Penquin Blog

Can you trust your advertising agency with your data?

Written by Mandy Davis | January 29, 2020 at 10:33 AM

This is no “due diligence” post - cyber security will be our biggest challenge in times to come! Make sure you can trust your agency with your data.

Here’s a modern horror story: a cyber security breach, on average, costs R5.64 million, and takes 279 days to identify and contain. 

 

That's according to IBM Security and Ponemon Institute’s 2019 'Cost of a Data Breach' Report. The data is pretty bleak and paints a dire picture of the current state of the world's cyber security.  

Screen grab from the 'Cost of a Data Breach' Report.

And it just gets worse! In fact for most security experts (certainly the ones we spoke to) a breach is a matter of WHEN, not IF. 

 

Explains IT expert Lukas van der Merwe, specialist sales executive for security at T-Systems South Africa, “Cyber attacks are increasing exponentially.“ According to global data from T-Systems, in 2017 cyber attacks peaked at 4 million. In 2019, this number was a gut-wrenching 53 million. We’ve seen this in South Africa, with some major institutions coming under attack - from the City of Johannesburg itself, to internet service providers (ISP) and even a major newspaper

 

Now the question you need to ask yourself: is your marketing agency protecting your data like they should?

Not only are there legal consequences to being careless with data and client information, there are quite hefty financial consequences too - apart from a loss in client trust, there are also massive fines if you break GDPR legislation. These consequences apply to both the client and the agency! That’s one of many reasons why we take data security very seriously at Penquin. 

SYSTEMS IN PLACE

To keep our clients secure, we have invested in some very serious data security measures. 

Firstly, we undergo cyber security audits by BDO. These ensure we’re compliant in our policies and our IT infrastructure, and they’re extremely thorough. As they explain, “[We’re] proudly innovative and backed with a highly skilled team of cyber consultants ranging from forensic investigators, data scientists, analysts, ethical hackers, business intelligence experts, IT auditors, change management experts and cutting edge forensic analytics technologies.” Penquin actually goes through a BDO audit each year to make sure we’re keeping our security in top shape. 

 

Secondly, as I touched on above, we have pretty solid security policies in place: for laptops, cellphones, networks, as well as policies for how we process and store data for clients, suppliers and freelancers. “Each company needs to enforce a very strict IT policy around the use of company equipment and the access to external networks,” says Johnny Kromer, Technology Executive at Nashua Communications. 

Thirdly, we actually test our system to see just how vulnerable we are. We enlist a bunch of ethical hackers from Decode to do a  bi-annual penetration by many different avenues: they hack every single individual and try to get their passwords, they attack our printers and firewalls and everything you can think of. They then give us a vulnerability report with a list of critical areas to fix - and expert advice on how to rectify those things. 

 

Fourthly, we have a thorough IT infrastructure in place. For example, each laptop has a bitlocker so even if it’s stolen, the data can’t be accessed because it’s encrypted. 

 

Added to this, van der Merwe at T-Systems South Africa recommends enabling 2-factor authentication on everything possible, including Whatsapp and Facebook. 

But, even with all that in place, there’s one thing we have to admit… 

EMPLOYEES ARE YOUR BIGGEST RISK 

“An employee who sees security as an impediment is on the side of the attacker, since they’re likely to circumvent safeguards in the name of productivity,” warns Jon Tullett, senior research manager, at IT services sub-Saharan Africa, IDC South Africa, “But equally, if your staff are complaining about security barriers to productivity, take THAT seriously because they’re going to be looking for ways around it. Be aware that you ARE a target and be sceptical of approaches by strangers.” 

 

To navigate this very real risk, we do quarterly cyber security training and have our ethical hackers send out phishing mails to see if people open them and access the links, making the system vulnerable. As Kromer from Nashua says, “Each person needs to think of the company they work for as if it is their own and act in a manner that will protect their company at all costs. (If it was your company, would you go to that website?)”

 

Forbes Africa also warns about some of the physical ways people can get hacked in the extract below: 

 

  • Remote working and open laptops when heading to the loo: best practice is to enable auto-locking after a certain period of inactivity.

  • Over the shoulder hacks: don’t, for example, work on vulnerable files in a public space like the Gautrain where people can peer over your shoulder.

  • Eavesdropping: ever said your ID number or password out loud in a coffee shop? Yeah, don’t do that.

  • Unshredded document: One expert we interviewed had his identity stolen through unshredded documents - this is a real risk! 

  • Passwords physically written down: the Post It note password on your laptop is a terrible idea.

With regular training, we work to change behaviour and in the end that is the best way to secure your data. 

WHAT DO TO IF THE WORST HAPPENS 

As much as we hate to admit it, it’s still possible to get hacked - even with all those measures in place. Because of that I’ve spent hours and hours working out a digital disaster recovery plan. This was signed off by the company’s directors and covers:

 

  • Infrasture: things like off site mirrored back-ups, and a list of equipment. 
  • People: emergency contact people - who are our key members to run the disaster recovery plan (this includes a plan for press releases, contacting clients, and so on).
  • Speed: how quickly we could get it up and running, for example, James in media to deal with media press release and statement; responsible to contact clients, operational suppliers, have specific people. 

But to end more positively, Tullet says, “There are genuine steps you can take, as an employer or employee, to work more securely. You just need to think differently and be willing to change some of the (often conservative) assumptions about how business has to be done, how technology has to be deployed, and how risk has to be managed.”

 

With our dedicated approach to cyber security - and no rose-tinted glasses in sight - we know we’re doing the best for our clients and for our staff. 

Not sure how to tell if your agency has taken every precaution to protect your sensitive data? Download our handy checklist with questions to ask your agency about data security.

P.S. Don't forget to share these tips with your friends and family to help build awareness around the importance of data security.