Following the Epsilon breach, the Online Trust Alliance (OTA) announced a new "security by design" organizational framework and guidelines to help companies counter ongoing attacks by cybercriminals. The guidelines recommend that companies create security teams headed by chief security officers, identify vulnerabilities in how data are handled, institute security reviews and ongoing audits, and implement incident response plans.
The danger is “across the board,” Spiezle said.
“The industry needs to step up their game and invest in this area,” he said. “On the one hand, there is the prospect of federal regulation that would force greater security. But also there is the issue of consumer trust in emails and ads. The worst thing for the interactive industry is to have a trust meltdown. We have to get ahead of the curve.”
The Direct Marketing Association also responded to the Epsilon incident with a letter to its members from Senny Boone, the group's senior VP-corporate and social responsibility, urging vigilance.
“When a data breach occurs, it is a very serious matter for the direct marketing community,” Boone wrote. “Data security is ... critically important in building consumer trust in the marketing process.”
Observers say it is essential to find ways to prevent lapses by key employees who hold access authorization and may unwittingly divulge database credentials.
“The Epsilon attack was a wake-up call for all of us,” said Adam Blitzer, COO of marketing automation company Pardot, which offers email marketing as part of its lead nurturing and analytics platform. “For example, we recognized that certain people in our company had power-user access to our customers' databases but they didn't really need it.”
Pardot's databases were not affected by the recent intrusions, but as a precaution Blitzer is now restricting high-level database access to a few employees. The company has also called for a new level of rigor, similar to that employed by financial institutions, before customers can send an email blast through its platform.
“You really have to force it on your clients,” Blitzer said. “Also, marketers have to ask serious questions of their marketing automation vendors, questions that almost no one does.”
Return Path, which experienced database intrusions late last year, recently introduced its Domain Assurance service to help mitigate similar damage. It lets senders check the email authentication results (SPF and DKIM) for mail sent under their domains across all campaigns, including transactional, marketing and corporate messaging.
Return Path's own certification processes are also used by other email service providers.
“We've detected phishing attacks against e-commerce, travel and social networking, in addition to the expected targets in financial services,” said George Bilbrey, president of Return Path. “Basically, any brand that is a household name has become a target for phishing.”
The Domain Assurance service is designed to block phishing emails that fail authentication before they are delivered to a customer's mailbox. Still, the weakest link in a database security program may well remain the individual employee who heedlessly allows a phishing scheme to succeed by clicking on a malicious message.
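As an added illustration, not Return Path's code and not a description of how Domain Assurance itself is implemented, the following Python sketch shows the receiving-side logic that blocking "before delivery" relies on: the border mail server records its SPF and DKIM verdicts in an Authentication-Results header (RFC 8601), and a policy step checks whether any passing result is aligned with the domain in the From header before deciding to deliver, quarantine or reject. The authserv-id `mx.example`, the policy table and the sample messages are constructed for this example; the alignment rule is the relaxed-alignment rule DMARC later standardized.

```python
"""Added example: disposition of inbound mail from recorded authentication results.
Not Return Path's code; authserv-id, domains, policies and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table: registered sender domains and what to do with mail
# that claims to come from them but carries no aligned SPF or DKIM pass.
SENDER_POLICY = {
    "bank.example": "reject",
    "shop.example": "quarantine",
}

# Constructed authserv-id of our own border MTA (the only one we trust).
TRUSTED_AUTHSERV_ID = "mx.example"


def parse_auth_results(header):
    """Parse one Authentication-Results header (RFC 8601) into
    (method, result, authenticated_domain) tuples for spf and dkim clauses."""
    clauses = [c.strip() for c in header.split(";")]
    results = []
    for clause in clauses[1:]:  # clauses[0] is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)", clause, re.IGNORECASE)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        if method == "spf":
            # SPF authenticates the envelope sender (MAIL FROM) domain
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause, re.IGNORECASE)
        else:
            # DKIM authenticates the signing domain carried in the d= tag
            d = re.search(r"header\.d=([\w.-]+)", clause, re.IGNORECASE)
        results.append((method, result, d.group(1).lower() if d else ""))
    return results


def trusted_results(msg):
    """Only the topmost Authentication-Results header carrying our own authserv-id
    is trusted: the border MTA prepends it, so anything further down (or under a
    foreign authserv-id) may have been supplied by the sender to fake a pass."""
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return []
    first = headers[0].split(";")[0].split()
    if not first or first[0].lower() != TRUSTED_AUTHSERV_ID:
        return []
    return parse_auth_results(headers[0])


def policy_for(from_domain):
    """Find the registered domain covering the From domain, walking up its labels."""
    labels = from_domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SENDER_POLICY:
            return candidate, SENDER_POLICY[candidate]
    return None, None


def aligned(auth_domain, org_domain):
    """Relaxed alignment: authenticated domain equals the registered domain or is a subdomain."""
    return auth_domain == org_domain or auth_domain.endswith("." + org_domain)


def disposition(raw_message):
    """Return 'deliver', 'quarantine' or 'reject' for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    org_domain, policy = policy_for(from_domain)
    if policy is None:
        return "deliver"  # not a registered domain; nothing to enforce
    for method, result, domain in trusted_results(msg):
        if result == "pass" and aligned(domain, org_domain):
            return "deliver"  # at least one aligned pass
    return policy


# Constructed messages, as they look after our MTA has run SPF and DKIM checks.
LEGIT_CAMPAIGN = """From: Bank Newsletter <news@bank.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=bounce.bank.example;
 dkim=pass header.d=bank.example
Subject: Your monthly statement

Statement attached.
"""
SPOOFED_FROM = """From: Bank Security <alerts@bank.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=attacker.example; dkim=none
Subject: Verify your account

Click here.
"""
FORGED_RESULTS = """From: Bank Security <alerts@bank.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=attacker.example;
 dkim=none
Authentication-Results: mx.example; dkim=pass header.d=bank.example
Subject: Verify your account

The second header above was inserted by the sender before our MTA prepended its own.
"""
UNREGISTERED = """From: Someone <someone@other.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=other.example; dkim=none

Hello.
"""
SOFTFAIL_SHOP = """From: Promo <promo@shop.example>
Authentication-Results: mx.example; spf=softfail smtp.mailfrom=shop.example; dkim=fail header.d=shop.example

Sale today.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_CAMPAIGN), ("spoofed", SPOOFED_FROM),
                      ("forged", FORGED_RESULTS), ("unregistered", UNREGISTERED),
                      ("softfail", SOFTFAIL_SHOP)]:
        print(f"{name:12s} -> {disposition(raw)}")
```

The two checks a practitioner should not skip are visible in the samples: `SPOOFED_FROM` carries a genuine SPF pass, but for the attacker's own domain, so alignment with the From domain is what catches it; and `FORGED_RESULTS` shows why only the header the border MTA itself prepended may be trusted, since a sender can write any Authentication-Results header it likes.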
“Our servers are probed by hackers every single day,” said Pardot's Blitzer. “They probe, you monitor and the firewall blocks. Those are the easy things to do.
“Educating people—the social engineering part—is much tougher,” he said.