One of the main topics for discussion at last week’s OTA Forum in Washington D.C. was the rash of security breaches targeting ESPs over the past year. We heard a lot, from concerned brands and service providers on the nature of the threats and the measures they can take, to representatives of government on breach reporting and other regulatory remedies. I’m sure this will be a major topic of discussion at MAAWG this week in Paris as well.
Some industry organizations, such as the OTA and ESPC, have issued best practice guidelines to help enterprises and ESPs better protect their systems and data assets. And ESPs have begun to put competitive differences aside in comparing notes on common threats and challenges. Notable too is the consumer education initiative, “Why Your Browser Matters,” launched last month by the major browser providers (Google, Microsoft, Mozilla and Opera) and supported by various industry groups and major brands.
Yet, despite these positive indicators, I believe any casual observer of our industry would conclude that our response to this ‘clear and present danger’ has been uneven, fragmented at best. There’s been much alarmist talk, hand wringing and chest thumping, but little definitive action. As marketers, we persist in the belief that security is someone else’s problem and seem content to bury our heads in the sand, hoping against hope that the bad guys will pass us by.
To me, this is lunacy. When you examine the nature of the threat posed by spear phishing and its ramifications for our trust relationships, I think you’ll conclude as I have that this is a survival issue for our discipline and medium, regardless of where we fit in the ecosystem. Marketers must become the biggest proponents of security and its most vocal champions.
And this brings me to the point of this post. Ever since the Epsilon breach earlier this year, there’s been much lively discussion within the marketing community on the best way forward to more secure messaging. My friend Dela Quist from Alchemy Worx has proposed a tsunami warning system or a ‘threat clearinghouse’ through which all members of the community would openly share news of breaches or suspected malicious activity. While such a system is definitely needed, realistically I’m not convinced the infrastructure is in place to quickly get a functioning system into place.
What I do think we can do in the near term, however, is to raise awareness in the industry, help it shake off the collective complacency and rally it to action. Because the reality is that the bad guys won’t pass us by if we’ve got the data they want or can provide access to someone who does. These guys are smart; they know how the email and online marketing ecosystems work. Heck, they’re using our own tactics against us. They prosper at our expense and thrive on our inaction and fragmented response.
Toward this end, Message Systems has just issued a new white paper on how enterprises and ESPs can safeguard their message streams from a technology standpoint. We know that security isn’t just a technology issue, but believe that the ‘right’ messaging technology framework is required to make best use of the guidelines issued by the OTA, ESPC and others. What we’ve tried to do in this paper is repurpose what we’ve learned in helping ISPs and carriers counter similar threats to the challenges now facing enterprises and ESPs. Our motivation is to spark industry dialogue on how to best respond to the threat we collectively face.
So I’d encourage you to read the white paper: Safeguarding Message Streams for Enterprises and Email Service Providers. And let’s keep the discussion going. We’d love to hear from you in the comments. Where do you think we need to go from here? We can’t change the reality of 2011 being the ‘Year of the Breach.’ But what we can do is make 2012 the ‘Year of Safe & Secure Messaging.’