Cybersecurity Awareness at NextRoll

How NextRoll is approaching Cybersecurity in the new decade

Founded (originally as AdRoll) in 2007, NextRoll operated very much like a startup for the better part of a decade. In the last five years or so, we’ve hit quite a growth spurt, both in terms of the size of the business, as well as maturing in its operations. Security has always been a focus for us, especially as we grew quickly in those early years. 

That emphasis recently led to the formation of a dedicated Information Security team to take a systematic approach to NextRoll’s security. Our “InfoSec” team has, in a very short time, added important structure and protection at NextRoll, and continues to improve and increase security – not just for us, but for our customers who trust us with their business.

Our Focus of Data Privacy

One of the biggest concerns right now for almost any company, including NextRoll, is around privacy and data that companies hold and process. As a marketing technology company, we rely on datasets to help our customers place ads and send targeted emails efficiently and thus engage the best possible audience. This data fuels our platform and what makes it so effective, so it’s one of the things we need to protect the most for our customers and our business. 

Since the beginning of COVID, there has been an alarming spike in ransomware attacks and data breaches. “Off the shelf” tools for cybercriminals are now more widely available and easy to use than ever, even for attackers who aren’t very technical. These are typically pre-made scripts or automated tooling that allows an [non-sophisticated] attacker to run simple but effective scans against websites and web apps. If there’s a way they can “sneak in,'' the tool will alert them. And with a few clicks later, without proper security, the attacker could have their hands on some very sensitive information. So how do we approach the task of securing the company and our customers?

Our strategy at NextRoll has several facets. We use a whole suite of tools and services that give us visibility across our environment and network, but they are also our early warning system. They alert us to irregularities or suspicious activity in our environment. Once we’re alerted, we investigate the issue and remediate it if necessary.

We also engage with a “bug bounty” platform, where independent security researchers find and report vulnerabilities to us in what’s called “Responsible Disclosure.” These researchers have the same skill sets as cybercriminals, but instead of trying to attack us or hold our systems for ransom, they report issues to us and we give them a financial reward, or “bounty.” This has proved to be a very complementary method to our existing tools, as it tends to reveal some of our blind spots, but ultimately it aids in our ability to detect and fix vulnerabilities.

Educating Rollers on Cybersecurity Trends

It’s estimated that the majority of breaches at companies happen at the employee level, where they are somehow compromised by an attacker. This is why one of the most important things we do towards our security is to create awareness among our employees. While many companies host an annual security training requirement, and we do too, we go a step further to look for ways to engage in security conversations throughout the year. 

In January, we promoted “Privacy Day” events, which included activities such as “privacy health checks” and reminders of security best practices and hygiene (e.g. using password managers to create complex and unique logins for respective accounts, using two-factor authentication, being conscious and intentional about what information is shared online). Prior to COVID, we used an “escape room” format to teach everyday security concepts. Our philosophy is if our people are following security best practices, and they themselves are secure, then NextRoll and our customers will be more secure as well.

This philosophy extends also to our executives. We conduct what’s known as a “tabletop exercise,” where executives and other key leaders participate in a simulated incident response. This allows us to practice our Incident and Breach Response process, as well as identify any potential gaps in the response. While we take as many measures as possible to prevent a breach from ever happening, practicing the process helps our state of readiness.

NextRoll’s SOC 2 Certification

All of this work probably sounds great, but we’ve also got the papers to prove it! Last year we completed our first SOC 2 (Type 2) certification, and we recently received our 2021 certification and report. We’ll continue to undergo this certification annually, and our reports are available to clients or potential clients upon request.

SOC 2 is an audit, conducted by a third party, which examines our policies and processes. We started with our first two focus areas – Security and Privacy – but we will expand our SOC 2 compliance into additional focus areas in the future.

Achieving SOC 2 certification means a company-wide effort ensued to ensure we satisfied all security and privacy audit requirements. Our processes, technologies, and people were aligned to demonstrate adherence to the best practices related to risk management, security governance, training and awareness, people management, change and configuration management, and business continuity.

The Future of Cybersecurity

There are a lot of new questions around the new era of privacy that we’re moving into and how that will affect cybersecurity – for better or for worse. With more legislation and regulation in the U.S. – like the California Consumer Privacy Act (CCPA) – and the world – like General Data Protection Regulation (GDPR) – privacy is something that’s not just a good thing to practice early and often, but it’s something businesses must take very seriously. 

As the requirements around protecting individuals’ data and privacy are more defined, we’re expanding and hardening our security around those pieces of data. And as our NextRoll business model relies so heavily on this type of data, we have always prioritized security around it, and we will continue to strengthen it – not only to meet regulatory requirements but to maintain the trust and confidence of our business unit customers. 

The landscape of cybersecurity, and the threats we try to protect against, are always evolving. Our team stays ahead of the curve and proactively fights threats by collaborating and connecting with InfoSec security leaders and colleagues. By sharing security best practices and staying plugged into wider security communities, we’re learning from challenges other companies face in today’s tech landscape. In this way, we benefit from not only learning from our own environment but also applying lessons learned by so many others across the security industry.