After operating my own business for 10-plus years I often get asked by new entrepreneurs starting out what things I think are most important to someone starting up a new business.
1. Focus on your craft, but become an expert at sales. When I started I thought that I needed to be the best I could be at what we do (information security, privacy, risk management) and how we do it (project management, professional services management). I have found over the years though that if you don't understand the sales process and excel as a participant in it you can lose sales to firms that don't know the craft as well as you and you can miss customer expectations. Truly every project begins with sales.
2. Find a good lawyer. Find a good accountant. I have had a good accountant almost from day one, John Davidson (no relation, really) from Kyles Hill. John's taught me a lot about the financial side of business, sat beside me in negotiations as our CFO and given me a different perspective that has helped me and Jacadis grow. We have had good legal work done but no attorney has given us the depth of effort that John brought us on the accounting side. That, I believe, was a weakness in our formative years.
3. Take the time to write a simple business plan. Spend your time searching for a good simple business plan outline. Take the time to work through it. Focus on the directional issues. Why does your business exist? What does it do? Why do people need it? Who are your customers? Where do you find them? What do you need to do your work successfully? Can your idea scale? What do you need to scale? A solid business plan can be written in a weekend. Don't put it on the shelf. I pull ours out every quarter to check our direction. Sometimes I adjust the plan with input from senior staff. Sometimes I adjust the work effort or activities. Regardless we make course corrections every quarter because the plan is a living guide for who we are, what we do and who we serve.
4. Design the business with security and privacy in mind. Really. We run our businesses off the fuel of information. Too often we have seen small businesses fail or struggle because they have lost the confidentiality of key information, lost access to key information or found that it became contaminated and unusable. Larger businesses can absorb more damage. Many of them by virtue of their size have these covered. Small businesses can't absorb much damage. In the rush to focus on sales and craft many entrepreneurs forget the basics and leave their networks open to the outside, key customer data exposed, or simply opt to save a few bucks and not back up their information. There are stories in the news regularly about business failures that were planning failures because business starters didn't think about security and privacy at startup.
With so much focus these days on data privacy and individual identities much of the conversation within the security community and from the security community to the business community skips over other critical information types that need to be protected.
This is a list of information that you should also work to protect:
1. Information about your systems and networks. When I backpack I don't do very well if I have to go off trail and I don't have a map. The same is true for someone trying to break into your information systems. If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information. Are you making your network an outside explorer's paradise?
2. Your company's secret sauce. You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient Chinese secret (remember the Calgon commercials?) but all of us in small business have our secret sauces. For Jacadis, it is the unique way we deliver many of our services. For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers. That process has helped them win business because other printers aren't doing it. Years ago we did work for a company that made a unique material used in the florist business. They were the only company in the world that could produce the material at quantity and had factories worldwide that did it. Their key asset was the chemical formula and process to produce that material. Are you protecting your secret sauces?
3. Work. Think of the endless hours that you spent putting together that killer sales presentation. Should it be corrupted or removed from your computer you'll have to redo the work. The same is true for data entry, etc. The work itself might not be "secret" but should you lose it you'll really be losing time and value. As I sit here typing most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com). For your business your work may be many other things. My sales team would tell me that their biggest collection of work is the information they have on clients. A friend of mine has a laser cutting business. Unique programs are written to consistently and repeatedly cut 3D designs into different materials. These programs are his work. Another friend has a much lower tech manufacturing business, an old sand mold foundry. His forms and molds breaking means he has to redo them just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted. In the end the loss of work means the loss of time or information. You'll have to invest time to recreate the information. In some cases you may not be able to recreate it. Are you protecting your work?
4. Personal information about your executives, leaders and key employees. Again, to explore something you need a map. To attack a target you need a map. Freely and without thought sharing personal information on your executives, leaders and key employees may just be providing a map. This is a tricky subject though. I won't do business with a company if I can't see some information about its ownership. Most people do business with people so a company that completely hides the details of their key players doesn't earn my trust. Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up. On a simple level, executive emails sprinkled all over a web site invite spam. On a more complicated level, in some businesses, travel plans and other locational information improperly shared invites more nefarious attacks. Are you protecting your key people? Are you protecting all of your people?
5. Personal, though non-protected, information about your customers and prospects. Again, protect the map. Customer lists, detailed information about your customers' pains and challenges, and the other sort of information that fuels a personal relationship between your business and your clients should be protected regardless of whether or not the information is considered private, confidential or in some way protected by law or regulation. Protecting your customers' information promotes trust. Are you promoting trust with your customers?
What types of information that must be protected did I miss?
We had a unique call come in yesterday, one I wish we had more of, but we don't.
A small business owner with a brokerage of sorts wanted to develop a website that would allow the producers and the buyers to post information, in some cases highly personal information, review non-confidential subsets of the data about the other and keep the whole thing secured from the outside.
She asked if we could help and provide "small business pricing quotes."
In fact, I don't think many security firms get those calls.
Most of our calls are after the fact either after the app or system has been developed or just after it has been breached.
She called us asking questions because she didn't have any answers. I think that approach serves us well in many endeavors.
We can help her. We offered to help her develop a list of functions and safeguards she needed in her application, help her manage the procurement process and then to test the application for security before she accepted it from her developer.
In 10 years of business that was a first.
Most applications, particularly web applications, are built without much thought to information security, customer privacy or the regulations covering the information.
Truthfully no application is 100% secure. But an application that has been designed and developed with careful consideration for its information security, user privacy and regulatory requirements stands a great defensive chance once it has been launched. Testing that application before launch further raises the defensive posture. Regular testing and a proper operational routine after it has been released to production even further raises that posture.
Again, our experience has been that most businesses, particularly small business, design and develop applications, release them to production and then through some event realize that security is a concern. There is a breach or a break-in. The site is knocked off line by a denial of service attack and revenue streams are interrupted. The invoice from the payment card processor is higher than they want to pay and they find it is because of non-compliance with PCI. And so on.
This occurs because two things don’t happen up front:
Security just isn't talked about as part of the design process. It must be!
An assumption is made that the developers and hosting providers on the project will handle security. In most cases they won't unless you demand it of them and back the demand up with contracts and tests.
Here is a list of non-technical questions you need to consider as part of your design conversation. Getting technical on some of these issues may require a member of your IT staff or an outside consultant. But any small business owner should be able to answer these questions if they are trying to build a business using technology:
What is the sensitivity of the data on our planned site? Is it regulated data?
Who regulates the information or audience that uses our site? What are your obligations to protect it? What are your obligations to maintain user privacy? Does your privacy policy match that obligation? Will the site be developed with the guidance of a privacy policy?
How long can the site be offline before it negatively impacts our business? When will customers usually visit the site to transact business? If we are off line an hour of peak traffic time how much revenue will we lose? Profit?
What do our customers expect from us in regard to protecting their privacy?
Will you have user forums or accounts on the site? How will you verify those signed up are really customers? Or really people?! Does that matter? Will you allow any and all comments in your forums? Do you need to edit them or block them?
How does the developer ensure the web application is secure? The database?
How does the hosting provider help secure your application? How will you know they are doing their job?
You then need to make sure that your development partner builds the site to meet the requirements these questions should raise to the surface.
That site must be deployed in a technical environment that is at minimum protected by:
Proper and verified operating system and application hardening procedures
Separation of the development environment (where you'll continue to create and innovate as well as test) from production
We then recommend you test the site against your requirements to make sure they were met (best to do that before that last check goes to the developer!). We also suggest you conduct a vulnerability scan against the site to make sure that it wasn’t developed with technical weaknesses a hacker could use to create havoc for you.
And then finally we recommend that you, as a matter of routine, continue running those tests to make sure the site maintains the secure posture you paid for in the first place.
Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.
Frankly, as breaches go, Epsilon isn't that big of a deal. No protected information was taken, just names and email addresses. And more sophisticated attacks have come and gone in the press largely unnoticed.
Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non-techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.
Experts suggest that companies that outsource technology services take some of the following steps:
Make sure the vendor has a recognized, independently verified security attestation, such as ISO 27001 certification issued by an accredited certification body (ISO itself does not certify anyone) or a SAS 70 Type II report (an independent auditor's attestation on controls, not a certification);
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.
Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.
This will impact you if you answer yes to any of the questions below:
Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have obligations under HIPAA, PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley. We have seen these types of firms apply the highest security and privacy standards to their vendors even if their vendors don't process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client's business or its relationship with its customers this might apply. Or, for another instance, if you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?
Take action
If you answered yes to any of those questions we suggest the following:
1. Look at your customer agreements with firms in the categories above.
Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?
2. Sit down with your technical leadership and discuss:
Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives do we have documentation that defines our security program's values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?
If your business provides services to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.
Have you read or heard the news about the enormous hack at Epsilon, which touts itself as the World's Largest Permission Based Email Marketing Services Company? The hack affects a long list of major brands and probably includes some companies that you use.
If you paid attention to the reports then you've heard that no credit card accounts or social security numbers were taken, just millions and millions of email addresses and, in some cases, full names.
First, the amount of FUD (fear, uncertainty and doubt) included in sales and marketing messages from your technology vendors will increase. With each and every spectacular hack in the market FUD changes and morphs to include the new event as a reason to "BUY NOW!" even when the product in question doesn't safeguard against that kind of hack. Be an informed buyer, particularly of items as critical as security technologies.
Second, this large scale hack will catch the attention not just of the security and audit teams at these firms but in the corporate suites as well, resulting in greater attention to third party verification and vendor assurance programs. The list of companies affected includes a host of major brands. I've worked with small businesses that provide services to some of these firms. We've helped these small businesses prepare their environments to meet vendor qualification requirements and we've helped these firms prepare for audits by the larger firms' audit departments as part of contractually required vendor audits. If your firm provides services that depend on confidential data from these firms or others with a similar profile be prepared to attend to a heightened audit process.
Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients and that might put you at risk in two ways:
Targeted phishing attacks that look like legitimate messages from any of these companies are likely to be in our future. Know how to protect yourself from phishing attacks which Jacadis partner SOPHOS neatly outlines.
Accounts that depend on your email address might be at risk. Better safe than sorry. I would suggest you change your passwords on those accounts and make sure they are strong passwords.
What impacts to business and personal security do you think will be the aftermath of the Epsilon hack? What fears do you have about how it impacts your business or yourself?
Does your business process customer data? Show your business to business customers that your firm handles their information in a secure fashion and you may win new business.
Jacadis works with emerging firms (those in start up mode or those in high growth arcs) that suddenly find themselves with information security and privacy concerns. Usually, they have been so focused on building business features and functions that security has been an afterthought. Customers raise concerns about how information is handled, many times because the customer is regulated and is expecting our client to properly handle their data. By the time Jacadis gets involved these concerns are creating barriers to new markets or have become minimum requirements to win new business or retain existing business.
Our mantra is that if you can show your customers, particularly your regulated business-to-business customers, that you operate in a manner that can be trusted, you have the potential to create competitive advantage and win new business.
And it is true.
Yesterday, we got word from a client that our efforts in implementing a security program for them had translated into a higher level trusted relationship with a key client AND a new $200,000 order. The joy the sales manager had in telling me reminded me of the excitement my 8-year old has when he comes home from a great day at school.
Being secure does create competitive advantage.
Do you have those same concerns?
One tool we used was QualysGuard. We used it to measure the vulnerabilities (fancy security jargon for weaknesses) that exposed their technical infrastructure to attack. We used it initially to create a prioritized list of corrective steps for our client to take and now use it to maintain the current security levels and show the client's customers they are attending to security properly.
This post is a quick note for those of you who serve children online as audience members of your websites, either intentionally or unintentionally.
The FTC announced an extension of the public comment period for COPPA Rule Review until July 12, 2010. If you are familiar with COPPA you may want to take this short window to comment; if you aren't, and include minors under 13 in your online communities, you may want to take the time to familiarize yourself with COPPA.
For those that don't know COPPA, it is the Children's Online Privacy Protection Act of 1998, a US federal law.
According to the FTC web site:
Congress enacted the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6508, in 1998. COPPA contains a requirement that the Federal Trade Commission (FTC or Commission) issue and enforce a rule concerning children's online privacy, which the Commission did in 1999. The Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, became effective on April 21, 2000.
Under the act "operators covered by the Rule must:
Post a clear and comprehensive privacy policy on their website describing their information practices for children's personal information;
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
Give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties;
Provide parents access to their child's personal information to review and/or have the information deleted;
Give parents the opportunity to prevent further use or online collection of a child's personal information;
Maintain the confidentiality, security, and integrity of information they collect from children.
In addition, the Rule prohibits operators from conditioning a child's participation in an online activity on the child's providing more information than is reasonably necessary to participate in that activity."
Though we've touched on COPPA in the field when we've worked on assessments and governance formation within the higher education sector, I've not had much direct field experience with COPPA. Here are some articles online that helped me understand it, its implementation and limitations:
COPA vs. COPPA and the U.S. Supreme Court (January 29th, 2009) by Steven Leung. Leung quotes an FTC press release that says that "there is potential for age falsification on general audience websites, as well as liability under COPPA, should these sites obtain actual knowledge that they are collecting, using, or disclosing personal information from children online."
As a parent with 3 boys 13 or under this was an interesting topic.
From a risk management perspective I recommend that you consider whether you have any exposure to children in that age group using your online properties. If you do, you'll want to plan how you can reduce your risk in regard to COPPA.
The Federal Trade Commission (FTC) announced yesterday Twitter's settlement of charges that Twitter "deceived consumers and put their privacy at risk by failing to safeguard their personal information."
In a non-technical pedestrian manner David Vladeck, Director of the FTC’s Bureau of Consumer Protection boils it down in this quote on the FTC site:
“When a company promises consumers that their personal information is secure, it must live up to that promise. Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations."
Twitter was hacked twice, once in January 2009 and again in April of that year. During that time period Twitter's privacy policy stated that:
"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Twitter had borrowed some of the language from another firm's privacy statement (how did your privacy statement get written?).
The FTC acted under Section 5 of the FTC Act which gives them the power to hold firms accountable for "unfair and deceptive" practices. The deception here is that Twitter publicly proclaimed it did something that in fact it did not do.
There were no monetary fines levied. According to legal friends of mine this is due to the fact that Section 5 of the FTC Act does not grant the FTC the power to levy fines or penalties.
Again, according to the FTC:
"...Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system, including reasonable steps to:
require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
restrict access to administrative controls to employees whose jobs required it; and
impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years."
Again, according to my legal friends that means that Twitter is now in a spot that should they fail to fulfill their part of the settlement the FTC may find them in contempt of the settlement which then would permit the FTC to levy fines and penalties.
There is plenty of debate in the security blogosphere discussing whether or not the FTC "went too far" or was legislating by regulation.
For me the important element of the case is the lesson for other growing and emerging businesses.
Twitter has grown more rapidly than they could have known when they started up. As the subscriber base skyrocketed, however, the start up culture that is more feature focused than formal process focused carried onward. One of the hacks was because a dictionary word, easily guessed, was used to protect an executive's Google Applications account. A dictionary-based password can be guessed easily, especially if you know the person who owns it. Strong passwords are the foundation of information security. If a company isn't using strong passwords we question their commitment to security. Ultimately that lack of commitment is what got them.
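The controls the FTC listed above (lockout after repeated failures, password expiry, an admin login reachable only from known addresses and separate from the user login, admin rights only for staff who need them) plus the dictionary-word problem in this paragraph are all small pieces of code once you decide to write them. The block below is an added example for this post, not Twitter's code or anything from the FTC order. The class and function names, the tiny stand-in word list, the 10.0.0.0/8 "office" range and the demo accounts are all constructed for illustration; in a real deployment the wordlist would be a full dictionary file and the login handler would be mounted on an unadvertised admin path rather than the public login page.

```python
"""Administrative-access checks modelled on the controls listed in the FTC's
Twitter settlement.  Added illustration; every name and value here is an
assumption made for the example, not taken from any real system."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed stand-in for a real dictionary (e.g. /usr/share/dict/words).
DICTIONARY = {"happiness", "password", "twitter", "welcome", "summer"}
MAX_FAILED_ATTEMPTS = 5             # lock the account after this many failures
PASSWORD_MAX_AGE = 90 * 24 * 3600   # force a change every 90 days
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed office range for admin logins
PBKDF2_ROUNDS = 100_000


def password_is_strong(password: str) -> bool:
    """Reject short passwords and dictionary words, even when the word is
    'mangled' with a capital letter, digits or punctuation (Happiness1! is
    still 'happiness' to anyone running a wordlist)."""
    if len(password) < 12:
        return False
    letters_only = "".join(ch for ch in password.lower() if ch.isalpha())
    if letters_only in DICTIONARY or password.lower() in DICTIONARY:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a leaked table cannot be reversed with a wordlist."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    is_admin: bool            # granted only to staff whose job requires it
    password_set_at: float    # epoch seconds, drives the 90-day expiry
    failed_attempts: int = 0
    locked: bool = False


def create_account(username: str, password: str, is_admin: bool,
                   now: Optional[float] = None) -> AdminAccount:
    """Refuse to create an account with a weak password at all."""
    if not password_is_strong(password):
        raise ValueError("password rejected by policy")
    salt, digest = hash_password(password)
    return AdminAccount(username, salt, digest, is_admin,
                        now if now is not None else time.time())


def admin_login(account: AdminAccount, password: str, client_ip: str,
                now: Optional[float] = None) -> str:
    """Return 'ok' or a 'denied: <reason>' string.  The reason is for the
    server log; a production handler would show the client one generic
    failure message so it cannot tell which control fired."""
    now = now if now is not None else time.time()
    if not any(ip_address(client_ip) in net for net in ADMIN_NETWORKS):
        return "denied: ip"                # admin page is unreachable off-network
    if not account.is_admin:
        return "denied: role"              # least privilege: no admin bit, no admin login
    if account.locked:
        return "denied: locked"
    _, digest = hash_password(password, account.salt)
    if not hmac.compare_digest(digest, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True          # stops online dictionary guessing cold
            return "denied: locked"
        return "denied: bad password"
    account.failed_attempts = 0
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return "denied: password expired"  # correct password, but past 90 days
    return "ok"


if __name__ == "__main__":
    acct = create_account("alice", "Tr0ub4dor-Coffee-9", is_admin=True)
    print(admin_login(acct, "Tr0ub4dor-Coffee-9", "203.0.113.5"))   # off-network
    print(admin_login(acct, "Tr0ub4dor-Coffee-9", "10.1.2.3"))      # ok
```

What the code cannot do is worth noting: the FTC's first item, passwords "not used for other programs, websites, or networks," and its second, not storing admin passwords in plain text in personal email, are people-and-process controls that no login handler can enforce. Those belong in the policy and awareness training the post talks about elsewhere.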
Here are some lessons to consider:
Start security and privacy planning with business and application planning and design from the beginning. That is particularly true if your key processes involve confidential, consumer or protected information. The cost of doing security later will be much higher because you'll have to re-engineer. Metaphorically it is similar to adding a basement after your house is built.
Likewise, include information security, privacy and trust considerations in your culture early on. Technology, difficult and expensive to re-engineer, is easy in comparison to restructuring a company's culture. You can operate securely and create a loose modern team oriented culture. Focus on the customer trust issue as a rallying point rather than the constraints you feel security places on you.
Plan for your future value from the get go. Twitter's apparent laissez faire attitude toward information security and privacy earned them a 20-year dance with the FTC. It also puts a mark of toxicity on their value. If I had the money lying around to purchase Twitter would the potential of a historical lapse in security or the potential for one in the future, either of which would spawn a contempt finding and financial penalties, give me pause or give me leverage to reduce my offering price? Understand now how a breach or poor architecture might impact your future value and work with that in mind.
Don't cut and paste privacy statements or other statements of values or customer trust from other sites and call them your own. Get an attorney or a privacy professional or both engaged in developing your privacy policy. That policy is a sign of trust for your customer now. But poorly executed it could be a weapon used against you in the future. And as you work on developing that policy remember it is a legal and technical document and not a marketing brochure.
Finally, don't say things you don't mean or that you can't back up. Be honest. That should be true in all your business dealings as a start up or emerging firm. Customers purchase trust.
Have you built security into your culture and technology from the start? Working on it now?
Social media security and risk management is a business and communication policy issue NOT a technical issue. Assign responsibility to a business leader and not IT or information security staff.
This week at the Gartner Group's Security and Risk Management Summit, Gartner research director Andrew Walls dropped a contrary statement on the heads of the information security and risk management employees in his workshop. Summarized (from reports on his presentation available on the Internet) he asserted that:
Information security professionals worried about malware, phishing, and information leakage who try to take control or block social media use by employees are treading into water that is similar to monitoring employees' home use of the telephone.
The malware, phishing and other attacks against the social media front are the same attacks that we see against email. Logically, if we are going to block social media why are we not considering blocking email? (NOTE: Because we need it to run and grow our businesses).
At the root of concerns about social media are concerns about its drain on employee productivity. Employee productivity is not a charter concern for information security. It is a management issue.
While the information security and risk management blogosphere lights up with arguments about whether Andrew Walls is on target or off his rocker I wanted to bring the discussion into the realm of the entrepreneur and emerging business management professionals.
I think Walls is dead on.
Too many times I see a communications topic or business process topic turned into a technical topic because it involves technologies unfamiliar to the business manager.
Twitter, Facebook, twits, followers, friends, fans, Zemanta, wiki, widgets .... and so on all sound technical, like something the CIO, IT manager or that smart young kid on the help desk should be working on.
But if I boiled it down to communications channels (Twitter, Facebook, LinkedIn, etc.), conversations (twits, posts, etc.) and customers (followers, friends, fans) you could have the conversation. And you'd want to have the conversation if not control it altogether.
Though Walls' message was to information security and risk management professionals, managers and leaders in the small and emerging business space need to get it. The decision about social media is a business decision, not a technical or a security decision.
Here are some questions for discussion to help guide you in making that decision:
What conversations are appropriate for employees to be having with customers, prospects and the market in general online?
What topics are out of bounds?
What information is considered secret, private and confidential?
What information is regulated by government entities? How does that play into your social media policy (e.g. a doctor's office that allows friend connections from patients may be violating HIPAA)?
Can employees identify themselves as an employee of the firm?
Does that identification obligate them to certain behaviors? If they don't identify themselves as an employee does that expand their freedom?
How do you handle breaches of these policies?
What else concerns you about social media?
Document your answers in a policy statement. Formally share that statement with your employees. Assign ownership of the policy based on which business unit makes the most sense (IT to monitor use on the company network, HR to manage discipline of violations, marketing or IT to monitor your brand's exposure in online conversations, IT or information security to manage endpoint controls that help protect against malware, etc.).
And then use social media to run and grow your business.
Faced with vocal and public customer complaints how would you respond if you were jeopardizing customer privacy? Faced with customer silence on the topic would you change your practices if you knew you were jeopardizing customer privacy?
After consumer outcry that created a press and blogosphere frenzy, Facebook announced changes to its privacy stance this week. As summarized by Facebook the changes include: "... three things: a single control for your content, more powerful controls for your basic information and an easy control to turn off all applications."
I am not going to spend words here detailing the changes or commenting on their validity or effectiveness or advise you on a next action to take. That's for another posting.
I wonder how my business would respond? Many of my customers? You?
Now, granted, I wouldn't expect to be in the mess that Facebook created for themselves. Would you?
But set aside the crazy viral success Facebook has had and the company is not any different than mine or yours. Mark Zuckerberg's challenges are bigger, certainly, but not that much different than every other business out there.
Do something people want to buy. Sell it to them. Deliver it at less cost than you take in. Enjoy the profit. Innovate to make sure you still do something people want to buy.
Somewhere along that continuum Facebook decided that to innovate and monetize they needed to expose more users information.
(NOTE: They've claimed the privacy settings prior to this latest round of "fixes" were not motivated by making more money. Facebook needs to make money. They've officially said that the privacy changes (the ones before these settings) that exposed their customer base were not money motivated. But you have to wonder. You have to think that every day they wonder how they are going to monetize this great creature they've created. I'm skeptical but willing to give them the benefit of the doubt that it wasn't directly a driver, but improving product happens because companies must innovate to continue customer relationships, which drives monetization.)
Facebook, without consulting customers (who are us, the users, or their advertisers? just asking.), made changes to the settings that expose me and my friends, you and your friends and so on.
And your business may be in the same boat. You need to innovate. You need to improve service, add more value, etc. And someone in your company comes up with a great idea to innovate your business. A bar decides to put patron photos on its Facebook page. A doctor decides to move scheduling online. And so on. You implement without thinking the implications all the way through. Or without checking with your customers.
These innovations expose customer privacy. I'm supposed to be at work but I am at your bar. My wife sees my appointment online for my bum shoulder which I've told her is healed (honey, Valley has a game this weekend and they need me, the shoulder is fine! Think I'm playing Rugby after that?).
Our problems are smaller than Mark Zuckerberg's and Facebook's. And our mistakes don't invite the commentary of privacy organizations, the public ire of our customers and the attention of government regulators (ok, for most of us never, for some mostly never).
The mistake was public and the publicity forced a change. So Facebook had the "advantage" of being called to task publicly and being given an opportunity to fix the problem.
In my smaller world ... in your smaller world ... mistakes that get made aren't going to get that kind of attention. They just might, in fact, go unnoticed. But they might impact individual customers in a similar fashion. In fact, some small business privacy mistakes might impact your customer (really, the shoulder is fine!) more than Facebook's would.
If you caught your mistake and your customers didn't produce an outcry, would you care? Would you change?
Have you invested the time to think through how your practices might expose customer information? Perhaps innovations you have made .... to outsource processes, to automate transactions and ordering, to tailor marketing campaigns, to lower costs ... to solve that critical problem that is between you and more profit ... created a privacy exposure for your customers.