<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Fire Alarm Marketing Group &#187; Security</title>
	<atom:link href="http://firealarmmarketing.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://firealarmmarketing.com</link>
	<description>Tactical. Practical. Strategic.</description>
	<lastBuildDate>Tue, 17 Jan 2012 17:24:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>Marketing and Recovery Planning</title>
		<link>http://firealarmmarketing.com/2011/04/27/marketing-and-recovery-planning/</link>
		<comments>http://firealarmmarketing.com/2011/04/27/marketing-and-recovery-planning/#comments</comments>
		<pubDate>Wed, 27 Apr 2011 19:36:40 +0000</pubDate>
		<dc:creator>Robert Mannal</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Best Practices]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=3064</guid>
		<description><![CDATA[A discussion on the need for a tested "Marketing Recovery Plan".  Verizon's 2011 DBIR suggests that smaller companies are especially susceptible to an attack. ]]></description>
			<content:encoded><![CDATA[<p><img src="http://firealarmmarketing.com/wp-content/uploads/2011/04/computer-hacker-alert-300x236.jpg" alt="" /></p>
<p>Table 2 in Verizon’s <a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf"><strong><em>2011 Data Breach Investigations Report</em></strong></a> suggests that data breaches occur frequently in relatively small companies.</p>
<p style="text-align: center;"><strong>Table 2. Organizational size by number of breaches (number of employees)</strong></p>
<table style="margin-left: 270px;">
<tr><th style="text-align: left;">Number of employees</th><th style="text-align: right;">Breaches</th></tr>
<tr><td><strong>1 to 10</strong></td><td style="text-align: right;"><strong>46</strong></td></tr>
<tr style="color: #ff0000;"><td><strong>11 to 100</strong></td><td style="text-align: right;"><strong>436</strong></td></tr>
<tr><td><strong>101 to 1,000</strong></td><td style="text-align: right;"><strong>74</strong></td></tr>
<tr><td><strong>1,001 to 10,000</strong></td><td style="text-align: right;"><strong>49</strong></td></tr>
<tr><td><strong>10,001 to 100,000</strong></td><td style="text-align: right;"><strong>59</strong></td></tr>
<tr><td><strong>Over 100,000</strong></td><td style="text-align: right;"><strong>55</strong></td></tr>
<tr><td><strong>Unknown</strong></td><td style="text-align: right;"><strong>40</strong></td></tr>
</table>
<p>It may be that these smaller companies have not had the time to construct and test their defenses; hence they represent “low hanging fruit” to attackers either outside or inside.  Larger companies may be more attractive due to their size and potential, but they may also be much more difficult to penetrate.</p>
<p>Regardless of being large or small, it is worth noting that in today’s world there is a high probability that something bad will happen.  It could be an external hack, a social network mistake, or a concentrated effort by external groups to convince you to change your ways (See:  <a href="http://www.1goodreason.com/blog/blog/2010/05/19/nestles-social-media-meltdown-case-study/">http://www.1goodreason.com/blog/blog/2010/05/19/nestles-social-media-meltdown-case-study/</a> )</p>
<p>The astute CMO understands that something bad will happen and consequently has a tested Marketing recovery plan in place.  Like an IT or Manufacturing/Operational contingency plan, the Marketing recovery plan swings into action when an “event” occurs.</p>
<p>For example, a small public hi-tech company might wake up one morning and discover that its intellectual property (IP) has been hacked.  Assuming that this might have a material impact on earnings, Management has the responsibility to disclose this information to the SEC and communicate it, in the best way possible, to shareholders and other interested stakeholders.</p>
<p>In a small company, how would this crisis be handled?  Does everyone know what to do?  Who speaks to the press, the SEC, investors, suppliers, employees?  Who instructs customer facing people what to say, how to gather responses, etc. etc.?</p>
<p>Having a tested recovery plan in place mitigates some of the immediate panic and uncertainty when an event occurs.  It certainly is not the time for “on the job” training.  As the voice of the company, it is the CMO’s responsibility to construct and test the Marketing recovery plan.  This includes getting Management’s buy-in on how a response is constructed and communicated.  Failure to act appropriately can severely damage a company’s image and tarnish brands forever.  Both the <a href="http://www.informationweek.com/news/internet/social_network/showArticle.jhtml?articleID=229300819&amp;cid=RSSfeed_IWK_All&amp;fmid=24518">Chrysler-Twitter embarrassment</a> and <a href="http://www.epsilon.com/News%20&amp;%20Events/Press_Releases_2011/Alliance_Data_Provides_Statement_Surrounding_Unauthorized_Entry_Incident_at_Epsilon_Subsidiary/p1061-l3">Epsilon’s reaction/comments</a> to its data breach have been criticized for how they were handled. On the other hand, the Red Cross got kudos for how it handled a potentially damaging tweet.  See: <a href="http://mackcollier.com/red-cross-social-media-crisis-situation/">http://mackcollier.com/red-cross-social-media-crisis-situation/</a></p>
<p>Does your company have a tested Marketing recovery plan?  Is the Marketing department prepared to lead the way when a crisis occurs?  Knowing that it is a matter of when, not if, an “event” occurs, shouldn’t you be prepared?</p>
<p>RHM  4/27/2011</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2011/04/27/marketing-and-recovery-planning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Email, Trust and Epsilon</title>
		<link>http://firealarmmarketing.com/2011/04/13/email-trust-and-epsilon/</link>
		<comments>http://firealarmmarketing.com/2011/04/13/email-trust-and-epsilon/#comments</comments>
		<pubDate>Wed, 13 Apr 2011 14:15:02 +0000</pubDate>
		<dc:creator>Robert Mannal</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=3058</guid>
		<description><![CDATA[Suggestions for Marketers on how to use email in the aftermath of the Epsilon breach.]]></description>
			<content:encoded><![CDATA[<p><img src="http://firealarmmarketing.com/wp-content/uploads/2011/04/ripple.jpg" alt="" /></p>
<p>Email is in a gray area.  As marketers we use it to generate leads, to nurture potential buyers through the buying cycle and to keep our current customers up-to-date.  As recipients we know that much of email is SPAM, and have it blocked by corporate SPAM filters and often delete it from those that we do not know. We have been taught to never open an email attachment from someone we do not know or to click on a download button…yet many of us do, often with disastrous results.</p>
<p>The ripple effect of incidents at RSA and Epsilon suggests that a seismic change to marketing’s use of email may take place.  RSA was breached and core information taken.  <a href="http://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/">RSA has reported</a>:</p>
<p style="padding-left: 30px;">&#8220;The attack itself involved a targeted phishing campaign that used a Flash object embedded in an Excel file. The assault, probably selected after reconnaissance work on social networking sites, was ultimately aimed at planting back-door malware on machines on RSA&#8217;s network, according to a <a href="http://blogs.rsa.com/rivner/anatomy-of-an-attack" target="_blank">blog post</a> by Uri Rivner, head of new technologies, identity protection and verification at RSA.&#8221;</p>
<p>What is surprising about this attack is that RSA employees, who should be knowledgeable about security, were taken in by it.  If they were spoofed, what is the likelihood that the average employee in your company will be taken in?</p>
<p>Epsilon was breached and thousands or millions of email addresses were taken.  Already some people have reported that they have received “spear-phishing” attacks, where the email appears to have come from a trusted source.</p>
<p>Trust is an earned value.  It takes a long time to get it and an instant to lose it.</p>
<p>If, in the past, we trusted email from Citibank, McKinsey, Best Buy or  Disney and now we cannot (their email address files were all taken from Epsilon), how can we believe any email we get from these sources, even if it is valid?  And, if we cannot trust these sources, why would we trust anyone else?</p>
<p>I expect that many CIOs and CSOs are putting together training packages for all employees that educate about spear-phishing, and emphasize the need to never click on a download button, or fill out a form asking for Personally Identifiable Information (PII). Where does this leave a marketer, who cannot include a newsletter as an attachment, and who will soon recognize that the download button is either stopped by the SPAM filter or is not being used?</p>
<p>Hopefully part of the CSO’s education package will cover how to identify domain names.  A valid domain name is <a href="http://www.firealarmmarketing.com/">http://www.firealarmmarketing.com/</a> where the firealarmmarketing.com comes before the second slash.  Anything else is probably a phishing attempt.  So, rather than use a “click-here” or “download” button, email marketers should use (as they did in the past) the URL for what they want the reader to do.  For example, I could say:</p>
<p style="padding-left: 30px;">To learn more about Epsilon’s data breach see: <a href="http://firealarmmarketing.com/2011/04/06/the-lack-of-security-epsilons-data-breach/">http://firealarmmarketing.com/2011/04/06/the-lack-of-security-epsilons-data-breach/</a></p>
<p style="padding-left: 30px;">(More information about domain names and understanding spammers can be found in this posting: <a href="http://www.bustspammers.com/phishing_links.html">http://www.bustspammers.com/phishing_links.html</a> )</p>
<p>Going forward, fancy graphics and clever links have to give way to re-building trust among readers.  Additional steps that may be required are suggesting that the reader Google your company or brand, or that they type in your URL…which may mean shorter URLs and potentially fewer micro-sites.</p>
<p>Establishing trust is key in any relationship.  The Epsilon breach and its ramifications to email usage by Marketers are significant in that it damages an already tenuous bond.  Those Marketers that can establish and reinforce that trust will be successful.</p>
<p>Have you contemplated how you will change your email campaigns knowing that they may not be opened or that links may not be clicked?</p>
<p>RHM  4/12/2011</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2011/04/13/email-trust-and-epsilon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Lack of Security &#8211; Epsilon&#8217;s Data Breach</title>
		<link>http://firealarmmarketing.com/2011/04/06/the-lack-of-security-epsilons-data-breach/</link>
		<comments>http://firealarmmarketing.com/2011/04/06/the-lack-of-security-epsilons-data-breach/#comments</comments>
		<pubDate>Wed, 06 Apr 2011 18:19:18 +0000</pubDate>
		<dc:creator>Robert Mannal</dc:creator>
				<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=3049</guid>
		<description><![CDATA[An addendum to Monday's post, using Epsilon as an example of the lack of security in social media; with links to articles offering protective solutions.]]></description>
			<content:encoded><![CDATA[<p><img src="http://firealarmmarketing.com/wp-content/uploads/2011/04/data-breach-290x300.jpg" alt="" /></p>
<p>On Monday I wrote about the lack of security being the ugly side of social media, and how CMOs are responsible for asking, “Is this safe?”</p>
<p>Last Friday Epsilon, an email marketing firm, disclosed that they had been hacked and that some of their customers’ email addresses had been taken/copied by a person or persons unknown.  You can read an NYT update here:  <a href="http://www.nytimes.com/2011/04/05/business/05hack.html">http://www.nytimes.com/2011/04/05/business/05hack.html</a></p>
<p>This has prompted the impacted companies to send out soothing emails. Thus far I have received three different emails, each trying to assure me that this is a minimum risk and not to be worried…urging, as the credit card company says to “only open emails from us.”  But how do I know it is them? (See the Krebs link below for an example of what the bad guys can do!)</p>
<p>This is the point.  The bad people who stole the email addresses are probably sophisticated enough to construct phishing emails, enticing people to open and <strong><em>click here</em></strong>, enabling the bad guys to both download a keystroke logger and ask you to fill out a fraudulent form, which basically means your machine and probably your bank accounts are toast.</p>
<p>So, CMOs at a slew of companies are trying to answer questions relating to how this happened, what the liability is, the impact on their brand, etc. etc.  I doubt if many of them asked Epsilon about their security procedures when they signed the contract, or had their IT experts review Epsilon’s procedures.  Even if they had, I doubt that such information is going to help them now.</p>
<p>The reality is that security in the Internet and relating to social media is weak, and that events like this will continue to happen.  Knowing this is the case it is imperative for CMOs to proceed with caution and to insist (1) that the vendors they deal with adhere to strict security standards, and (2) that they have a tested disaster recovery/reaction plan in place.</p>
<p>Here are two links that may be useful.  The first is from Brian Krebs where he blogs on how to react to phishing attacks.  The second is from MultiNational Merchant and offers suggestions on how to avoid a data breach.</p>
<p><a href="http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/?">http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/?</a></p>
<p><a href="http://multichannelmerchant.com/crosschannel/lists/prevent-email-security-breach-epsilon-0404tpp3/">http://multichannelmerchant.com/crosschannel/lists/prevent-email-security-breach-epsilon-0404tpp3/</a></p>
<p>RHM  4/5/2011</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2011/04/06/the-lack-of-security-epsilons-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Lack of Security – The Ugly Side of Social Media</title>
		<link>http://firealarmmarketing.com/2011/04/04/the-lack-of-security-%e2%80%93-the-ugly-side-of-social-media/</link>
		<comments>http://firealarmmarketing.com/2011/04/04/the-lack-of-security-%e2%80%93-the-ugly-side-of-social-media/#comments</comments>
		<pubDate>Mon, 04 Apr 2011 15:12:50 +0000</pubDate>
		<dc:creator>Robert Mannal</dc:creator>
				<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=3040</guid>
		<description><![CDATA[A comment on the lack of security in the Internet/social media, pointing out the responsibility of the CMO to ensure that social media applications are safe.]]></description>
			<content:encoded><![CDATA[<p><img src="http://firealarmmarketing.com/wp-content/uploads/2011/04/hackers-150x150.jpg" alt="" /></p>
<p>Many blogs and articles have commented on the changes brought about by the Internet and social media.  Almost universally they are positive, talking about collaboration, telecommuting, unparalleled access to information, etc.  Some of the milder negative comments have been about how we are becoming addicted to our mobile devices and the concern that we are “always on.”</p>
<p>There is some conversation about the ugly side of social media.  One area is cyber bullying; another is cyber warfare and <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat">Advanced Persistent Threats (APT)</a>.  The most frequent is theft, the theft of money and/or intellectual property.  Some people are blogging and talking about it, but I don’t think anyone is listening.  For example:</p>
<p style="padding-left: 30px;">Brian Krebs of <a href="http://krebsonsecurity.com/">http://krebsonsecurity.com/</a> has done an excellent job of identifying and exposing thieves who use the Internet to attack and rob small businesses and municipalities.  If the millions of dollars that have been taken were to occur via an armed robbery, it would be front page news, yet it rarely even gets reported.</p>
<p style="padding-left: 30px;">Bruce Schneier (<a href="http://www.schneier.com/blog/">http://www.schneier.com/blog/</a>) often comments on significant attacks and vulnerabilities.  Overall, he is painting a relatively gloomy picture regarding the vulnerability of the Internet, and our ability to defend against an attack.</p>
<p style="padding-left: 30px;">Mark Gibbs in Network World weighs in periodically on the risks that companies face: <a href="http://www.networkworld.com/columnists/2011/040411-backspin.html?">http://www.networkworld.com/columnists/2011/040411-backspin.html?</a></p>
<p style="padding-left: 30px;">In the New York Times, <a href="http://bits.blogs.nytimes.com/author/john-markoff/">John Markoff</a> and <a href="http://pogue.blogs.nytimes.com/">David Pogue</a> publish articles from time to time about theft and the loss of intellectual property.</p>
<p style="padding-left: 30px;">Other blogs that provide needed information are <a href="http://socialmediasecurity.com/">http://socialmediasecurity.com/</a>, which is <strong>THE</strong> source for information about Facebook privacy (among other subjects) and <a href="http://www.tradesecretsblog.info/">http://www.<strong>tradesecretsblog</strong>.info/</a> which tracks intellectual property losses.</p>
<p>My point is that despite observers and commentators bringing this issue to the fore, millions of dollars of real money are being stolen, valuable intellectual property is being compromised, and no-one seems to notice or care…except for the victims and their insurance companies. I say this because it is not only continuing, but the rate and amounts of each theft are increasing.</p>
<p>Most workers will not knowingly put themselves or their company at risk.  Roofers generally wear safety belts while on a roof, machinists wear eye goggles, air hammer operators wear ear protection, and yet users of the Internet are unaware of the risks and often disengage built-in safety protection.</p>
<p>How does this relate to Marketing?  As CMO you represent the face and voice of the company.  You should be optimizing social media use as part of your marketing mix.  You should be experimenting with new and emerging social media tools.  But in doing so, you should also be asking the vendors, implementers, your IT department and everyone else…is this safe?  What is the probability that this device/system/network will be compromised?  What would be the results if this mobile device was lost and fell into the wrong hands?</p>
<p>As I said in my last post, everyone is a target.  The bad guys will go after the easy, low hanging fruit, and then work up to attack the more difficult.  That they were able to get into <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat">RSA</a> illustrates the point.</p>
<p>In making decisions about deploying social media do you know what questions to ask about safety and security?  What will be your response, as the responsible person, when an event happens?</p>
<p>RHM  4/2/2011</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2011/04/04/the-lack-of-security-%e2%80%93-the-ugly-side-of-social-media/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Social Media and Risk</title>
		<link>http://firealarmmarketing.com/2011/03/24/social-media-and-risk/</link>
		<comments>http://firealarmmarketing.com/2011/03/24/social-media-and-risk/#comments</comments>
		<pubDate>Thu, 24 Mar 2011 13:29:55 +0000</pubDate>
		<dc:creator>Robert Mannal</dc:creator>
				<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Best Practices]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=3029</guid>
		<description><![CDATA[A discussion highlighting the emerging risks of using social media, with suggested questions a CMO might ask in order to mitigate the impact of an "event." ]]></description>
			<content:encoded><![CDATA[<p><img src="http://firealarmmarketing.com/wp-content/uploads/2011/03/Risk.jpg" alt="" /></p>
<p>Two recent social media blunders, one at <a href="http://www.box.net/shared/mq55xrgk96">Chrysler</a> and the other at <a href="http://www.nytimes.com/2011/03/16/business/media/16adco.html">Aflac,</a> combined with the serious hack disclosed last week of <a href="http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html">RSA</a>, caught my attention.  The social media blunders seem to be due to youth, inexperience and ignorance.  The RSA hack seems to be an example of a major league sophisticated attack.</p>
<p>What is going to happen to companies when the two forces, ignorance/inexperience and malicious sophistication combine in the social media sphere?</p>
<p>How does a company defend itself when a competitor steals credentials and posts a damaging comment on twitter or a Facebook page?  What protection does a company have regarding its Intellectual Property (IP) when an agency or an employee is compromised via a social engineering attack?  If someone can break into RSA, how hard do you think it would be for a competitor to get a copy of your promotional plans (or pricing, or customer list, or new product roll out, etc) and launch pre-emptive attacks?</p>
<p>That RSA was breached reinforces the concept that everyone is a target and the question is not “if” but rather “when.”  As the CMO you have to ask and get answers to the following questions:</p>
<ul>
<li>Do all employees and agencies understand the concept and reach of social media?</li>
<li>Have they been trained as to what is right and wrong?</li>
<li>Have they been trained regarding social engineering?</li>
<li>Are there consequences for failing to follow clear guidelines?  (In the Chrysler case the employee lost his job and the agency lost the account.)</li>
<li>Does IT have the necessary tools and equipment in place to monitor and/or catch failures?</li>
<li>Is there a response policy in place?  Has it been tested?</li>
<li>Etc.</li>
</ul>
<p>All public companies must adhere to the concept of risk mitigation as defined in the revised Sarbanes-Oxley law.  However, social media is moving too fast and the IT auditors are generally unaware that the emerging social media exposure can present a material risk to a company.  As the CMO it is your responsibility to bring this issue forward.  Failure to do so, along with not implementing mitigating procedures, carries the risk of significant SEC penalties.</p>
<p>Do you understand the risks?  Is your firm safe?  Do you know how to react when an event occurs?  If you would like a review of your policies, procedures and training, <a href="http://firealarmmarketing.com/contact/contact-us/">contact us</a></p>
<p>RHM  3/24/2011</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2011/03/24/social-media-and-risk/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is your Cloud (Computing) Secure?</title>
		<link>http://firealarmmarketing.com/2010/03/10/is-your-cloud-computing-secure/</link>
		<comments>http://firealarmmarketing.com/2010/03/10/is-your-cloud-computing-secure/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 12:56:27 +0000</pubDate>
		<dc:creator>lush</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Best Practices]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=2046</guid>
		<description><![CDATA[In my previous postings, I have talked about what cloud computing is, some pros and cons and a sample of vendors who claim they offer cloud computing. This posting will talk about one specific issue, namely security for the cloud.  This issue, unlike some of the other topics not only has generated more discussions but [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://firealarmmarketing.com/wp-content/uploads/2010/02/cloud.jpg"><img class="alignleft size-thumbnail wp-image-1929" title="cloud" src="http://firealarmmarketing.com/wp-content/uploads/2010/02/cloud-150x150.jpg" alt="" width="120" height="120" /></a>In my previous postings, I have talked about what cloud computing is, some pros and cons and a sample of vendors who claim they offer cloud computing. This posting will talk about one specific issue, namely security for the cloud.  This issue, unlike some of the other topics not only has generated more discussions but also can have a tremendous impact on your information and even your company’s goodwill.</p>
<p>In Forrester’s article titled “A Close Look At Cloud Computing Security”, Chenxi Wang, Ph.D., states: “While cloud computing is able to deliver many benefits, organizations should not jump on the &#8220;cloud&#8221; wagon without a compelling business driver and a clear understanding of the <strong>security, privacy, compliance, and legal </strong>consequences. An effective assessment strategy covering these items will help you reach the ultimate goal: Make the cloud service work like your own IT security department and find ways to secure and optimize your investments in the cloud.”</p>
<p>Forrester includes data protection, disaster recovery, and identity management as some of the areas under security and suggests an audit of the potential cloud provider to see what level of security is actually provided.</p>
<p>As for compliance, the user should analyze how the cloud may or may not impact one’s compliance requirements.</p>
<p>For legal and contractual issues, Forrester advises that one understands who owns/is responsible for what, between the user and the provider (the data, the infrastructure, etc.)</p>
<p>In another article, titled “Gartner: Seven Cloud-Computing Security Risks”, Network World’s Jon Brodkin talks about seven security risk areas.</p>
<p>1. Privileged user access, sensitive data processed outside the enterprise.</p>
<p>2. Regulatory compliance, how does the cloud provider match your guidelines?</p>
<p>3. Data location, where exactly is your data housed?</p>
<p>4. Data segregation, understand that your data is “sitting” next to other’s data.</p>
<p>5. Disaster Recovery, what happens when there is an outage?</p>
<p>6. Investigating inappropriate or illegal activity may be impossible in cloud computing.</p>
<p>7. Long-term viability, what happens if your provider “goes away”?</p>
<p>Another article in Network World, reporting on the RSA conference, stated that the former technical director of NSA, Brian Snow, is very concerned about vendors offering cloud computing from a security point of view. He is concerned about vendors not addressing current security issues and about new issues that cloud computing will create.  Ironically another panelist was concerned about “Big Brother” listening in on cloud computing and how this might impact enterprises’ privacy and compliance issues.</p>
<p>So to wrap up, the internet has security issues, and since cloud computing is in the internet, cloud computing will have those security issues, the ones listed above, and ones yet to be discovered. It comes down to the risk profile for your corporation; what level of risk is right for your company relative to investing in cloud computing? Obviously part of the risk assessment depends on your type of company.  If you are a financial advisor or in stock management where your intellectual property is basically the company then cloud computing as we currently know it is not right for you at any cost savings. If you resell ping-pong balls (no offense to ping-pong ball resellers) then the risk is relatively low and the savings from cloud computing outweigh the security and other considerations.</p>
<p>Have you conducted an adequate risk assessment before deciding to move to cloud computing?</p>
<p>RHL 03/10/10</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2010/03/10/is-your-cloud-computing-secure/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Basics about Cloud Computing</title>
		<link>http://firealarmmarketing.com/2010/02/09/the-basics-about-cloud-computing/</link>
		<comments>http://firealarmmarketing.com/2010/02/09/the-basics-about-cloud-computing/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 21:38:18 +0000</pubDate>
		<dc:creator>lush</dc:creator>
				<category><![CDATA[Business Development]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[IT infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=1930</guid>
		<description><![CDATA[I was recently asked by a business owner if he should move into the “cloud”.  After a lengthy discussion, I realized even though this is a current topic and there are many articles about cloud computing, it still seems to be confusing for many.  So for those who are wondering if cloud computing is for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://firealarmmarketing.com/wp-content/uploads/2010/02/cloud.jpg"><img class="alignleft size-medium wp-image-1929" title="cloud" src="http://firealarmmarketing.com/wp-content/uploads/2010/02/cloud-300x196.jpg" alt="" width="180" height="118" /></a>I was recently asked by a business owner if he should move into the “cloud”.  After a lengthy discussion, I realized even though this is a current topic and there are many articles about cloud computing, it still seems to be confusing for many.  So for those who are wondering if cloud computing is for them, the following is what I will call Cloud Computing 101.</p>
<p>What is cloud computing? Well, right off, there are various and numerous definitions. In the same breath you will hear about hosted solutions, managed solutions, virtualization, Internet Service Providers (ISP), Software as a Service (SaaS), grid computing, utility computing, security, and platforms, just to name a few.  We will discuss all of these and more in later postings, but first what is most important is seeing if cloud computing is right for you. So in the spirit of simplicity, here are definitions for cloud computing.</p>
<p>First a definition from Wikipedia:  </p>
<p><strong>Cloud computing</strong> is Internet- (&#8220;cloud-&#8221;) based development and use of computer technology (&#8220;computing&#8221;). In concept, it is a paradigm shift whereby details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure &#8220;in the cloud&#8221; that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.</p>
<p>Whoa that was clear!  Try this one:</p>
<p>Cloud computing consists of shared computing resources that are virtualized and accessed as a service, through an API.<sup>1  </sup></p>
<p><sup> </sup>If it is still not clear, try this analogy: if you have a home and do your own lawn care, then you might own the following pieces of equipment: a rake, shovels, a hoe, hoses, a lawn mower, a fertilizer spreader, an edger, a leaf blower, seed, fertilizer and a variety of other tools. Instead of owning all this equipment and taking up the time to maintain your lawn, you can hire someone to do this and therefore pay a fee per application usage, letting the lawn care company provide all the equipment, materials and work. The benefit to you is no cost for all the equipment; they come when you want them and you only pay if the service is performed to your satisfaction. You can spend that saved time golfing or just reading a few novels.  Now the equivalent for an IT enterprise is that it must have servers, cables, infrastructure, routers, switches, a data center, massive power supplies, and software applications to support the various lines of business.  Cloud computing is like the lawn care company; all the hardware (except for some form of a terminal), applications and services are in the internet cloud.</p>
<p>Again, the benefits of cloud computing to the enterprise are scalability, instant access and cost savings.  A little more about the proposed benefits:  Scalability: in the current environment, as your business grows and more people use your systems, you will need to add more servers, more connections to support the additional traffic and more infrastructure. This impacts your costs, and eventually there is a limit to the amount of scaling you can actually achieve.  With cloud computing you not only can scale, but you only pay for what you are actually using.</p>
<p>Instant access: again, in the current environment, applications might not be available, might be limited in the number of users they can support, or might not even exist. With cloud computing you can have access to applications you currently use and even new applications.</p>
<p>Costs: your capital expenditures decrease considerably and you are paying on a usage basis, thus maximizing your returns. For small businesses the barrier to entry is greatly reduced, and thus one can compete with larger enterprises by using the same applications.</p>
<p>Now, like anything in life, there are pros and cons.  Cloud computing might not be good for every enterprise. One example: a small or medium enterprise that has an efficient infrastructure might find that cloud computing could be more expensive than the current mode of operation. Another consideration is your installed quality of communication versus the quality of communication services or service level agreement (SLA) that is provided by the cloud provider. Another issue to consider is what type of security and maintenance is being provided by the “cloud”.</p>
<p>Like I have said many times before, first make sure you have a strategy and see if cloud computing supports the strategy.  Key factors in determining if cloud computing is right for you are:  the need for scalability, access to applications, availability of skilled IT resources, security, service level agreements, economics, reliability, and maintenance.</p>
<p>But at the end of the day the real issue is cost: is your cost to run your IT for today and tomorrow less than the potential cost of using the “cloud”?</p>
<p>Next time we will go into the next level of discussion regarding cloud computing.</p>
<p>RHL 2/9/10</p>
<ol>
<li>www.appistry.com</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2010/02/09/the-basics-about-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Marketing and Privacy</title>
		<link>http://firealarmmarketing.com/2009/11/17/marketing-and-privacy/</link>
		<comments>http://firealarmmarketing.com/2009/11/17/marketing-and-privacy/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 20:08:10 +0000</pubDate>
		<dc:creator>Robert Mannal</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://firealarmmarketing.com/?p=1685</guid>
		<description><![CDATA[A posting illustrating the risks of data leakage of information that is obtained and controlled by the CMO.]]></description>
			<content:encoded><![CDATA[<p>Hubspot has coined the words “Inbound Marketing” to describe the power shift from the vendor to the buyer.  Today a buyer uses the Internet to obtain detailed information about products and sellers, and then uses that information to make a purchase decision…when he is ready to buy.</p>
<p>In obtaining this information, the buyer readily gives up some information about himself.  At a minimum, his/her name and email addresses; more detailed information about his/her company, buying intentions and other demographic data if he/she wants a particular white paper or is promised a discount or savings.</p>
<p>This information flows into the Marketing department and usually into an automated Customer Relationship Management (CRM) tool, often under the control of the CMO but maintained by the IT department.</p>
<p>The video below, produced by the ACLU a few years ago, is a tongue-in-cheek representation of what might happen if this information becomes freely available.  However, with data mining tools and loose security it is not too far-fetched.</p>
<p><a href="http://www.youtube.com/watch?v=RNJl9EEcsoE">Ordering Pizza in the Future</a></p>
<p>It is important to note that the EU has an entirely different view of data privacy than the US.  If you work within a multi-national and/or are collecting information about people from outside the US, you need to take added steps to secure this information.</p>
<p>As CMO, are you comfortable that your customer information is secure and cannot slip out of your company?  If not, do you know what steps to take to make it secure?</p>
<p>RHM</p>
<p>11/19/2009</p>
]]></content:encoded>
			<wfw:commentRss>http://firealarmmarketing.com/2009/11/17/marketing-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

