It’s taken me a bit of time to write this article. I’ve been trying to figure out the best way to express my concern for all of us without it sounding like I’m belittling the concerns of those affected by this unfortunate event.
Then I realized – that pretty much says it. Please take the sentiments that will follow in that context.
Before we go any further, I want to repeat the disclosure I made in the article I wrote on Tuesday. I serve on Network Solutions’ Social Web Advisory Board. It’s necessary to state that because my relationship with them may bias my opinion under certain circumstances. This is not one of those instances.
(And if you know me, you probably realize that it won’t stop me from saying what’s on my mind anyway. Most likely to my detriment, my opinion can’t be swayed for less than $2 million, and my integrity is not for sale, ever.)
All joking aside though (about the $2 million, not my integrity. I like to joke that I have a price but it’s more like $20 million, if I have one), this article is my perspective on several things that surrounded the recent breach of security at Network Solutions. I have three.
- The overly harsh and at times, inaccurate press that occurred when the story broke. I expect that from mainstream media, not online.
- The fact that what I saw as the most important part of the story was rarely, if ever, discussed, although it’s far more important. Instead, the often incorrect story that was in the press cast the company in a pretty dark light, given that Network Solutions did everything we have been asking big companies to do when these things happen.
- Since NS (I’m tired of writing out Network Solutions!) did what they were supposed to do, why were there such harsh reactions to what happened?
Let’s start with the stories. I was on vacation when it broke, so I didn’t get to provide any input on how to manage coverage before it hit the press. In fact, it was reading about NS from my Google Alerts and seeing them start to pop in more frequently than usual that I realized something had happened. And I saw stories saying that NS “puts 570,000+ customer credit cards at risk” which while technically true makes it sound like NS was negligent in some way.
As I do with all stories I see about a company that deals with ecommerce or the web on any level, I went to several stories to get a fuller picture of what had happened. From skimming various headlines it sounded like NS had done something wrong and intentionally. Rather than having discovered and reported that a crime had likely been committed, it sounded from the coverage like they had committed one.
Meaning, that’s the type of headline you expect to see when a company finds out something happens, covers it up and pretends that nothing happened, knowing there are no negative connotations to them sweeping it under the rug. For something like this you’d expect to see more coverage that described accurately what happened, like, “Network Solutions warns merchants after hack”.
Sure, the headline isn’t as sexy, but at least I’ll continue to trust that organization’s news. I’m just as much a fan of a grabby headline as the next marketer, but hype for the sake of hype is worse than a boring headline. At least an informative one is honest.
The reason it concerns me so much isn’t that the affected company is Network Solutions.
It may seem so, but if you follow that logic to its conclusion, you’d see that someone in my position wants to work with the companies that need help, or my company doesn’t exist. One could argue that if they didn’t have issues like this come up, they might not need a Social Web Advisory Board, and then they wouldn’t need me – who would that help? Not me.
Every help desk employee secretly loves Microsoft.
My concern is that the way in which this affects all of us was mentioned, let alone addressed, in very few stories. In fact, I spent the better part of yesterday and today trying to find a few articles that did, and had to go through hundreds of them just to find a handful.
We’ll come back to that. First I want to give some examples of what NS did right. I’m sure you’ll be able to recall many, many instances in which otherwise successful companies have swept incidents under the rug instead of acting on information that might affect their clients.
Yet in this case, Network Solutions did what we now believe companies should do:
- Discovered something that could hurt a sub-set of their clients
- Reported it to their clients (albeit after a delay that I personally thought was too long)
- Despite being an extremely powerful company that could easily get away with not being accountable, they stepped up to the plate and took the public beating like a champ. Every time a blog post popped up, you saw Shashi and his team responding.
- At no point did they attempt to have the story spun in their favor – they took it on the chin, even though they were completely compliant with the expected security measures needed, and in fact, did more than they were required to by law, both before and after the breach to address the issue.
- Created support avenues for those affected to recover as well as possible.
Of course, I subscribe to the philosophy most vigorously posited by Chris Rock that you shouldn’t get a cookie for doing something that you’re supposed to do. And that’s what we as consumers feel companies are supposed to do when a mistake happens, regardless of fault.
However, in reading comments on some of the news stories I read, I saw really appalling comments about the incident that made me think the people reading them read the headlines and nothing else.
If that’s how the public reacts when companies do the right thing, what’s their incentive for continuing to do so? I’m not saying that NS is going to hide hack attempts in the future. I’m saying that other big companies are watching these things happen and their number crunchers are including these reactions in whether the cost of doing the right thing is worth it in the long run.
Sad but true.
We have the power to influence those decisions, and we should.
But okay, I got that sermon off my chest. What’s really under my skin? What’s really the super-big deal about this story that I believe most reporters missed?
As I pointed out, NS did everything they were supposed to do. They were compliant with all the necessary security measures and as I understand it, took additional precautions as well.
So if they were compliant, how did a company with their resources get hacked? Probably because the hackers have gotten much smarter than the technology put in place to stop them from breaching our security. And if it happened to Network Solutions, then what can those of us with fewer resources do to protect ourselves?
I don’t store any credit card information of any of my clients, in fact, I do my best not to ever come into contact with it. If you buy something from me, your card gets verified in the most secure fashion available, and processed, but not stored. Then you get your product or service. So I’m not touching information as sensitive as a credit card until my company is so big, we can’t help it.
But sometimes email addresses, sensitive company information, even trade secrets, come across my desk, and I have occasion to give mine to other people. And being a former help desk computer nerd (still a nerd, just not on the help desk), I go through levels of securing that information that border on the paranoid.
I’m sure you do at least what is necessary to keep yourself out of trouble. But what if that isn’t enough? What if the most secure precautions we can take are not enough?
It wasn’t enough for Network Solutions.
The very thought was a huge wake-up call to me.
And after several weeks of research, I don’t have the answers to that. But here are three articles I think you should read if you share the same concerns as I do and want to find those answers.
Two are about the issues surrounding PCI Compliance and proposed resolutions to the PCI debate. One is about the best practices of dealing with this type of crisis, should you find yourself in a similar position. We all hope we won’t, but it’s a smart move to know exactly what Network Solutions did right, just in case.









