Have you heard of Epsilon, the marketing firm? Well, if you haven’t, you can probably expect to hear about them soon. One of the many services Epsilon offers is the management of email services for many large corporations. Personally, I didn’t know much about Epsilon until I started getting emails from firms as diverse as Best Buy and McKinsey. Apparently, these firms (and many others) use Epsilon’s email services; during the last week, there was a security breach at Epsilon, which exposed client data. All the emails, and the articles I’ve read, agree that the breach did not reveal any “secure” data, just your email address (together, of course, with the fact that you do business with the firm that sent the notice, which is exactly the pairing a phisher wants). No reason for panic, but can we learn anything from this incident that will help us deal with the coming wave of Cloud based services?
Wait… YOU! That’s right, YOU… way in the back! Did I see an inappropriate grin, a smirk, a certain air of superiority? OK, it is hard to pass up pointing at Epsilon and saying, “I told you so!” You let an outside group run some part of a service, and there you go… security breach. Your firm’s name in the papers, which is the start of every nightmare you’ve ever discussed with legal, compliance, corporate security, etc. Even though this one does seem to be genuinely harmless, you might get some calls from a client, or clients might be curious about other services that have access to your data. Providing some access to your data is a big part of working in the Cloud. It may still be your data, but it will not (always) be on your servers and in your facilities. Since each service probably only gets to see a small sliver of your data, your exposure is (probably) smaller than if you had a breach of your own. On the other hand, because these services concentrate client information from many large firms in one place, each exposure will impact a lot of firms. Furthermore, these services may have contractual agreements… if not with you, then with other clients… about when (and how) they will provide information on a breach, including how they contact the press.
This is where it gets interesting. If you contract with an external electronic service (call it the Cloud or call it something else), then you will probably demand a formal escalation process and a review/audit of their systems to know whether: each type of breach has been properly defined, the vendor becomes aware of each breach (and how), the vendor can determine when and if their network is probed or attacked, etc. If you still perform the same service internally, or back when you did, did you have this sort of formal process to identify, escalate and report a security breach? Unless you belong to your IT department’s email group, would you know about every possible email breach? To take a related example, your IT department probably informs you when there is a wide area outage of their systems… because of a virus, a downed server, or a failed piece of networking equipment. But you wouldn’t get a call if just one PC, somewhere in your firm, crashes. Probably not if two crashed. However, if 500 PCs crashed at exactly the same moment, you would probably hear about it. What is the threshold, for each type of outage, at which you are informed? Alternatively, consider when a presentation center, a corporate library, or a single secretary sends a very important document to the wrong fax, email or other address. Does your firm track how often this happens, and has everyone been trained how to respond?
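The “one PC versus 500 PCs at the same moment” question is, underneath, a per-event-type threshold over a time window, and it is worth writing down rather than leaving it as a rule of thumb. The script below is an added illustration, not something from the original post or from Epsilon; the event types, the threshold numbers and the sample events are all constructed for the example and are not anyone’s actual policy.

```python
"""Threshold-based escalation: decide which bursts of events deserve a call.

Added example (not from the original post). The thresholds, event types and
sample events are constructed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy: (how many events, within what window) before someone
# outside the IT group is told. A misdirected document is always reported;
# one crashed PC is noise, fifty in five minutes is an incident.
THRESHOLDS = {
    "pc_crash": (50, timedelta(minutes=5)),
    "misdirected_email": (1, timedelta(days=1)),
    "wan_outage": (1, timedelta(hours=1)),
}


def events_to_escalate(events, thresholds=THRESHOLDS):
    """Return [(event_type, timestamp, count_in_window)] for each burst that
    crosses its type's threshold. Fires once per burst: the alert is raised
    when the count first reaches the limit and re-arms only after the
    sliding window has drained back below it.

    events: iterable of (timestamp: datetime, event_type: str, source: str),
    in any order. Types with no threshold are ignored.
    """
    windows = defaultdict(deque)   # event_type -> timestamps inside window
    active = defaultdict(bool)     # event_type -> alert already raised for this burst
    alerts = []
    for ts, etype, _source in sorted(events):
        if etype not in thresholds:
            continue
        limit, window = thresholds[etype]
        q = windows[etype]
        q.append(ts)
        while q and ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= limit and not active[etype]:
            alerts.append((etype, ts, len(q)))
            active[etype] = True
        elif len(q) < limit:
            active[etype] = False
    return alerts


# Constructed sample: two isolated crashes hours apart, one misdirected
# document, then 60 crashes in two minutes the following morning.
BASE = datetime(2011, 4, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    (BASE, "pc_crash", "pc-0017"),
    (BASE + timedelta(hours=3), "pc_crash", "pc-0412"),
    (BASE + timedelta(hours=5), "misdirected_email", "library-desk"),
]
SAMPLE_EVENTS += [
    (BASE + timedelta(days=1, seconds=2 * i), "pc_crash", f"pc-{i:04d}")
    for i in range(60)
]


def summarize(alerts):
    """Human-readable lines, one per escalation."""
    return [f"{ts.isoformat()} {etype}: {count} event(s) in window, escalate"
            for etype, ts, count in alerts]


if __name__ == "__main__":
    for line in summarize(events_to_escalate(SAMPLE_EVENTS)):
        print(line)
```

Running it produces exactly two escalations: the single misdirected document (threshold of one) and one alert for the crash burst, raised at the fiftieth crash rather than once per PC. The two isolated crashes never reach anyone, which is the point of the exercise: the threshold table is the policy, and it is the thing to ask a Cloud vendor to show you.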
This can be tricky. We can expect more and more of these breaches as big firms migrate further into the Cloud, but it’s hard to say what that means. It may be that more breaches are being reported, rather than more breaches actually happening. The Epsilon breach, however benign, is a good wake-up call to think about how your firm currently defines and reports breaches… and what sort of policies you would want to see if you used a Cloud service. That’s something to think about, and it’s my Niccolls worth for today!