A guide to selecting a secure virtual community or event platform
Given the unprecedented nature of the COVID-19 pandemic that has led to explosive growth in the virtual event space, it’s no surprise that many companies are scrambling to find new tools to help them stay engaged with their customers. However, many new platforms have not implemented enterprise security features and protocol. So it’s imperative that you select SaaS community platforms with strong data security measures already in place. Failure to do so will result in losing the trust of your customers, your community and your brand equity. The past decade was dominated by headlines of brands that failed their customers when it came to protecting personal data. You don’t want to be next on this list.
When building customer communities, you’re going to be processing a lot of personal data and information. Ensuring that the tools you’re using are taking proper security measures should be a big priority for every community team.
The reality of data breaches
Data breaches have eroded trust and led to significant safeguards needed to address the growing risk to consumer protection and privacy. McKinsey & Company reported the breaches have also promoted the increased use of tools that give people more control over their data. One in ten internet users around the world (and three in ten US users) deploy ad-blocking software that can prevent companies from tracking online activity. The great majority of respondents—87 percent—said they would not do business with a company if they had concerns about its security practices. Seventy-one percent said they would stop doing business with a company if it gave away sensitive data without permission.
Unfortunately, security hasn’t been a huge priority for companies in 2020. Following the outbreak of the coronavirus, companies all over the world cancelled user conferences and business travel that previously generated billions of dollars in pipeline and customer engagement. They needed a quick fix to finding virtual event and online community tools that would replace their field marketing, conference events, and other in-person interactions. As a result, many of the safeguards and data governance policies that companies should prioritize took a back seat. And the reality is most policies didn’t go far enough to product community member data in the first place.
Prioritizing security in your community
The Harvard Business Review reported that the most common data protection approach currently being followed by businesses is to control access to the data after it’s been gathered. This access control approach is woefully inadequate for multiple reasons. First, as soon as a company shares data either internally or externally, its ability to control access deteriorates rapidly. Because many companies will enter into second party data sharing.
Further, practices like pseudonymization (which will be required by GDPR) — defined as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information” — are not sufficient. This is because the combination of age range, timestamp, gender, and zip code creates a unique population record which can be linked to the additional information.
In a world of increased complexity and competition, trust with your customers is your most important asset. Over the past few years, data privacy and protection measures have placed increased demands on CIO and CTO organizations. 2020 has brought a whole new set of challenges. It’s tempting for many organizations to look for short term solutions when it comes to exploring new SaaS platforms. But it can be reckless and risky to leave your customer data vulnerable.
As outlined in the CMX Guide to Selecting a Community Platform, when you invest in any community platform, you make a list of requirements that platform needs to have in order for them to be feasible to use. Security and compliance should be high on your list. Here is a checklist of five things you need to consider about the safety and security of your community member’s information.
Five things to consider before selecting community software
1. Data Ownership
Who actually owns your customer data? Given all the current privacy protections, it’s not surprising that some people are lulled into a false sense of security. When you consider using a virtual event or community platform, it’s critical that you read the fine print. Many platforms disclose, transfer or share your Customer’s Personal Data with certain third parties without further notice to you.
2. ISO Certifications
ISO certification certifies that a management system, manufacturing process, service, or documentation procedure has all the requirements for standardization and quality assurance. Fundamentally a management system for information security should be in place; Security policy should be set by company leadership and regularly reviewed. Regular management reviews, considering the internal and external context of the organization should assure continuing relevance of the management framework as well as information security practices.
3. SOC 2 Reporting
Modern SaaS providers handling enterprise data should be able to deliver a SOC 2 report that is no more than twelve months old. This provides an interested party an independent assessment of a firm’s technical controls as related to a set of trust services criteria. SOC 2 Type 1 reports report on a snapshot of what the auditors found at the time of their analysis. SOC 2 Type 2 reports are generally more involved reports on what the auditors discovered over a review period of usually three to twelve months. In the end SOC 2 reports represent important documentation for vendor risk assessments.
4. External Penetration Tests
Again, there is tremendous value in independent, third-party assessments. Your virtual event provider should contract at least annually with highly experienced security researchers to evaluate the security of our product offering. These evaluations are in-depth and substantial time investments. Of course, they should care about security and perform evaluations internally as well – but an educated outside perspective is extremely important.
5. Secure Product Development Practices
Raising security and privacy concerns during requirements elicitation and design discussions, thoughtful code reviews, selecting and adherence to meaningful application security review frameworks, assuring of automated, security-related tests, and much more – all this matters greatly. At Bevy we have been investing in this for years.
These are just a few of the top considerations you should be aware of when thinking about a virtual event or community platform. As many organizations search for new tools and technology to navigate these uncharted waters, we all need to remain vigilant to protect our communities.