In November, FBI investigators executed Operation Ghost Click, one of the largest spam botnet takedowns in history. The operation effectively eliminated one of the largest spam sources in the world, and its corresponding malware, which had infected millions of computers worldwide. This came on the heels of several other prominent botnet removals, making 2011 the first year that spam volume actually dropped significantly.
To marketers, this might seem to be an indication that they can relax a little in their fight against phishing scams; but that couldn't be further from the truth, said Dennis Dayman, chief privacy and security officer at marketing automation provider Eloqua Corp. “Just because this stuff is taken down doesn't mean the Internet is safe,” Dayman said. “The people who want to make money the easy way will always find a way in.” Increasingly, that way in is right through the proverbial front door, in the form of an email that results in a data breach.
Data breaches occur for a number of reasons. One common pathway is via malware: an individual opens an email that contains an executable program. The worst part, Dayman said, is that spammers and phishers have gotten smarter. They're no longer necessarily looking to gain financial information from the person who opens their email. Instead, they are looking for a treasure trove of personally identifiable information (PII) about that person's customers or partners.
“Phishers aren't going after credit card numbers anymore. Data systems are the new gold. With personally identifiable information, a phisher has unlimited ways to trick someone,” he said.
Message Systems' CMO Dave Lewis agreed: “They're attacking one company to gain access to others,” he said. “As soon as someone opens that email, they steal the access credentials to the customer database and access credentials to the company's [email service provider]. Now the ESP thinks it's their client wanting to send out email, but it's the phisher and [he or she] is sending out more malware to enterprises using authenticated domains and IP addresses to do it.”
That means marketers must protect their email databases as well as give customers the tools to figure out whether an email that looks like it's coming from their company is legitimate. One of the first steps, Dayman said, is to classify email addresses as PII. Once you do that, he said, employees are more likely to treat the data with reverence and care. It's also important to store email addresses separately from other PII. Then, if there is a breach, criminals have less ammunition with which to attack your customers.
Companies should also develop and disseminate a data breach plan so that, if something does happen, they can communicate with customers and employees as quickly as possible. Dayman said the plan's main goal should be to lay out who is in charge of what should a breach occur. It should also put a time limit on how long an employee can and should wait if there's a breach. “If someone sees something, they have to respond to it and notify upper management and the security team in one hour or less. We'd like to see it as immediate as possible,” he said.
In addition, employees should know that they will not face repercussions for being phished since, as Dayman said, “everyone makes mistakes.” Finally, the plan should include details about external communications—how and when you will contact customers and suppliers who may have had their data stolen as well as a PR response plan.
Next month: Dave Lewis provides four tips to stop data breaches at your company.