Working with Concep to prevent data breaches

Rory Taylor, CTO, Concep

Data breaches can cause devastating financial losses and affect an organization’s reputation for years. In the US alone, the average cost of a data breach is USD 3.92 million.

From lost business to regulatory fines, data breaches have far-reaching consequences. In a professional services environment where firms rely on trusted relationships to do business, the impact and reputational fall-out can be devastating.

As technology solutions advance, with more internet-connected devices per user and more third-party applications in use, it can often be hard to identify and secure the source of a breach.

The riskiest threat to data security comes from within

Studies have shown that the biggest threat of data breach is likely to come from lack of staff training and awareness. In fact, a Ponemon Institute report suggests 64% of security breaches are caused by user negligence alone.

One of the most common data security scams is phishing. Phishing emails look like they are from a company you know or trust. They will often include links that refer to credible-looking information such as fake invoices, notice of a pending refund – or sometimes just a note about lunch! Employees are led to believe that the information is important or useful to them and will click on a link to a fraudulent website where they may be asked to share sensitive information; or they may open an attachment that will install malware, spyware, or worse still, ransomware, on their device.

Recently, Boston-based law firm Prince Lobel Tye LLP was the victim of a phishing scheme causing their contacts to receive fake invoices from the firm for large sums of money. The firm, which uses a third-party platform to deliver their emails, was initially sure the breach had not come from them and looked to the platform vendor for explanation. The vendor confirmed that the incident was “not due to any breach or security lapse on their end”; rather, the law firm’s login credentials to their email marketing platform had been compromised.

The repercussions and publicity from the breach have raised awareness of the risk amongst professional services firms that use third-party platforms like Concep. As a marketing platform that connects and integrates with clients’ internal systems, Concep has solutions in place to help our clients make logins more secure and lower the risk of incidents like this happening.

What does Concep do to help firms mitigate the risk of data breach?

Unfortunately, nothing can prevent an attacker logging in if they have valid user credentials. Concep deploys a number of powerful mechanisms that help prevent platform user accounts from being accessed or used by unauthorised people:

  1. Campaign Approvals Feature

Concep’s e-mail marketing capability has a campaign approval settings feature. Approvals can be applied to all individual Concep Send accounts and campaigns and assigned to one or more predetermined admins, or senior members of staff, so that communications do not go out unless they have been specifically approved. This helps ensure that emails are sent to recipients free of errors and within branding guidelines. From a security perspective, it also helps to ensure that no malicious or suspicious communications go out.

  2. Single Sign-On (SSO) and Multi-Factor Authentication (MFA)

The more portals or platforms a user has to sign in to, the higher the security risk. Implementing a Single Sign-On solution can help reduce the risk of a user forgetting the password or using a very weak one. SSO authenticates the user on one platform and gives them access to other areas or services without having to log in again. It not only saves the user time and effort; it also helps IT monitor and control security.

Increasingly, a password alone is not always sufficient to create a secure environment. Alongside SSO, an additional layer of security, multi-factor authentication (MFA), can be enabled. If the first layer is something you know, like a code, a PIN or a password, the second layer involves something you have – usually a smartphone or other mobile device. By combining both layers, firms can verify the authenticity of the login attempt and grant secure access.

  3. Microsoft Azure Active Directory

Microsoft’s Azure Active Directory (Azure AD) provides both SSO and MFA to help protect users from 99.9 per cent of cybersecurity attacks. Concep Send offers the ability to connect with Azure Active Directory, allowing users to access their Concep account without logging in separately, which makes using our platform even more secure.

What can Concep users do to prevent accounts being compromised?

The responsibility to mitigate security risk also lies with the end-user. Concep strongly recommends our platform users take a proactive approach to prevent their account from being compromised. There are 3 things they can do:

#1 Update your passwords. Firms should agree how frequently a password needs to be changed and provide timely prompts that also set the required strength of the password.

#2 Ensure you have individual accounts and avoid sharing an account with the same username and password.

#3 Find out what your corporate security policies are and make them part of your marketing compliance and pro-security team culture.

Taking a corporate approach

Professional services firms of all sizes should regularly communicate their corporate security policies to their employees and have processes in place to ensure these are adhered to. Training and awareness of staff are key to mitigating risks. Encourage employees to ask about a suspicious phishing email before they open it and quickly communicate the scam to other employees. By creating a proactive stay-safe culture, firms will make huge strides in preventing cyber-attacks and avoiding the repercussions.

Managing information security responsibly cannot be achieved in isolation; it requires action at an organisational IT policy level, solutions from third-party vendors and discipline from the end users. Working together, we can help prevent data breaches.

For more information on the requirements needed to deploy Concep’s professional services marketing platform using secure single sign-on, multi-factor authentication, or Azure Active Directory, contact our team.