Outsourcing email: Do the benefits outweigh the risks?

Outsourcing email: Do the benefits outweigh the risks?

Summary: Sure it's easier to outsource your email marketing to a third-party company. But is it really worth the risk?

SHARE:

On March 30, the email marketing company Epsilon was hacked. It's too soon to tell how widespread the exposure is. Right now, Epsilon has said that the customer lists of a number of major brands have been compromised.

Epsilon claims that no personal information other than names and email addresses were revealed. Being a naturally suspicious person, I think I would rather wait for the other shoe to drop before breathing a sigh of relief--as well as keeping an eye out for targeted phishing scams.

I just received an email from Tivo:

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

Sincerely, The TiVo Team

I think it's great that the companies whose marketing lists were hit notified their customers. However, this is April 2, and the intrusion at Epsilon happened 3 days ago. In internet time, that's pretty much a lifetime. Stolen information could have circled the globe a dozen times by that point. Epsilon themselves took 2 days to put out the press release; perhaps they notified the customers earlier, but it's a moot point.

This situation points out a glaring fault in the outsourcing of your email marketing to a third party company. Putting aside for a moment that there are plenty of email marketing firms out there that don't play nice or by the rules (i.e., spammers), there's also the issue of corporate security and responsibility.

When something like this happens, people usually get fired. But if your company outsources the email to a third-party, does your company make someone internally a scapegoat and fire them, even though the intrusion didn't happen on your own network? Do you take it out on the people that chose to outsource? Or on the ones responsible for choosing that specific email provider.

Obviously, after a situation like this heads do roll. And quite often it's through no fault of your internal employees or the external marketing company. Sometimes you just can't stop a dedicated, persistent hacker.

If the marketing company did their due diligence and secured their network as well as possible, you can't blame them--unless, of course, your contract with them states that they owe you damages if they are unable to keep your information secure.

If you don't want to hear excused about shifted blame, take the responsibility for your own data and host the email within your company. It's not that hard to host your own mailing lists. And it doesn't take as many resources as you might think. Applications like ListServ and Majordomo have been around for years and can handle millions of messages per day.

Maybe it's time for big companies with large IT departments to rethink outsourcing some of their critical customer data and bring it back in house. At least then if you get compromised you can blame yourself, instead of worrying about your data being handled by strangers.

Topics: Enterprise Software, CXO, Collaboration, Data Centers, Legal, Outsourcing, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

45 comments
Log in or register to join the discussion
  • So the answer is No, then?

    I'd go along with that. In the Epsilon case, they have claimed that no actual email messages were taken. How would they know, and how plausible is that? I don't believe it.
    The real question email users should ask themselves is: "How would I like all of my emails to be made public", because that is what the risk is.
    peter_erskine@...
    • "How plausible is that?"

      @peter_erskine@...

      How plausible is it that an e-mail marketing company, which is the kind of company that sends out e-mail marketing campaigns for customers, not the kind of company that hosts e-mail services for customers, didn't expose any hosted e-mail? It's 100% plausible.

      The nonsense behind this post is clear, right from the cheesy pirate graphic. "The cloud is not secure" is the battle cry of desperate IT people trying scare tactics instead of adding real value to their companies. The truth is most private e-mail systems are not any more secure.

      This kind of diatribe is like the outraged parent who wants to ban "dangerous" children's toys, yet drives their kid around in a car where the kid is probably 10,000 times more likely to get injured.

      I wish tech bloggers would write long scathing blog posts every time a private e-mail system is hacked somewhere in the world, and warn of the dangers of privately-hosted e-mail. They would probably never have room for any other kinds of posts.
      RationalGuy
      • You're an expert on web security then?

        @RationalGuy

        The web IS NOT and never has been secure. When multiple companies start putting all their eggs in the same basket they paint a big target on that basket.

        When companies host their own email they reduce the target size. If Tivo and Walmart and a hundred other companies host with Acme Email and Acme Email is hacked, then *every* company was hacked.

        If they don't, and Tivo gets hacked the other 100+ companies *are not*.

        This is security 101 RationalGuy. Security is a multi-layer process, and redundancy (defense in layers) is the only way.

        Keeping targets scattered so one shot can't take them out is basic security doctrine. So is having multiple layers of security.

        The web is not secure. It never can be. Especially when you gather all your targets in one place...
        wolf_z
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @wolf_z
        <i>The web IS NOT and never has been secure.</i>
        Neither is the "private" side of your corporate firewall. But your security "expert" likes to pretend that it is.

        <i>When companies host their own email they reduce the target size. If Tivo and Walmart and a hundred other companies host with Acme Email and Acme Email is hacked, then *every* company was hacked.</i>
        This, of course, is true only if your cloud service provider is incredibly stupid. If you sign up for hosted e-mail and you don't have written assurances that your cloud-hosted systems aren't physically and logically separated from the other customers' systems, without common root access, then you are simply bad at your job. If your due diligence begins and ends with the "Compare Our Plans" table on the service provider's website, you deserve what you get.

        These ideas are all implicit in your statements, and they are all nonsense:
        - All private networks are risk-free.
        - All cloud service networks are fraught with unimaginable risk.
        - A compromise of any part of a cloud service instantly means that the entirety of the cloud has been compromised.
        - The network that "I" control is more secure than the network "they" control.
        - Implementing any security tactic is always better than not implementing it, regardless of overall security strategy.
        RationalGuy
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @RationalGuy ... The "cloud" is meaningless as the only thing it designates is a server/s in one location. That's not new and it's not any different than they have ever been w/r to security or reliability. It's a moronic hype name to try to talk people into centralizing their data all in once place, and out of the hands of the owners.
        tom@...
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @tom@...

        Cloud services typically involve virtualized hardware with the ability to dynamically assign computing power to a cluster in response to demand, as well as geographically diverse infrastructures with synchronized data for business continuance and performance.

        It's actually about de-centralizing data physically, while centralizing it logically in the cloud.
        RationalGuy
      • You all missed the boat... Including you Scott...

        Would you subscribe to a phone service if you knew the employees of your phone company would be listening to every call you made?

        Email is obviously a form of communication, and for business, it generally contains some very sensitive information that you do not want anyone (especially your competitors) looking at.

        As a former employee of a mail provider, I can tell you that almost all the employees read the customers private emails (personal experience and war stories with friends who worked for other providers). And the good ones (emails) get passed around the office.

        Needless to say, I would never outdource my email, not for all the tea in China. I don't understand why anyone would (let alone a company) if you rely on secure and confidential communication, not just from hackers, but from the prying eyes of strangers.

        This is a no brainer and is why the "cloud" fails. If people are going to have access to your level 1 data, then you are better protected if they work for you. If you let another company have access to that data, then you have no clue as to who is looking at it, when they are looking at it, what they can do with it, and who they can sell it to. The cloud fails, miserably.
        i8thecat
    • RE: Outsourcing email: Do the benefits outweigh the risks?

      @peter_erskine@... You are absolutely correct: E-mail is NOT private! Go to Google and look for your emaiil address; you could be pretty surprised. <br> Anytime you pass data through as many as 30 nodes/machines, that's 30+opportunities to grab it if they're sniffing for you by keywords, etc.. If you're not using good encryption, then it's pretty easy to get at your mails anywhere along the route including the first & last servers. <br> Anyone using e-mail for confidential or higher data transmission/discussions is asking for trouble eventually. <br> E-mails aren't even transitory as some pages on websites are: They're sent or posted and then they live most likely in each servers archive for a long, long time, even thru server changeouts. <br> Never use media that passes thru the public domain, being web site or e-mail. And especially never put an email address in the clear in a mail.<br> Encryption can help, depending on how determined the perp is. And no, ROT-13 is NOT encryption.
      tom@...
  • Avoid risk at all costs

    If you fire everybody in your place who ever makes a mistake, you will soon have a company in which no one ever tries anything new. Your company will also be condemned to repeating the same mistakes, since everyone who could have learned from them was fired.
    Robert Hahn
    • RE: Outsourcing email: Do the benefits outweigh the risks?

      @Robert Hahn It is, however, an unfortunate aspect of the disposable workforce that has developed in this country. For a situation like this, the IT person in charge of setting up the outsourced email service would get the ax, while the executive that made the decision to outsource because he read about it in a trade magazine will get a fat bonus.
      Scott Raymond
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @Scott Raymond <br>This is way you should outsourced it yourself without telling your boss. Spend the the saved money on developing new skill for yourself and be glad you dont have to manage that dam email server.
        Past_Prime_Nerd
    • RE: Outsourcing email: Do the benefits outweigh the risks?

      @Robert Hahn
      Or workers will stop reporting mistakes. Most managers will never know if you've been hacked if you don't tell them.
      Past_Prime_Nerd
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @Past_Prime_Nerd Most managers don't ever want to hear bad news, so not telling them is the surest path to career advancement. By the time the bad news becomes all too painfully obvious to the pointy-haired boss, you'll be out of there, and he won't remember you were ever there, so he'll just fire whoever is standing nearest the problem at the time he hears of it. Like maybe the poor slob who actually told him the bad news to begin with. Typical Corporate American Management at its finest!
        thetwonkey
    • Yes! Mistakes are part of the IT training budget

      @Robert Hahn These kinds of critical mistakes are the most costly, yet effective, form of IT training available. You certainly want to avoid them. But if you incur the cost, who do you want to gain the benefits? Your own company or the next one that the person who made the mistake lands at?
      RationalGuy
    • RE: Outsourcing email: Do the benefits outweigh the risks?

      @Robert Hahn

      This is not really as bad as you make it. You would not lack for innovation if you terminate every employee that makes a mistake... You would lack for employees.....
      Freddy McGriff
  • Dont get it...

    Out sourcing email and services (and the risk) comes with the territory. It's about focusing on things that are most important to the business. Employing IT people instead of outsourcing can be wasteful.
    jessiethe3rd
    • RE: Outsourcing email: Do the benefits outweigh the risks?

      @jessiethe3rd

      And how wasteful will the lawsuits be? Or the damage to the company's reputation? Or the secrets stolen?

      What if this hadn't been marketing? What if this had been an Enterprise-grade version of Gmail? It would have made the HBGary hack a world wide phenomenon.

      Sounds pretty wasteful to me! IT is not wasteful...
      wolf_z
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @wolf_z Enterprise Grade Version of gmail is an oxymoron.
        Your Non Advocate
      • You're worse than the 11 o'clock news with your lame scare tactics

        @wolf_z

        So all cloud-service engagements end in lawsuits, damaged reputations and stolen secrets? No privately-hosted e-mail system was ever compromised leading to these things?

        Here's the thing:
        Your company is not better at security than Google is.

        To concoct some ridiculous doomsday fantasy, and then say "that sounds pretty wasteful" is just a self-serving lie.
        RationalGuy
      • RE: Outsourcing email: Do the benefits outweigh the risks?

        @RationalGuy [i]Your company is not better at security than Google is.[/i]

        Very true. But at least here, I know who to blame. And I wouldn't have to wait 3 years for the lawsuit to finish up. The Axe would fall immediately. How exactly do I get a hold of that Google engineer that was reading e-mails?
        Badgered