Risk vs. Reward of ESPs

Since the end of March, the biggest buzz among email service providers and their clients has been the Epsilon security breach. There has been plenty written about it by people far closer to it than I, but there is an aspect to this from an ESP customer standpoint that I have not seen discussed.

Loss of data through email service providers is just a single facet of what is going on. In today’s world, consumers expect to be able to access and update their profiles online, in real time. They expect to be able to shop, track shipments, book flights, hotels, and car rentals, perform bank transactions, and receive real-time email notifications for it all.

These activities require web-based interfaces to backend databases containing personal information. In addition, the integration of different vendors and systems requires the implementation of web-services’ APIs. Think of these as web interfaces for computers to speak to each other directly.

When I started working in the IT sector at the end of the 1980s, attitudes to data security were enormously different to today. At that time, no enterprise would even consider making their house database accessible over a public network. The mere suggestion of it would have been seen as a serious error of judgment. It was well-understood that the only truly secure computer system was one that had been switched off and placed in a safe and that convenience and security are antagonists.

In part, this may have been because I was working in the United Kingdom for a phone company that still remembered being part of the government, but I also believe attitudes have changed. Twenty years, and the growth of the commercial Internet, have had a profound impact on customer expectations, which in turn have impacted how companies do business.

Real-time integration requires real-time access to data. Private networks, or even virtual private networks (VPNs), are too cumbersome, time-consuming, and costly to set up for all these integration points, and so the public Internet (the cloud) is used. This makes some amazing functionality possible, but it also involves removing some longstanding safeguards for personal data.

The result is that the amount of data that is accessible over the Internet has been rising year-on-year. Almost every request for proposal (RFP) that I see today includes not only web-based access to personal data but also API-based access. The requirement to be able to retrieve and update subscriber lists, demographic, preference, and behavioral data at the click of a mouse is commonplace.

So what’s the point of this history lesson? An email marketer that chooses to use an ESP is a consumer of cloud-based services. Such services have substantial business benefit. The ability to utilize incredibly powerful systems and software through a highly cost-effective service model is enormously valuable. However, such services also come with some security risks.

I am not providing a checklist of things to do or steps to take to protect your data. Understanding your security risk is far more complex and far too important to leave to a brief checklist in an online article.

What I do want to make clear though is that the question is not limited to whether your service provider has good security. Security has to be end-to-end. Your own systems are an important link in the chain and the requirements you place on your providers can substantially impact your overall exposure.

Though we often focus on system security, attacks are made against people as much as against systems. That’s both your provider’s people and your own. Unfortunately, people can be gullible, forgetful, fallible, and deceitful. Even the best can be caught out.

While this is perhaps the largest and certainly the most public breach yet, it is not the first and will be far from the last. For as long as there have been things of value there have been people trying to steal them. The result is that there is, and will always be, risk. The key is to understand what level of risk you’re taking for what business benefit and to decide if that risk/benefit calculation is right for your organization. If it isn’t, you may need to make changes not just to providers and systems, but to the business processes driving them.
