Considering Dumping Your Breached ESP? Don't be an Idiot
By Ken Magill
“E-mail services firm Epsilon will face years of repercussions and up to $225 million in total costs as a result of its recent data breach,” said a press release put out last week by self-described “cyber risk analytics and intelligence company” CyberFactors.
Years of repercussions? Seriously?
Never mind that CyberFactors doesn’t have access to any of the facts necessary to draw such a conclusion. Let’s give the firm the benefit of the doubt and use its announcement as a leaping-off point into a more important discussion.
According to CyberFactors: “Loss of revenue related to customer churn as part of the Epsilon breach fallout could range from $6.1 million if just 1 percent of customers left, to $30.7 million if there were 5 percent churn.”
I have a message for any firm whose executives are considering leaving Epsilon as a result of its recent well-publicized breach: Don’t be an idiot.
While you may think Epsilon has been unacceptably sloppy and should lose your business, there is probably no ESP more focused on the security of your files than Epsilon in the wake of its data breach.
There are certainly some as focused—Silverpop, which also has had some bad, breach-related publicity, comes to mind—but none are more focused.
If you think this is an Epsilon problem, stop kidding yourself. It’s an industry problem. If you spend the money to move to another ESP, you will have spent your time and money signing on and integrating with a vendor that is just as much under attack as Epsilon.
Epsilon has simply been one of the unfortunate few that had its breach made public.
Rather than blame Epsilon, you should be working with its executives to do whatever needs to be done to defend against the breaches.
Also, I’ve been hearing of ESPs experiencing pushback from clients who have been asked to perform a few extra security-related steps. I have a message for those clients, as well: Don’t be an idiot.
Anyone who has been in business for any length of time knows that some clients live to abuse vendors. Vendor abuse for the sake of vendor abuse is always inappropriate. On this particular issue, it is wildly inappropriate.
As of this writing there have been no reported Epsilon-breach-related phishing attacks or spam.
Punishing one company for an industry-wide issue that so far has had no discernible effect would be just plain stupid.