Using an ESP has many benefits, such as the ability to utilize incredibly powerful systems and software. But such services also come with some security risks.
Since the end of March, the biggest buzz among email service providers and their clients has been the Epsilon security breach. There has been plenty written about it by people far closer to it than I, but there is an aspect to this from an ESP customer standpoint that I have not seen discussed.
Loss of data through email service providers is just a single facet of what is going on. In today's world, consumers expect to be able to access and update their profiles online, in real time. They expect to be able to shop, track shipments, book flights, hotels, and car rental, perform bank transactions, and receive real-time email notifications for it all.
These activities require web-based interfaces to backend databases containing personal information. In addition, the integration of different vendors and systems requires the implementation of web-services' APIs. Think of these as web interfaces for computers to speak to each other directly.
When I started working in the IT sector at the end of the 1980s, attitudes to data security were enormously different to today. At that time, no enterprise would even consider making their house database accessible over a public network. The mere suggestion of it would have been seen as a serious error of judgment. It was well-understood that the only truly secure computer system was one that had been switched off and placed in a safe and that convenience and security are antagonists.
In part, this may have been because I was working in the United Kingdom for a phone company that still remembered being part of the government, but I also believe attitudes have changed. Twenty years, and the growth of the commercial Internet has had a profound impact on customer expectations, which in turn have impacted how companies do business.
Real-time integration requires real-time access to data. Private networks, or even virtual private networks (VPNs), are too cumbersome, time-consuming, and costly to set up for all these integration points, and so the public Internet (the cloud) is used. This makes some amazing functionality possible, but it also involves removing some longstanding safeguards for personal data.
The result is that the amount of data that is accessible over the Internet has been rising year-on-year. Almost every request for proposal (RFP) that I see today includes not only web-based access to personal data but also API-based access. The requirement to be able to retrieve and update subscriber lists, demographic, preference, and behavioral data at the click of a mouse is commonplace.
So what's the point of this history lesson? An email marketer that chooses to use an ESP is a consumer of cloud-based services. Such services have substantial business benefit. The ability to utilize incredibly powerful systems and software though a highly cost-effective service model is enormously valuable. However, such services also come with some security risks.
I am not providing a checklist of things to do or steps to take to protect your data. Understanding your security risk is far more complex and far too important to leave to a brief checklist in an online article.
What I do want to make clear though is that the question is not limited to whether your service provider has good security. Security has to be end-to-end. Your own systems are an important link in the chain and the requirements you place on your providers can substantially impact your overall exposure.
Though we often focus on system security, attacks are made against people as much as against systems. That's both your provider's people and your own. Unfortunately, people can be gullible, forgetful, fallible, and deceitful. Even the best can be caught out.
While this is perhaps the largest and certainly the most public breach yet, it is not the first and will be far from the last. For as long as there have been things of value there have been people trying to steal them. The result is that there is, and will always be, risk. The key is to understand what level of risk you're taking for what business benefit and to decide if that risk/benefit calculation is right for your organization. If it isn't, you may need to make changes not just to providers and systems, but to the business processes driving them.
Learn Digital Marketing Insights From Leading Brands!
ClickZ Live Chicago (Nov 3-6) will deliver over 50 sessions across 4 days and 10 individual tracks, including Data-Driven Marketing, Social, Mobile, Display, Search and Email. Check out the full agenda, or register and attend one of the best ClickZ events yet!
Derek Harding is the CEO and founder of Innovyx Inc., a member of the Omnicom Group and the first e-mail service provider to be wholly owned by a full-service marketing agency. A British expatriate living in Seattle, WA, Derek is a technologist by background who has been working in online marketing on both sides of the Atlantic for the last 10 years.
Hong Kong, October 21-22
London, November 13-14
San Francisco, November 13-14
London, November 18-19
IBM Social Analytics: The Science Behind Social Media Marketing
80% of internet users say they prefer to connect with brands via Facebook. 65% of social media users say they use it to learn more about brands, products and services. Learn about how to find more about customers' attitudes, preferences and buying habits from what they say on social media channels.
An Introduction to Marketing Attribution: Selecting the Right Model for Search, Display & Social Advertising
If you're considering implementing a marketing attribution model to measure and optimize your programs, this paper is a great introduction. It also includes real-life tips from marketers who have successfully implemented attribution in their organizations.
October 23, 2014
1:00pm ET/10:00am PT