Table 2 in Verizon’s 2011 Data Breach Investigations Report suggests that data breaches occur frequently in relatively small companies.

Table 2. Organizational size by number of breaches (number of employees)

1 to 10                                        46

11 to 100                                  436

101 to 1,000                           74

1,001 to 10,000                   49

10,001 to 100,000 59

Over 100,000                       55

Unknown                               40

It may be that these smaller companies have not had the time to construct and test their defenses; hence they represent “low hanging fruit” to attackers either outside or inside.  Larger companies may be more attractive due to their size and potential, but they may also be much more difficult to penetrate.

Regardless of being large or small, it is worth noting that in today’s world there is a high probability that something bad will happen.  It could be an external hack, a social network mistake, or a concentrated effort by external groups to convince you to change your ways (See:  http://www.1goodreason.com/blog/blog/2010/05/19/nestles-social-media-meltdown-case-study/ )

The astute CMO understands that something bad will happen and consequently has a tested Marketing recovery plan in place.  Like an IT or Manufacturing/Operational contingency plan, the Marketing recovery plan swings into action when an “event” occurs.

For example, a small public hi-tech company might wake up one morning and discover that its intellectual property (IP) has been hacked.  Assuming that this might have a material impact on earnings, Management has the responsibility to disclose this information to the SEC and communicate it, in the best way possible, to shareholders and other interested stakeholders.

In a small company, how would this crisis be handled?  Does everyone know what to do?  Who speaks to the press, the SEC, investors, suppliers, employees?  Who instructs customer facing people what to say, how to gather responses, etc. etc.?

Having a tested recovery plan in place mitigates some of the immediate panic and uncertainty when an event occurs.  It certainly is not the time of “on the job” training.  As the voice of the company, it is the CMO’s responsibility to construct and test the Marketing recovery plan.  This includes getting Management’s buy-in on how a response is constructed and communicated.  Failure to act appropriately can severely damage a company’s image and tarnish brands forever.  Both the Chrysler-twitter embarrassment and Epsilon’s reaction/comments to its data breach have been criticized as to how they were handled. On the other hand, the Red Cross got kudos for how it handled a potentially damaging tweet.  See: http://mackcollier.com/red-cross-social-media-crisis-situation/

Does your company have a tested Marketing recovery plan?  Is the Marketing department prepared to lead the way when a crisis occurs?  Knowing that it is a matter of when, not if, an “event” occurs, shouldn’t you be prepared?

RHM  4/27/2011

On Monday I wrote about the lack of security being the ugly side of social media, and how CMOs are responsible for asking, “Is this safe?”

Last Friday Epsilon, an email marketing firm, disclosed that they had been hacked and that some of their customer’s email addresses had been taken/copied by a person or persons unknown.  You can read a NYT’s update here:  http://www.nytimes.com/2011/04/05/business/05hack.html

This has prompted the impacted companies to send out soothing emails. Thus far I have received three different emails, each trying to assure me that this is a minimum risk and not to be worried…urging, as the credit card company says to “only open emails from us.”  But how do I know it is them? (See the Krebs link below for an example of what the bad guys can do!)

This is the point.  The bad people who stole the email addresses are probably sophisticated enough to construct phishing emails, enticing people to open and click here, enabling the bad guys to both download a keystroke logger and ask you to fill out a fraudulent form, which basically means your machine and probably your bank accounts are toast.

So, CMOs at a slew of companies are trying to answer questions relating to how this happened, what the liability is, the impact on their brand, etc. etc.  I doubt if many of them asked Epsilon about their security procedures when they signed the contract, or had their IT experts review Epsilon’s procedures.  Even if they had, I doubt that such information is going to help them now.

The reality is that security in the Internet and relating to social media is weak, and that events like this will continue to happen.  Knowing this is the case it is imperative for CMOs to proceed with caution and to insist (1) that the vendors they deal with adhere to strict security standards, and (2) that they have a tested disaster recovery/reaction plan in place.

Here are two links that may be useful.  The first is from Brian Krebs where he blogs on how to react to phishing attacks.  The second is from MultiNational Merchant and offers suggestions on how to avoid a data breach.

http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/?

http://multichannelmerchant.com/crosschannel/lists/prevent-email-security-breach-epsilon-0404tpp3/

RHM  4/5/2011

Many blogs and articles have commented on the changes brought about by the Internet and social media.  Almost universally they are positive, talking about collaboration, telecommuting, unparalleled access to information, etc.  Some of the milder negative comments have been about how we are becoming addicted to our mobile devices and the concern that we are “always on.”

There is some conversation about the ugly side of social media.  One area is cyber bullying; another is cyber warfare and Advanced Persistent Threats (APT).  The most frequent is theft, the theft of money and/or intellectual property.  Some people are blogging and talking about it, but I don’t think anyone is listening.  For example:

Brian Krebs of http://krebsonsecurity.com/ has done an excellent job of identifying and exposing thieves who use the Internet to attack and rob small businesses and municipalities.  If the millions of dollars that have been taken were to occur via an armed robbery, it would be front page news, yet it rarely even gets reported.

Bruce Schneier http://www.schneier.com/blog/ often comments on significant attacks and vulnerabilities.  Overall, he is painting a relatively gloomy picture regarding the vulnerability of the Internet, and out ability to defend against an attack.

Mark Gibbs in Network World weighs in periodically on the risks that companies face: http://www.networkworld.com/columnists/2011/040411-backspin.html?

In the New York Times (John Markoff and David Pogue) publish articles from time-to-time about theft and the loss of intellectual property.

Other blogs that provide needed information are http://socialmediasecurity.com/, which is THE source for information about Facebook privacy (among other subjects) and http://www.tradesecretsblog.info/ which tracks intellectual property losses.

My point is that despite observers and commentators bringing this issue to the fore, millions of dollars of real money are being stolen, valuable intellectual property is being compromised, and no-one seems to notice or care…except for the victims and their insurance companies. I say this because it is not only continuing, but the rate and amounts of each theft are increasing.

Most workers will not knowingly put themselves or their company at risk.  Roofers generally wear safety belts while on a roof, machinists wear eye goggles, air hammer operators wear ear protection and yet users of the Internet are unaware of the risks and often dis-engage built in safety protection.

How does this relate to Marketing?  As CMO you represent the face and voice of the company.  You should be optimizing social media use as part of your marketing mix.  You should be experimenting with new and emerging social media tools.  But in doing so, you should also be asking the vendors, implementers, your IT department and everyone else…is this safe?  What is the probability that this device/system/network will be compromised?  What would be the results if this mobile device was lost and fell into the wrong hands?

As I said in my last post, everyone is a target.  The bad guys will go after the easy, low hanging fruit, and then work up to attack the more difficult.  That they were able to get into RSA illustrates the point.

In making decisions about deploying social media do you know what questions to ask about safety and security?  What will be your response, as the responsible person, when an event happens?

RHM  4/2/2011

Two recent social media blunders, one at Chrysler and the other at Aflac, combined with the serious hack disclosed last week of RSA, caught my attention.  The social media blunders seem to be due to youth, inexperience and ignorance.  The RSA hack seems to be an example of a major league sophisticated attack.

What is going to happen to companies when the two forces, ignorance/inexperience and malicious sophistication combine in the social media sphere?

How does a company defend itself when a competitor steals credentials and posts a damaging comment on twitter or a Facebook page?  What protection does a company have regarding its Intellectual Property (IP) when an agency or an employee is compromised via a social engineering attack?  If someone can break into RSA, how hard do you think it would be for a competitor to get a copy of your promotional plans (or pricing, or customer list, or new product roll out, etc) and launch pre-emptive attacks?

That RSA was breeched reinforces the concept that everyone is a target and the question is not “if” but rather “when.”  As the CMO you have to ask and get answers to the following questions:

• Do all employees and agencies understand the concept and reach of social media?
• Have they been trained as to what is right and wrong?
• Have they been trained regarding social engineering?
• Are their consequences for failing to follow clear guidelines?  (In the Chrysler case the employee lost his job and the agency lost the account.)
• Does IT have the necessary tools and equipment in place to monitor and/or catch failures?
• Is there a response policy in place?  Has it been tested?
• Etc.

All public companies must adhere to the concept of risk mitigation as defined in the revised Sarbanes-Oxley law.  However, social media is moving too fast and the IT auditors generally unaware that the emerging social media exposure can present a material risk to a company.  As the CMO it is your responsibility to bring this issue forward.  Failure to do so, along with not implementing mitigating procedures, carries the risk of significant SEC penalties.

Do you understand the risks?  Is your firm safe?  Do you know how to react when an event occurs?  If you would like a review of your policies, procedures and training, contact us

RHM  3/24/2011

 In Forrester’s article titled “ A Close Look At Cloud Computing Security”  by Chenxi Wang, Ph.D. Wang states “While cloud computing is able to deliver many benefits, organizations should not jump on the “cloud” wagon without a compelling business driver and a clear understanding of the security, privacy, compliance, and legal consequences. An effective assessment strategy covering these items will help you reach the ultimate goal: Make the cloud service work like your own IT security department and find ways to secure and optimize your investments in the cloud.”

Forrester includes data protection, disaster recovery, and identity management as some of the areas under security and suggest that an audit of the potential cloud provider to see what level of security is actually provided.

As for compliance, the user should analyze how the cloud may or may not impact one’s compliance requirements.

For legal and contractual issues, Forrester advises that one understands who owns/is responsible for what, between the user and the provider (the data, the infrastructure, etc.)

Another article by Network World’s Jon Brodkin titled “Gartner: Seven Cloud – Computing Security Risks” he talks about seven security risk areas.

1. Privileged user access, sensitive data processed outside the enterprise.

2. Regulatory compliance, how does the cloud provider match your guidelines?

3. Data location, where exactly is your data housed?

 4. Data segregation, understand that your data is “sitting” next to other’s data

 5. Disaster Recovery, what happens when there is an outage?

6.  Investigating inappropriate or illegal activity may be impossible in cloud computing,

7. Long-term viability, what happens if your provider “goes away”?

Another article in Network World that reported on the RSA conference, and stated that the former technical director of NSA, Brian Snow is very concerned about vendors offering cloud computing from a security point of view. He is concerned about vendors not addressing current security issues and about new issues that cloud computing will create.   Ironically another panelist was concerned about “Big Brother” listening in on cloud computing and how this might impact enterprises’ privacy and compliance issues.

So to wrap up, the internet has security issues, and since cloud computing is in the internet, cloud computing will have those security issues, ones listed above, and ones yet to be discovered. It comes down to the risk profile for your corporation; what level of risk is right for your company relative to investing in cloud computing? Obviously part of the risk assessment depends on your type of company.  If you are a financial advisor or in stock management where your intellectual property is basically the company then cloud computing as we currently know it is not right for you at any cost savings. If you resell ping -pong balls (no offense to ping- pong ball resellers) than the risk is relatively low and the savings from cloud computing outweigh the security and other considerations. 

Have you conducted an adequate risk assessment before deciding to move to cloud computing?

RHL 03/10/10

In obtaining this information, the buyer readily gives up some information about himself.  At a minimum, his/her name and email addresses; more detailed information about his/her company, buying intentions and other demographic data if he/she wants a particular white paper or is promised a discount or savings.

This information flows into the Marketing department and usually into an automated Customer Relationship Management (CRM) tool, often under the control of the CMO but maintained by the IT department.

The video below, produced by the ACLU a few years ago, is a tongue-in-cheek representation of what might happen if this information becomes freely available.  However, with data mining tools and loose security it is not too far fetched.

Ordering Pizza in the Future

It is important to note that the EU has an entirely different view of data privacy than the US.  If you work within a multi-national and/or are collecting information about people from outside the US, you need to take added steps to secure this information.

As CMO, are you comfortable that your customer information is secure and cannot slip out of your company?  If not, do you know what steps to take to make it secure?

RHM

11/19/2009

Recent releases, pronouncements and advice from analysts have continued to muddy the waters relating to social networks and networking.

• First, it was tweeted that ESPN was banning their talent from using twitter.  This was later clarified, but a close reading of ESPN’s policy suggests that ESPN personalities will only be tweeting about the weather.

• Then, the NFL took action by issuing a new policy,  ”The NFL, which has an official Twitter account, issued an edict this week banning coaches, players and football operations personnel, or anyone representing them, from updating their status on Twitter, Facebook or other social media during games and up to 90 minutes before and after.“

• This was followed by a research report from CareerBuilder that showed that hiring managers are frequently not making (or making) hiring decisions based on what they find on Facebook pages.

• The security pros got into the act, giving strong endorsement to security luminaries, Marcus Ranum and Hord Tipton when they denounced twitter at a Forrester conference.

• Finally, McKinsey released a report on Web 2.0 that shows that companies are effectively employing Web 2.0 tools, primarily blogs, wikis, and podcosts, but internally, not necessarily externally.

Given the buzz and hype, the mixed and often confusing messages, what position should a CMO take regarding of Web 2.0 or social networking or whatever it is called?

1. The use of new tools is here.  The key is how to best use them to achieve Marketing goals.
2. Indiscriminate use poses significant risk, especially data loss.  The new tools cannot be implemented without firm corporate policies…see ESPN and the NFL for examples.
3. Proof-points exist where they are being used to achieve higher levels of customer satisfaction and in meeting customer needs…see McKinsey.  Building off knowledge learned here can position the Marketer to use these tools in identifying customer needs as well as lead generation and qualification.
4. The “best practice” implementation of these new tools is unknown.  Those using them are trying, potentially failing and trying again.  There is little or no guidance in this area; waiting for the time where guidance and direction exists will be too late in today’s competitive arena.

Does your firm have a Social Networking policy?

Are you monitoring what is being said about you and your company?  If yes, are you responding appropriately?

Do you, as the CMO, have a number of initiatives launched or teed-up using the new social networking tools, risking failure, or are you a laggard waiting until the train has left the station?

RHM – 9/21/2009

In the past, Marketing people collected and retained “portfolios” of their work, to show others, and in the event of moving to a new job to show prospective new employers. These portfolios might contain samples of creative work, brochures, campaigns, Point-of-Sale displays, and so forth. Today, these creative works tend to be electronic and contained on computers.

How can a Marketing person construct a portfolio, especially when faced with a layoff and only having access to his/her material through a company issued computer?

Can they, should they, send copies of the material to their personal email address or copy it to a flash drive or CD? If they do, will it be detectable? What about the legal and moral issues?

Starting with technical questions:

Does deleting emails sent to personal addresses make it harder to find? Not really, especially if the company is intent on looking. There are built-in Microsoft tools as well as multiple third party tools and services available.  In addition, there could/should be logs that indicate activity, pointing to both the origination and deletion of the emails. Advanced Outlook Express Recovery is an example of one of the many such tools that can be used.

What if they were copied them to a CD or thumb drive instead? This makes it a little, but not much harder.  An examination of an employee’s computer can show what was downloaded, to what and when, fairly easily. There are a significant number of forensic tools available to IT administrators to help them discover what was downloaded, if this becomes a question.

On the non-technical side.

Today virtually all companies require a new employee to sign a series of documents as part of the hiring process. One is an Acceptable Use Policy (AUP), which specifies how the company issued computer and the Internet can and should be used during daily activity and in conducting company business.  Basically, the AUP says that everything on the computer belongs to the company and that they can fire you for cause if they find you are looking at porn, gambling, selling goods on eBay, watching ESPN, or anything else they prohibit.

A second document is an Intellectual Property Policy, which says that anything developed by you, while working for the company, belongs to the company.  This prohibits you from taking the formula for Coke, or anything else you developed, while working for the company.

The key is how these documents are interpreted.

If the Marketer is parting on good terms, many companies allow the employee to take copies of past presentations, brochures, white papers, etc. that are samples of the person’s work and in the public domain.  Not allowed would be the report that shows a 200% increase in sales due to the work product.

In addition, if the employee takes generic information that he/she has downloaded off the web, there is usually no problem.  If, however, the company has an agreement with Gartner/Forrester, etc. the proprietary nature of their reports is a no-no.

My observation is that it is in an employer’s best interest to allow a laid-off employee to take his/her information. It shows that the employer trusts the employee, and that by allowing him/her to have the information it potentially shortens their time between jobs. As a result, positive feelings are maintained. It also allows the new employer to make a “better” decision, as they can evaluate the prior work product as part of their hiring decision.

If the Marketer is not leaving on good terms, the employer (1) can easily find that he/she copied information, and (2) has legal standing to cause some problems, i.e., cancelling severance pay, no recommendation, etc.

If the company conducting a layoff does not have a “walk’em out the door” procedure, the Marketer might want to work with his/her manager, saying, “I have worked here for X years, and would like to take some personal and developed information on my computer; will you spend some time copying them to a thumb drive with me?”  The manager might say, “you know what our policies are, copy what you think is appropriate and let me review it.”

If the policy is to escort the laid-off people out the door, cutting off access to their computer, the Marketer might want to provide his/her manager or the HR manager with a list of documents and/or files that he would like, and ask him to forward them to him/her.

Either way, everyone knows what is happening and the company buys into what the Marketer is doing.

When talking with potential new employers, the ability to illustrate work product provides a significant advantage. In today’s electronic age, obtaining copies of this work in the event of being laid-off is difficult, but it can be done. It requires that the Marketer understand how the company interprets its policies and/or by constructing a detailed listing of documents and files beforehand.

Are you prepared?

RHM 7/29/2009

When we were children, the adults in our life provided guidance in the form of information and direction, which they learned from their parents, or acquired themselves through the school of hard knocks. We were instructed not to touch the stove…it is hot and can hurt you; to look both ways before crossing the street…cars can hurt you; and do not run with scissors, you will put your eye out; etc, etc. Sensible advice aimed at helping us as we grew up and experienced the world, as our parents knew it.

Due to the rapid pace of technological change, only a few adults are providing guidance to their children as they learn and use internet skills and social networking tools. A Generation Y /Echo Generation person, raised on a computer, with its immediate access to information, continual linkage to their friends through IM or SMS, and seeing what their friends are doing on Facebook, lives in a different world than someone who remembers a Basic programming class or punch cards.

The issue is that neither the parents nor the children know what to do or how to act. The parents because they have not experienced it, the children because they are generally naïve and trusting, and there is scant education about social networking risks. Interestingly the Government has stepped into this void with some clear information and direction.

Accepting that there are bad people in the world, and that they will take advantage of others for personal gain, the Internet poses risks to people, countries and enterprises. The Lori Drew/Meg Meier suicide case and identify theft are examples of personal attacks. Denial of Service attacks happen daily, and are now deployed by government agencies in state-to-state conflicts. Enterprises are prime targets as BJ’s, TJX Heartland and Choice Point can attest.

On top of the security risks, there are significant marketing risks. Failure to address all of them may negatively impact the company or bring it down completely. Specifically:

1. Is the company using social networking properly? Are we employing the right mix of “traditional” communication technologies with social networking technologies? Failure to use the right mix may allow competitors to gain market share.
2. If the company embraces social networking, and has multiple people blogging and tweeting, along with multiple Facebook pages, is the right message being communicated, consistently? Is the message being undercut by rouge bloggers? See what happened at Whole Foods for an extreme example.
3. If bad people are using the information contained in the Marketing blogs, Facebook, and LinkedIn sites, along with Marketing tweets, to develop social engineering attacks on our company as a whole, or as a way to blunt our marketing programs, what our are defenses and mitigation strategies?
4. What protection is in place to stop company confidential information from leaking out through social networking postings? Are postings by a junior Gen Y person that she is “going to the trade show and we are introducing a feature that will really rock”, or that “We working on closing a multi-million dollar deal with Acme Tool and Die” a concern? What if the posting is more specific? Does everyone understand the sensitive nature of information or commenting about places or things? Making negative comments about Memphis proved to be disastrous.

The bottom line is that no one is providing adult supervision regarding the use and application of social networking tools. The knowledgeable Marketing Manager recognizes the risks, prioritizes them and then works with his department and within the company to teach, learn and lead. However, as with technologies today, speed is critical. Failure to learn, adopt and educate in 2009 may result is some of the negative issues cited above.

How well do you understand all the risks of social networking, and what are your second half 2009 mitigation plans? Will you be called on to explain how something happened when a social network goes south…which is a “when,” not an “if”? Are you prepared?

My next post will answer the question, “Would Smokey the Bandit Tweet?

RHM 6/25/2009