IBM Business Partner Makes Programming/Marketing Mistake That Puts Them At Risk
An IBM Business Partner recently made a mistake that I am sure we have all
made in the past (I know I have). This partner had an agent written to send
individual marketing e-mails to potential customers. Now, I am not going to
discuss the pros and cons of their sending unsolicited commercial e-mail.
Rather, I want to cover the mistake that could potentially backfire on them.
What did this partner do?
The partner did a fine job reviewing their code. The email message generated
as it was supposed to: it generated and sent the marketing e-mail. What
they forgot to do was to change the agent so that it did not run every
5 minutes. You know, this agent properties tab:
As a result, the same rather large e-mail was sent out at least 17 times
(that is how many times I received it). This type of mistake can be costly.
So let's start at the beginning, pretending we are in an ideal world.
COBIT Objective AI5 Install and Accredit Systems
"Control over the IT process of installing and accrediting systems
that satisfies the business requirement to verify and confirm that the
solution is fit for the intended purpose"
5.7 Testing of Changes
"Management should ensure that changes are tested in accordance with
the impact and resource assessment in a separate test environment by an
independent (from builders) test group before use in the regular operational
environment begins. Backout plans should also be developed. Acceptance
testing should be carried out in an environment representative of the future
operational environment (e.g., similar security, internal controls, workloads,
etc.)."
Source: COBIT 3.1
Why Should You Be Interested in This?
Well, first off, it is likely that there will be angered customers, the company
risks being reported as a spammer, and they might lose potential customers.
This could result in lost revenue, loss of existing customers, loss of
business reputation, the loss of their ability to send e-mail because of
blacklisting, and in a worst-case scenario legal sanctions resulting from
lawsuits.
Lessons Learned
I will quote from an e-mail I received from the company president:
"Thanks for your feedback. This was not a code error, rather
a stupid human (me) error and was not intentional. The wrong group
was chosen and the agent was not changed from every 5 minutes to once.
I am very sorry for the mistake. This is not how we do business and
I am sure it will not help us to get business. I assure you that
I have learned to program mail agents quite well. What I need to
learn is how to pay attention to my setup."
Yes, this individual learned a painful lesson, as I did last year when
I made a similar mistake. The key is to focus on a strong internal control
process when processing high risk activities. The question is how does
a company balance the risks* of mistakes vs. the cost of implementing sound
controls? That is a lengthy discussion for another day. If you are a small
firm (or even a one-person shop), develop a standard "To Do"
checklist for things such as agents and agent properties. And then use
it each and every time. That way when you approach a potential customer,
you can say with confidence that you "eat your own dog food".
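As an added illustration (not the partner's agent and not Notes/Domino code; names and property keys are assumed), the following Python models the two controls this incident calls for: a pre-deployment checklist that refuses to enable a one-shot mailing agent whose schedule or target group is wrong, and a "send once" ledger inside the agent so that even a mis-scheduled run cannot deliver the same campaign to the same recipient twice.

```python
"""Added illustration: pre-flight checklist plus a send-once guard for a
scheduled mailing agent. Plain-Python model with assumed names; it is not
the partner's code and not Lotus Notes/Domino API code."""
from dataclasses import dataclass, field


@dataclass
class Campaign:
    campaign_id: str
    subject: str
    recipients: list


@dataclass
class SendLedger:
    """Durable memory of (campaign, recipient) pairs already delivered."""
    delivered: set = field(default_factory=set)

    def already_sent(self, campaign_id, recipient):
        return (campaign_id, recipient) in self.delivered

    def record(self, campaign_id, recipient):
        self.delivered.add((campaign_id, recipient))


def preflight(agent_props, expected_group):
    """Checklist the post recommends, as code. `agent_props` mirrors the
    agent properties tab (assumed keys 'schedule' and 'target_group').
    Returns a list of findings; an empty list means the agent may be enabled."""
    findings = []
    schedule = agent_props.get("schedule")
    if schedule != "once":
        findings.append(f"schedule is '{schedule}', expected 'once' for a mailing agent")
    group = agent_props.get("target_group")
    if group != expected_group:
        findings.append(f"target group is '{group}', expected '{expected_group}'")
    return findings


def run_agent(campaign, ledger, outbox):
    """One scheduled execution of the agent. Skips recipients already in the
    ledger, so repeated runs are harmless. Returns messages sent this run."""
    sent = 0
    for rcpt in campaign.recipients:
        if ledger.already_sent(campaign.campaign_id, rcpt):
            continue
        outbox.append((rcpt, campaign.subject))  # stand-in for the real mail send
        ledger.record(campaign.campaign_id, rcpt)
        sent += 1
    return sent


def simulate_schedule(campaign, runs, guarded=True):
    """Simulate the scheduler firing the agent `runs` times (as an 'every
    5 minutes' schedule would). With guarded=False every run starts with an
    empty ledger, i.e. the agent has no memory, as in the incident.
    Returns a dict of recipient -> copies received."""
    ledger = SendLedger()
    outbox = []
    for _ in range(runs):
        run_agent(campaign, ledger if guarded else SendLedger(), outbox)
    counts = {}
    for rcpt, _subject in outbox:
        counts[rcpt] = counts.get(rcpt, 0) + 1
    return counts


# Constructed sample data for the demonstration.
SAMPLE_CAMPAIGN = Campaign("spring-promo", "Our new offering",
                           ["alice@example.com", "bob@example.com", "carol@example.com"])
MISCONFIGURED_AGENT = {"schedule": "every 5 minutes", "target_group": "all contacts"}
CORRECT_AGENT = {"schedule": "once", "target_group": "prospects"}

if __name__ == "__main__":
    print("pre-flight findings:", preflight(MISCONFIGURED_AGENT, "prospects"))
    print("unguarded, 17 runs:", simulate_schedule(SAMPLE_CAMPAIGN, 17, guarded=False))
    print("guarded, 17 runs:  ", simulate_schedule(SAMPLE_CAMPAIGN, 17, guarded=True))
```

The pre-flight check is the cheap control: it runs before the agent is enabled and would have caught both items the company president named (the wrong group and the schedule left at every 5 minutes). The ledger is the defence in depth: if the checklist is skipped, a scheduler that fires 17 times still produces one e-mail per recipient.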
You can read more about COBIT at the Information
Systems Audit and Control Association website.
Now, I promised not to out them by name as a courtesy. So even if you know
who it is, please do the same!
*Risks - The potential that a given threat will exploit vulnerabilities
of an asset or group of assets to cause loss or damage to the assets. The
impact or relative severity of the risk is proportional to the business
value of the loss/damage and to the estimated frequency of the threat (from
Guidelines for the Management of IT Security published by the International
Organization for Standardization (ISO)).
Copyright 2004 by The Cayuga Group, LLC. All Rights Reserved.