For every dollar marketers spend on influencer marketing, they generate $6.50 in revenue, a compelling return on investment for companies looking to reach new audiences in specific verticals. For the uninitiated, influencers are social media personalities who partner with marketers to promote products to their followers, typically through sponsored content.
Influencer marketing ad spend is set to reach between $5 billion and $10 billion in 2022, a five-year compound annual growth rate (CAGR) of 38 percent, as firms continue to invest in marketing cloud services. At this point it is impossible to browse Instagram or watch YouTube and not see evidence of this burgeoning market, but lately influencer marketing has been making news for the wrong reasons.
Aside from recent headlines around influencers buying fake followers, earlier this month it was reported that a marketing agency exposed personal data belonging to thousands of influencers through a misconfigured Amazon S3 bucket. Per UpGuard researcher Chris Vickery, who made the discovery on Jan. 4, the data contained a “surprising level” of detail on thousands of influencers – including phone numbers, physical addresses and hashed passwords.
While Vickery has made other similar discoveries of companies not having the proper controls in place for Amazon S3 buckets, what made this one different is that the thousands of influencers whose personally identifiable information was left in the open because of misconfigured marketing cloud services are high-value potential targets for attackers.
“They’re all web celebrities, they’re not just millions and millions of random Joe Smiths and Jane Does,” he said. “It’s highly specific, curated people … every single one of them would be a high value target.”
Vickery, who has worked as director of cyber risk research at UpGuard since April, has found that 80 percent of data breaches can be traced back to misconfigurations, not bad actors. Through his research he has found private data belonging to millions of citizens in voting records and customer data sitting on open storage buckets in the cloud.
Marketing Cloud Services Must Address Specific Security Concerns
Though marketing companies like Octoly deal with swaths of data that help them develop targeted campaigns, they may not be well-versed in marketing cloud services or security. Agencies can of course supplement this expertise with outside help or internal hires, but that assumes they have prioritized spending on marketing cloud services or security that they may view as non-essential to their innovation.
“What marketing companies can do is make sure they aren’t only seeing themselves as just a marketing company,” Vickery said. “If they’re dealing with the web, they need to realize that they are not only marketing, they are a tech company as well, and they need to have a tech staff, especially if they are putting stuff up on the cloud.”
Through his communication with Octoly, Vickery said it was clear that the company didn’t have a solid grasp on cloud technology. Its incident response was weak; it was difficult to get an initial response from the company as calls and direct messages went unanswered, he said.
Marketers must understand that it is “very easy to accumulate a lot of liability just by buying lists” and that there needs to be an adequate investment in security as they store this kind of sensitive information, Vickery said.
Often, the information marketing agencies store goes beyond just addresses and phone numbers; agencies often store data related to behavior which is used to deliver a personalized experience. Chris Geiser, Chief Technology Officer at digital marketing agency The Garrigan Lyman Group, said that as personalization has become one of the keys in digital marketing, an agency has even more responsibility to keep this data secure. The company relies on security solutions from Alert Logic to help it detect anomalies in real-time.
“As you think about someone building a website and they want to target and retarget once that person raises their hand that they are a potential customer, you want to personalize that experience as much as you can,” Geiser said. “Now it’s incumbent upon you that that user has trusted you with this exchange of information that if you’re going to be able to deliver this personalized experience which they said that they wanted, they’re trusting you. It becomes that much creepier when somebody’s behavioral preferences are subtly provided but not so subtly exposed; that could be a huge violation of trust.”
To help ensure that this data stays secure, marketing agencies must not only ensure they have access either internally or externally to people who understand technology, but also educate non-technical employees on how to interact with sensitive data.
“In the case of cloud storage and data for marketing agencies, the largest risks are hacking, data leakage and data loss,” said Rick Deacon, CEO of Apozy, a cybersecurity platform and browser extension. “Data loss/leakage occurs when information is uploaded incorrectly or to an insecure service which gets breached.”
He said the most common mistakes he sees are employees uploading files to the wrong cloud service, unwittingly becoming victims of phishing, or putting information in improperly secured folders.
“There are a few things that can be done to prevent these from occurring,” Deacon said. “First, a clear policy and procedure for uploading information to the cloud. That is, a sanctioned service and a very specific method of uploading documents or materials. The materials should only be uploaded to secure folders that are endorsed by the company. No information should be stored in ‘personal’ cloud folders.”
Aside from ensuring there are clear policies in place for uploading data to the cloud, it is critical for marketing agencies to have preventative measures in place for phishing and malware, as well as using encryption and good password hygiene, Deacon said.
Above all else, it is important that marketing agencies that want to explore cloud technologies do so at a pace that is comfortable and realistic.
“Do it in a careful manner and make sure you consult with someone that knows what they’re doing if you don’t have someone on staff who knows the technology,” Vickery said. “Make sure you take the time to train your current IT staff and allow them the resources to learn about cloud technology before jumping headlong into it. It’s not one of those things that you can do overnight and migrate everything, you’ve got to be careful about it and don’t rush your developers or tech staff to understand or get things done on a certain timetable.”
Compliance is King in Marketing Cloud Services
Geiser, who has worked at The Garrigan Lyman Group for 21 years on digital advertising, enterprise architecture and enterprise application building and hosting projects, said in working with clients the first question he asks is what compliance requirements they have.
“The interesting thing about working at an agency like ours is you have to take on the responsibility of the compliance regime of your client,” Geiser said, which can be varied, depending on the nature of the clients’ business. And it will only get more complex as GDPR requirements take effect in May.
“Usually when security and performance considerations are done as an afterthought you don’t get the best results,” he said.
Hostway SVP of marketing David Rodriguez said that it is important for agencies to be sure that their technology partners can meet the compliance requirements specific to the verticals they serve.
“Always use a trusted provider that has PCI capabilities; even HIPAA and HITRUST can be important if your target markets include healthcare,” Rodriguez said. “There are many facets to what is considered PHI and one misstep can cause a marketing firm that has patient information thousands of dollars in fees. Use these standard compliance best practices in your own data aggregation and usage to make sure you are keeping your market data secure.”
Even if a marketing agency doesn’t work with any clients in highly regulated industries like healthcare, it doesn’t mean they aren’t a target. This line of thinking is a big mistake, Geiser said.
“We still to this day hear a lot of clients say, ‘oh yeah, maybe that piece isn’t so important because who would want to hack us? Why would they care?’ and I think that over the last 20 years I’ve been here when encryption wasn’t a thing, to when encryption became a thing, to now when encryption is the thing, I think the fundamental shift has been that people are just starting to come around to the fact that everybody is a target,” he said.
“The way that the enemy works is they walk down the street and jiggle door knobs until they find one that is open, they yell anybody home, and if nobody answers they rob the house,” Geiser said.