I was hacked. It was December 2019 and I was copied into an email from a client that was forwarded onto their finance department, requesting immediate payment for a late invoice. Given I’d only invoiced a few days previously and my terms are 14 days, I knew this was odd…
Then I saw the forwarded email from ‘me’.
Only it wasn’t. It was from an unscrupulous little sh*t who was trying to take advantage of my business and my customers for their own financial gain.
I’d never felt so sick or so scared in my life.
Thankfully, data breaches aren’t an alien subject to me because I have a few clients working in the worlds of data and cybersecurity. So I had a rough idea of what to do and who to call to sort it out without it affecting anyone.
I discovered the hacker entered my IT infrastructure through an old inbox I’d accidentally left open after switching hosting providers. They’d used it to send demands for money to everyone I’d ever emailed – and because it was sent from my email account it looked perfectly legitimate.
When it comes to data protection and privacy, the whole experience put me on permanent high alert.
Data protection by design and default
Because I have clients in the data space, and have therefore spent far too many hours reading legislation and the impact when organisations fail to comply, I’ve always designed my business processes with data privacy in mind. Any data I collect within my business is for a very specific purpose, I’ve only ever asked for the bare minimum, and when I no longer need it, I get rid.
Not every company does this. I don’t understand why – not only does collecting more data make you a juicier target, it’s also going to cost you more to store and manage.
But just because you design something a certain way, doesn’t mean it automatically happens – you need to check. I may be a company of 1, but every month I run my documented end-of-month process, which includes deleting any data and information I no longer need.
In making data deletion part of my ‘business-as-usual’ I’m pretty confident that I don’t have any nasty surprises lurking in the shadows.
Being B2B doesn’t automatically protect you
When GDPR was coming into effect, I remember hearing a lot of people say that if you were operating B2B, the rules didn’t really apply to you because the email addresses were business ones, not personal ones. And you could get away with passing any direct communications off under ‘legitimate interest’.
After I was breached and had to make that awful call to the Information Commissioner’s Office (ICO) I remember stressing that I was operating B2B and every email address that had been compromised was a business domain. It didn’t matter because the moment you’re able to identify an individual based on that address, it’s classed as ‘personal information’. Out of the list of emails that had been accessed during my breach, about 3 weren’t something like ‘firstname.surname@ABCcompany.com’.
Compliance isn’t a tick-box exercise
Like most people, I ensured my business was compliant before the GDPR deadline hit in May 2018. The ICO is really helpful and has published guidance that speaks to different businesses and people working in different roles, so I worked my way through the assessments and felt pretty confident my business was ok.
Like a lot of businesses, I then moved on to thinking of other things and didn’t give compliance another thought…
Until I was breached.
Suffering a hack makes you feel completely violated and utterly exposed – mainly because you’ve let your clients be taken advantage of. I was supposed to take care of them and I didn’t. I failed.
It was only after my breach that I incorporated my monthly data-related checks into my month end process. I also had a data security professional check my privacy notice. I changed and strengthened all my passwords and started using 2-factor authentication.
But it’s still not enough.
Nearly a year on I still feel vulnerable.
My business is always changing
I once had a client that said if your business isn’t constantly growing and changing, you’re on the road to ruin – wise words!!
And the fact is that even within a year, my business has changed so much. Not only in the clients I work with, but also how I promote myself.
I know I’ve kept on top of managing my client data, but I’ve never stopped to think about how my new promotional efforts affect the way I interact with data and how that could leave my business exposed. For example, I started tracking my website analytics to analyse and identify my best performing content, and I recently started sending a monthly email newsletter.
Compliance is never about ticking a box to say you’ve done something, it’s about establishing good data management principles to run your business by.
I get by with a little help from my friends!
A few months ago I was taking part in a #FreelanceHeroes Twitter chat that was hosted by Emily Overton – aka RMGirl. She loves data sooo much that she’s carved her whole career out of helping companies to keep their data safe.
The session was incredible, and I think everyone who attended left feeling like they had some homework to do! Thankfully, Emily produced a wonderful guide called “Data Protection for Freelancers” – although to be honest, the insights, tips and guidance apply to every small business.
I was relatively confident about how I use data – like I said, I follow privacy by design. But it turns out I still had areas to fine tune:
- While I’d done all the assessments, I didn’t actually have any evidence saved in a folder. If I was ever challenged by the ICO, I had no way of demonstrating my compliance.
- And it’s made me take a closer look at Google Analytics, how the platform is using personal/behavioural data and questioning whether it’s right for my business.
If someone wants to get into your network they will. But in setting aside one afternoon and reading through the guide with a coffee and cake (naturally!) I genuinely feel like there’s nothing more I can do to keep my customers safe, and therefore no longer feel the need to be constantly looking over my shoulder.
As marketers we’re the biggest risk
Perhaps more than anyone in an organisation, it’s marketers who have the greatest exposure to data – whether through access to the CRM system and how that customer data is put into the all-important nurture flows, how we track metrics on different platforms to inform our lead generation strategies, or how we collect, manage and process data in our outreach campaigns.
Yes, we are responsible for maintaining our brand’s reputation, but more than that, we have a responsibility to our clients to keep their data safe.
If you’re questioning whether you’re doing enough to protect your customers’ data, want to learn more about data protection by design and default, or marketing lists and who you’re allowed to email, you can find Emily’s guide here…