This paper is intended for all business segments including members of the interactive messaging ecosystem most recently victimized by breaches and data loss incidents. OTA suggests organizations create a cross-functional team to review these recommendations and develop a prioritized game plan based on their assessment of risks associated with their current data flows and practices.
Few events can damage a company’s brand and the trust of its customers more than a data incident, either the loss or misuse of customer data. We’ve witnessed in recent months cybercriminals targeting the email and interactive messaging ecosystem with increased malice and precision. Every brand and service provider in this ecosystem needs to understand the nature of these attacks, recognize their data is at risk and plan accordingly. Left unchecked, multiple data incidents across an industry and online can trigger a meltdown in consumer trust and damage the viability of online communication and commerce.
The ‘Security by Design’ framework is a holistic approach to security. It is predicated on the belief that all members of the messaging community have a stake in the preservation of consumer trust. Data stewardship is everyone’s responsibility and creating a culture of security is a critical priority as we move into an era of data-driven cross-channel communications and platforms.
OTA believes all businesses must take security and privacy seriously, and not wait for government regulation to force our hand. Effective self-regulation and transparency will enhance the vitality of our industry and advance the interests of all legitimate stakeholders, but its absence will have the opposite and significantly detrimental effect.
This document provides a security framework that every business and technical leader should carefully consider. To assist in the development of a plan, a series of twenty questions are included to stimulate internal review. These security best practices are presented as a starting point for security professionals and operations managers as they seek to assess their data and operational security requirements.1
1 Note: these recommendations do not override other standards that apply to specific industries, such as the financial services, PCI credit data and health care sectors. Those recommendations deemed appropriate should be included in internal operating guidelines and stipulated in RFPs and agreements with third parties.
