs to be designed and performed periodically,” Netzel advised. It is critical that each system has a “data owner who is responsible for determining who has access to the data and for how long,” explained Donna Gallaher, an IT and cybersecurity advisor who holds active CISSP, C|CISO, and CIPP/E certifications. “That data owner should be tracking exceptions and ensuring that access is removed when no longer needed, even though IT or the security team implements the controls.”
Actions you can take: Go to your ecosystem inventory and ensure that every system has a unique and defined purpose and a data owner who has defined processes for access controls. Once you know how many systems you use and which you intend to serve as the system of record, you can decide which should be phased out of operation, which can lead not only to reduced risk but to reduced costs as well.
4. Beware of Ill-Defined Security Policies
It is not uncommon for companies to have an employee manual or other documents that outline behavior expectations for their employees, but many companies do not have a written security policy that covers topics beyond acceptable use, including password and encryption standards, data retention standards, access management procedures and other critical elements. “A key element of a security program is the maturity of a company’s employee and contractor onboarding and offboarding process,” Gallaher offered. “Access rights should be defined for each job role, and there should be procedures in place for granting and removing access to all required systems.” This requires another system of record to be defined for employee data. “Typically, either Active Directory [email and network access system] or the HRIS [human resources information system] is the system of record with one system feeding data into the other,” she continued. “It is important for companies to determine which is the system of record and who owns the data, and to design the rest of the processes for granting and removing access rights around that system of record and data owner.”
Actions to take: Gallaher suggests that “everyone should have security responsibilities in their job description” and understand what systems and tools they need for their role and how to secure the data in those systems according to the policy.
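The periodic reconciliation Netzel recommends in section 3 and the role-based access removal Gallaher describes in section 4 come down to the same check: compare every downstream account against the system of record. The script below is an added illustration, not code from the article or from any vendor; it assumes the HRIS is the system of record, uses a constructed roster, constructed CRM accounts and a hypothetical role-to-entitlement policy, and reports enabled accounts with no active employee, entitlements beyond the role, and active employees with no account.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Employee:          # one HRIS row (HRIS assumed to be the system of record)
    emp_id: str
    status: str          # "active" or "terminated"
    role: str

@dataclass
class Account:           # one account in a downstream system (CRM, AD, ...)
    emp_id: str
    enabled: bool
    entitlements: Set[str]

# Hypothetical policy: "access rights defined for each job role".
ROLE_POLICY: Dict[str, Set[str]] = {
    "sales_rep": {"crm.read", "crm.write_own"},
    "marketing": {"crm.read", "campaigns.write"},
}

def reconcile(hris: List[Employee], accounts: List[Account]) -> Dict[str, List[str]]:
    """Report accounts that disagree with the system of record."""
    roster = {e.emp_id: e for e in hris}
    findings: Dict[str, List[str]] = {"orphaned": [], "excess": [], "missing": []}
    seen: Set[str] = set()
    for acct in accounts:
        seen.add(acct.emp_id)
        emp = roster.get(acct.emp_id)
        # Enabled account with no active employee behind it: offboarding gap.
        if acct.enabled and (emp is None or emp.status != "active"):
            findings["orphaned"].append(acct.emp_id)
            continue
        if emp is None or not acct.enabled:
            continue
        # Entitlements the role does not grant: exceptions the data owner must track.
        for ent in sorted(acct.entitlements - ROLE_POLICY.get(emp.role, set())):
            findings["excess"].append(f"{acct.emp_id}:{ent}")
    # Active employees with no account at all: onboarding gap (or a stale roster).
    for emp in hris:
        if emp.status == "active" and emp.emp_id not in seen:
            findings["missing"].append(emp.emp_id)
    return findings

# Constructed sample data for a stand-alone run.
HRIS = [Employee("E100", "active", "sales_rep"), Employee("E101", "terminated", "sales_rep"),
        Employee("E102", "active", "marketing"), Employee("E103", "active", "sales_rep")]
ACCOUNTS = [Account("E100", True, {"crm.read", "crm.write_own", "crm.export_all"}),
            Account("E101", True, {"crm.read"}), Account("E102", True, {"crm.read", "campaigns.write"}),
            Account("E999", True, {"crm.read"})]   # E999 is unknown to the HRIS

if __name__ == "__main__":
    print(reconcile(HRIS, ACCOUNTS))
```

Each finding maps to an action for the data owner: disable orphaned accounts, review or revoke excess entitlements, and confirm whether missing accounts reflect a provisioning gap or an out-of-date roster.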
In summary, “the most important thing is to decide on your system of record and to assign a data owner,” Gallaher offered. However, data vulnerabilities and risk assessment cannot be delegated. The responsibility must be shared across the enterprise. “It is common for businesses to try to shift risk to the IT or security organization,” Gallaher added, “but the business always owns the risk.” No matter who works on the systems or administers policy, the business ultimately owns the impact. Sales and marketing must align with each other and with the other groups and interests of the business to ensure that the systems they use every day to communicate with customers or track the sales pipeline don’t end up costing the business a breach.
This article originally ran in Forbes on August 20, 2018.