Do you ask your webinar registrants for contact information such as name, email, fax and telephone number? I’ll bet you try to keep that information secure. At least I hope you do. Imagine how badly your reputation would be tarnished if hackers and spammers could suddenly start contacting your past registrants via those channels.
But you aren’t the only one with that information… It lives on the servers of your web conferencing software vendor. Where do you think you got the reports from? Do you know how long the data stays there? Do you know how the vendor safeguards the data? After all, they are a juicier target than you. They store data for thousands of clients and webinars. Potentially millions of records.
It’s getting more common now for webinar vendors or service-supplying OEMs to accept payments on your behalf for fee-based webinars. If they hand off to a third party payment processor, you should verify that the financial data goes straight to that processor and never passes through the web conferencing vendor’s own systems, so the vendor never has a chance to intercept the information. But if they actually perform the payment processing themselves, you need to get seriously concerned.
Rick Olson is President and CEO of KRM Information Services. KRM is a services supplier that uses third party web conferencing software and also handles payment processing for attendee funded webinars. Rick shared with me some very interesting documents that they produced for their clients. One is a short 3-page whitepaper with seven key questions to ask your web conferencing provider about their security arrangements. You can download a copy from the KRM website by providing your contact information on www.krm.com/security. Of course KRM assures you that your contact information is safe because they adhere to proper security practices on all seven points!
The second document is not available to you. Rick gave me an insider’s look at an answer guide they produced for their own employees to use in answering prospect or client questions about security. An eye-opening statistic was just what it costs KRM to test and verify financial data security on an ongoing basis.
KRM has to pass two separate audits of their data security. Payment Card Industry (PCI) data security standards specify monthly vulnerability scans of externally accessible components. Then there is an annual external penetration test and an internal penetration test to see what damage could be done by someone who gets inside the company’s own firewall.
KRM spends $13,000 a year on those tests by a certified security firm and Rick estimates that it uses another $7,000 of internal staff time.
But that’s the cheap certification! A more stringent security verification is known as SSAE 16. This auditing standard for service organizations handling financial information is filled with confusing acronyms such as SOC 1, which covers internal controls. Rick says that they spend $50,000 a year on SSAE 16 audits and use up another $20,000 of KRM staff time.
So the cost of simply verifying the operation of KRM’s security arrangements is around $90,000 a year. And remember, that doesn’t count the systems, software, and staff time necessary to implement the security levels!
I had no idea the burden of proof was so high for companies handling financial data. Now I see why most vendors simply turn your registrants over to an external payment processor such as PayPal. If they don’t, you should definitely check on them to make sure they aren’t cutting corners to save a buck on security.
Even if they don’t handle financial data, it’s worth asking about the security of your registrant contact information. If you think it’s a low-probability concern, read this article from InformationWeek on data breaches in 2011. A conservative estimate of last year’s data breaches is 535 breaches involving 30.4 million sensitive records. Scary.