Epsilon, ESPs, the Cloud and You
While the IT industry is in many ways moving toward an outsourced model, with the widespread adoption of the cloud and XaaS, marketing has been moving in a similar direction as well. And while PR agencies have been around for quite some time and it has long been normal to look to outside agencies for help with creatives, over the past several years a new kind of service provider, the Email Service Provider, or ESP, has emerged from the shadows. Not to be mistaken for cloud-based email security services, ESPs are in the business of sending mass email (typically opt-in), not blocking it. Unfortunately, for many, their first exposure to these companies (outside of an inbox full of enticing offers) has been via news around data breaches, first in 2010 with Silverpop and now with Epsilon.
Epsilon, based in Irving, Texas, claims 2500 customers, 2200 associates and 25 offices across the world, sending over 40 billion email messages a year. While relatively unknown outside of certain circles, clearly Epsilon is a mover and a shaker with wide reach and impact.
How wide? Many in the office here are claiming that they have already gotten mail from various companies, in some cases multiple companies, telling them of the breach. Email databases from more than 50 organizations have been compromised. For those wanting to drill down, cauce.org claims to have lists, which are available here.
Silverpop, while a much smaller ESP than Epsilon, with about 100 customers, had big names like a major fast food chain and popular automobile manufacturers, with about 5 million end users from the car folks alone being impacted. Smaller, but still a big deal.
So, where is this taking us?
It isn’t entirely clear. So far we have not seen an increase in spear phishing attacks. If and when we later see an uptick in spear phishing, it may or may not have anything to do with Epsilon. However, with the events at RSA, as well as the recent $8 million Moby Dick of spear phishing at Conde Nast, it is clear that covering the basics here is a win, both with technology and user education. DLP is another area organizations will want to explore in light of these events.
In a more general sense, trust is a fundamental concern. Each of those 50 firms impacted by Epsilon will have to email their entire database of names and tell everyone how their third-party mail service got hacked and how their email address (and possibly more information as well) was compromised. They are all going to take a hit and it isn’t going to be pretty. I feel for the guy working at a bank who has to explain that, even though they were unable to keep your email address safe, you should not worry about the money. I am glad I am not the guy who has to explain to customers that although their email info was breached, they should still trust me with their credit card info.
This opens up a bigger question about trust. When a customer shares data, such as an email address, with a company, they usually do so because they trust the company. Indeed, when a person does business with a company, they usually do so because they trust that company.
With outsourcing, the customer is placed in the often unwitting (and involuntary) position of having to trust a company that they have never heard of. Sure, they knew and trusted the companies in question, but in most cases they are unlikely to have heard of Epsilon or to have made any decision about trusting them. The primary contact made that choice for the customer and probably had some mention of “third parties” in a terms and conditions click-through. The end user, or end customer, however, did not make that choice.
Which brings us to the cloud, or perhaps The Cloud. Sure, you may be happy dealing with your vendor, who you like, but do you trust their cloud-based CRM service to keep you safe? Do you trust your vendor’s vendors? CRM, ERP and other systems are moving more and more to XaaS, cloud and outsourced models. In a recent Twitter conversation on the topic of cloud services, someone threw out the idea that when you talk to some vendors about cloud services, it’s “turtles all the way down.” Except it isn’t. Eventually you run out of turtles and clouds. Eventually you have servers in a datacenter, and the servers belong to someone, and the data center belongs to someone, and someone provides the infrastructure and security that keeps it all running.
Some things to consider:
- Have you already alerted all of your employees to be on the alert for phishing attempts trying to get them to change their passwords via links in email?
- Have you taken this opportunity to revisit password security with your employees?
- When talking to “cloud” vendors, don’t assume that the cloud works on some sort of black-box magic. Drill down and find out about their data center(s) and what is being done to both secure and back up your data.
- When using cloud or XaaS services, consider periodic backups of your data on some sort of physical media that you control.
- A chain is only as strong as its weakest link – ask questions about what your vendors and outsourcing suppliers are doing.
- Everyone fails at some point, but watch carefully how failure is handled. Is it handled with transparent humility and a detailed explanation of how failure will be avoided in the future, or does the vendor try to cover up or sweep things under the rug? A vendor who shoots straight with you and makes credible promises to improve may be worth sticking with. One who tries to tell you that everything is OK when it very obviously isn’t may not be.