A few months back I wrote a post about online/web security. More recently, I posted about ‘app fatigue’, discussing how current software [apps, CMS (websites), and a lot of other things] development methodologies and market pressures are having a negative impact on the quality of the software being developed and, by extension, product security.
I am writing about these topics not as a developer or someone selling you an alternative, but as a marketer and business person concerned about what I have seen as a growing pattern in the industry, particularly around attitudes in certain business segments concerning the importance of the data they are pushing online.
One place this has come to light again is in marketing and public relations. I have heard from dozens of developers, development shops, and marketers themselves, that marketing and PR sites rarely have any sensitive data, so security is not their number one concern. Rather, ease of use and customer experience are the most important factors for them, as well as the ability for Google to crawl the site.
At what point in the Web’s evolution did we choose to give up security for ease of use and customer experience? This mentality comes from people only knowing how a site should look, feel, and perform when visited, but not fully understanding the back-end technology and the tradeoffs certain technologies and programming languages have versus the alternatives. I firmly believe these tradeoffs don’t need to happen.
I don’t like to call out any one platform versus another, but clearly certain platforms have been breached far more often than others. Those platforms mainly place blame on the user, often saying the user did not update to the latest version and that’s why he or she was hacked. Or that it was a plugin that was out of date. To me, this is like an auto company saying you did not maintain your car, and that’s why it blew up and killed everyone riding in it.
Back to marketing sites. To illustrate how important security is for any site, we should look at the recent hack of PR sites. Many marketers or PR professionals write press releases or other content that will be released to the public at some point in the near future. In the Fortune 500 organizations I have worked in, we would have PR releases parked and ready to be published a week to ten days before public release. Having such material parked on a site’s back-end or in the web publishing platform, waiting for approvals or to auto-publish at a particular time and day, means this vital information could be exposed if the site is hacked. This is where the information becomes much more valuable. This is clearly illustrated in a recent hack where a group hit numerous corporate marketing and PR sites, reading content before it was released to the public, and then used that information to trade stocks in those companies prior to the rest of the market having access to the same information. The hackers profited to the tune of over $100 million.
A fall programming schedule, a show being canceled, a key talent leaving a news program: on the surface they seem to have minor value, but aggregated across competitors one could build a picture across an industry to predict future success or lack thereof. Having this information before the general market can be very valuable.
This brings me back to my previous posts on security, platforms, partners, and software development methodologies. As marketers and business people involved with making the decisions about what platforms and technologies our companies will deploy, it’s very important to go deeper than “it’s what others are using” or “everyone in publishing likes using it”. Sometimes, small inconveniences or minor tradeoffs can provide better long-term results, especially when it comes to online technologies and security.
For more on the press release hacking incident read these links: