In our hyper-security world, it is great to see a little
humour. There is, of course, truth in every joke, and this
cartoon represents a very "real" security issue.
Best practices would suggest a security strategy that minimizes
logons while maintaining security standards - single sign-on with
an encrypted connection is one strategy. For many
applications, the ultimate objective is to have a single portal
serving up a range of functions on an integrated platform - and an
integrated security process with one sign-on!

As technology has evolved, so have consumers' concerns
surrounding the use of their personal data. Not only are they leery
of providing information, consumers also are leery of who uses
their personalized data and for what purposes. Marketers can ease
their customers' concerns by taking precautions, especially
surrounding their online marketing efforts. Here are a few tips to
think about when creating a personalized URL (PURL) campaign:

Define and Assess Security Risks of the Web Site:
In the planning stages you should define and assess the potential
security issues with your marketing campaign to minimize their
impact. If the Web site includes sensitive data, consider creating
a threat model to identify the risks and possible vulnerabilities.
The analysis assists the development team in its Web site

Take Complete Stock of the Web Site: Information security is not
just about preventing
theft or damage. It also includes ensuring your Web site is
available and fast enough, complying with legal and regulatory
requirements, providing accurate information, preventing release of
confidential information to unauthorized users and inappropriate
use, protecting your users, and providing the ability to analyze
and learn from incidents.

Password Protection: Consider using a unique
four-digit number when creating the PURL string. This keeps
recipients from accidentally or purposely viewing another
individual's site. For example, you may have several individuals in
your mail file with the same first initial and last name, so in
this case you'd have to use a number to identify each (JSmith1,
JSmith2, JSmith3 …). If JSmith2 were so inclined, he could access
JSmith1's PURL. It's better to assign a random multiple-digit
number to each PURL so your recipients can't crack your code. Some
marketers use separate passwords included in the marketing offers
with the PURLs so recipients can securely access their sites.
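
The difference between the numbered scheme and randomly assigned codes, shown as an added Python example that is not part of the original article. The sample recipients, the function names and the eight-digit code length are assumptions made for illustration.

```python
import secrets

# Constructed sample mail file: three recipients collide on "JSmith".
RECIPIENTS = ["John Smith", "Jane Smith", "Jack Smith", "Ann Lee"]
CODE_DIGITS = 8  # assumption: longer than the four digits mentioned above


def base_slug(full_name):
    """First initial plus last name, e.g. 'John Smith' -> 'JSmith'."""
    parts = full_name.split()
    return parts[0][0].upper() + parts[-1]


def sequential_purls(names):
    """Weak scheme from the text: JSmith1, JSmith2, ... Neighbours are guessable."""
    counts, purls = {}, []
    for name in names:
        slug = base_slug(name)
        counts[slug] = counts.get(slug, 0) + 1
        purls.append(f"{slug}{counts[slug]}")
    return purls


def random_purls(names, digits=CODE_DIGITS):
    """Give every recipient a distinct random suffix from the OS CSPRNG."""
    table = {}  # PURL -> recipient; the only way to resolve a visit
    for name in names:
        while True:
            suffix = f"{secrets.randbelow(10 ** digits):0{digits}d}"
            purl = base_slug(name) + suffix
            if purl not in table:  # retry on the rare collision
                break
        table[purl] = name
    return table


def guess_odds(live_pages, digits):
    """Chance one blind guess of a numeric suffix hits a live page.

    Three live JSmith pages: 3 in 10,000 at four digits, 3 in 100,000,000 at eight.
    """
    return live_pages / 10 ** digits


if __name__ == "__main__":
    print(sequential_purls(RECIPIENTS))
    print(list(random_purls(RECIPIENTS)))
    print(guess_odds(3, 4), guess_odds(3, CODE_DIGITS))
```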

Test Before and After Rollout: All projects must
include structured testing. Security testing involves checking what
is not allowed on the site as well as the intended functionality.
This requires thinking outside of the box to foresee any potential
obstacles. You should proof PURL sites before a marketing campaign
deploys as well as after.

Monitor Your Reports: Review your data collection
reports often to identify abnormal behavior and how these problems
occurred. Problems with capturing information can skew your results
and possibly prevent a future marketing campaign. It's also a good
idea to protect the reports from alteration. In some instances,
we've seen recipients of PURLs pass their personalized landing page
information to friends, who then access and use the recipients'
identities to fill out the pages. This wreaks havoc on your
reports. You may want to consider locking each PURL so the
recipient cannot change her name, and instead provide her with the
option to refer the friend so he gets his own