
The Threat From Ransomware Is Increasing

There’s an old aphorism which is as true today as when it was first coined: a fence is only a barrier to those who don’t really want to get in. It’s not the most reassuring adage in the world. In fact, for those of us in email marketing, it encapsulates the threat that we live under as we go about our business.

If that hasn’t depressed you enough, the ICO reports that there has been a steady increase in the number, and severity, of data breaches caused by ransomware during 2020/2021. On the positive side, there are ways to limit your risks.

Ransomware, for those of you living in blissful ignorance, is a type of malware that unlawfully encrypts files on the computers of others and demands money as the price of decrypting them. It’s blackmail. Not only that, the norm is that your email marketing list data will be accessible to criminals.

As is the norm with the ICO, they have a sort of stick/carrot approach to limiting such attacks. They provide a checklist to assist in reducing your vulnerability, with the headings of: Governance, Asset identification, Technical control selection, Access controls, Vulnerability management, Staff education and awareness, Detection, Incident response, Disaster recovery, and Assurance. It is a lot of work, although if you feel like avoiding it, beware. This is where the ICO’s big stick comes into it.

The threat is not only that you lose access to and control over the personal data of your subscribers, but that such loss will be permanent, even if you pay. It is probable that a company affected by ransomware will be further attacked by, for instance, phishing. Your subscribers’ personal data can, and probably will, be used for criminal activities. On top of that, loss of the data of subscribers to your email marketing list, and other customers, might well constitute an offence for which you are liable to be heavily fined.

You might feel that, as an SME, you are not at risk from attack because you have limited data, and these criminals will obviously target businesses with more data. That’s comforting. Unfortunately, it’s not true. The methods used to attack companies mean that everybody is in the crosshairs.

To put it simply, all your data is at risk, the likelihood of the subscribers to email marketing lists remaining after a breach is low, ransomware will seriously inconvenience your business and the ICO will take a serious view of the matter. In other words, you need to do something about your security.

Go to . The rather grandly named National Cyber Security Council is there to assist you in preventing the more common types of attacks. The measures described are a requirement under the GDPR. You need to implement them not only to protect yourself from ransomware, but to protect your company from punishment by the ICO. It says on the original page linked that you should ensure you document and appropriately retain your records, as you may need to submit them to the ICO. The implications of that are clear.

We will visit this again in the future.
