Thoughts on Cyber Security

We hear a lot about cyber security today. The recent breach of Target’s “Point of Sale” system for credit and debit card transactions is one big example that comes to mind. The fact is that cyber security is something that should concern everyone, from businesses, to government entities, to individual citizens. Small businesses, not just big companies, are at risk of being targeted. At iConstituent, we have learned important lessons about cyber security and how small companies can manage their cyber security risk. We have hired some of the best security experts we could find and made substantial upgrades in our security infrastructure to protect our company’s assets and our customers’ information. Most importantly, we have learned that nobody can guarantee they are absolutely secure, and even small companies need to invest in being as secure as possible.

What can I impart to others who run small companies? A lot. Here is some advice:

First, recognize that cyber security is not just an IT issue. For one thing, the consequences of a cyber attack can be so severe that they demand management’s attention: when the company’s finances, customers, or reputation might be on the line, management must own the problem and the risk.

Management must also lead because the solution to cyber risk is not just an IT solution: managing risk requires the whole company to work together. Management must make decisions about how to allocate resources and must set policies for the company. Human Resources needs to train employees, and employees need to act in a secure way on the company’s network. Legal has to make sure the company has the right insurance and protections in place. Communications supports sending important information to customers and other third parties. The company’s cyber security efforts are only as good as the weakest link, and the solution requires a team effort, so management has to lead and make sure the whole company is committed to cyber security. As CEO of iConstituent, I am ultimately the person accountable for our cyber security and for making strategic decisions about how we manage our risk. It’s the only way this works. So, where to begin?

The second piece of advice is to set priorities. Cyber security can become a big, tangled, never-ending problem if you let it. If you try to protect everything, you will protect everything inadequately, and you may soak up endless budget doing it. This is especially challenging for small companies. Instead, decide what matters most: what information and assets are most critical to protect, and how are we going to protect them? Convene your management team to talk about this, and solicit input from employees across the company, too; these questions may seem like they have obvious answers, but you will be surprised by the different answers you might get, many of which may be different and more accurate than you first thought.

Third, to keep focused on those priorities, it is important to have a plan. For a small company, a 12-month plan helps you plan your budget and set goals that are achievable in a reasonable timeframe. While planning is important, flexibility is, too: cyber security is dynamic, is never “finished,” and requires constant change and effort; so, as you measure progress against the plan each month, be prepared to adjust course as circumstances demand.

As a small company, a helping hand can be important, which brings me to my fourth suggestion: smart outsourcing can be an effective way to cover the basics of technology and staff support to monitor and protect your networks, without the expense of building your own complete, in-house security program. One useful element is a Managed Security Service Provider (MSSP), which can help prevent or mitigate a breach. Other third parties can help you limit your risk if an incident happens. Cyber risk insurance is one example. Of course, the devil is in the details, and you have to be careful about the specifics when outsourcing to reduce risk, for example checking the insurance policy for the right coverage and reasonable premiums. Outsourcing has many benefits for small companies that do not have the size or budget to build their own, in-house cyber security program. But, it is critical to keep in mind that while you can outsource many functions, you cannot outsource ultimate responsibility for your company’s cyber security: the management team needs to oversee the whole program and tie the various pieces together.

Fifth and finally, it is essential to prepare for the worst-case scenario: a successful breach that puts your company’s customers, finances, or reputation on the line. Even the best laid security plans can succumb to an attack, so make sure you have an incident response plan, and practice it together as a management team: do a drill to test the key elements of the plan and make sure each person knows their responsibilities and what to do in a crisis.

Cyber security is a dynamic, challenging problem. Staying secure is especially hard for small companies that have fewer resources and less time to prevent and prepare for attacks. But, it is essential to do your best to keep your company’s network and customers’ information secure.  I hope these tips, learned through our small company’s own experiences with cyber security, are helpful to you and help you start down the road of improving your company’s cyber security. Remember: just like running a small business, cyber security is a never-finished job, and the journey is as important as the destination. Good luck!

It’s been a long road.

Zain and Gregory doing the commute from LAX to DCA in the early days….

It feels like yesterday when we formed iConstituent in a small garage. But it's been nearly 12 years now. Fortunately for us, two of the founders of iConstituent had an empty garage in Anaheim, California. So, we used it until their parents kicked us out. After that, we moved to an industrial garage near Disneyland. The new garage space had no heating or air conditioning.

Those garage days have long since gone and we have had plenty of ups and downs since that time, but we persevered because we believed that government would look for efficient ways to connect with people – and we were excited about the tremendous opportunities that lay ahead.

Our first paying customer took us many months to obtain. After dozens of meetings and countless drives to Los Angeles City Hall, we finally signed former Los Angeles Mayor James Hahn. He used our product (an eNewsletter that tracked basic results and that provided some essential metrics) to help promote Los Angeles area restaurants after 9/11, and the results were outstanding. It worked and thousands of people received and read his message. How much did it cost the City of Los Angeles? $250. Inexplicably, he never used the service again. According to his staff, it was too expensive.

Disappointment never stopped us. We continued to forge ahead, believing that it was not a question of “if” government would adopt newer technologies  to communicate with constituents, but “when.” We were right.  In 2004, our little company began to grow.

Today, iConstituent is at the forefront of citizen engagement. What made us great nearly 12 years ago is still in our DNA today: we are, first and foremost, entrepreneurs and innovators. These two elements have been key to our overall growth. It’s true that some of our ideas flopped along the way (remember Virtual Town Halls, BuzzMetrics and MyCongress?), but we had the courage to try.

Not the garage anymore, but a real office. (iConstituent, circa 2005)

After our acquisition of InterAmerica Technologies in 2010, our business changed overnight; we went from a small company with a few employees to a much more substantial company with over 50 employees. Four years later, we are still a small business, composed of 50 hard-working people, dedicated to bringing change to citizen engagement through technology and innovation.

As we move ahead in 2014, iConstituent will continue to refine and focus its business strategy. So far, 2014 has gotten off to a great start: we released a new version of our core product, Signal CRM and our Constituent Gateway eNewsletter PLUS is one of the most widely used digital communications tools for elected officials in Congress and throughout the country.

One of our early offices with no furniture.

An old musician friend of mine once told me many years ago that “my head is in the sky, but my feet are on the ground.” This basically sums up iConstituent – we dream big things, but work endlessly to bring incremental, but substantive change, to the way government and people connect.

To My Competitors: Time to Step it Up

This week,  some of our competitors had a wake-up call. They learned that less than strict adherence to industry best practices when sending bulk email will result in getting blacklisted by major worldwide anti-spam organizations. The ones who suffer the most: their government customers and the constituents who receive information through bulk email. Our industry can do better and really needs to step up their game. iConstituent has been following industry best practices for years now – since we entered this market well over 10 years ago. Since our inception, we have successfully sent billions of messages throughout our years of dedicated service to government.

But, there are many vendors in our market who need to step it up.

Some government entities are experiencing serious bulk email delivery woes right now. Today. Why? Because the basic principles of sending bulk email have been ignored by a few who don’t see or understand the importance of maintaining high standards for their customers when it comes to sending bulk email. There are industry standards that must be adhered to when sending bulk email, or vendors risk their customers’ critical communication getting trapped in spam filters. Because some federal and state government entities purchase email lists, the challenge of sending bulk email is even greater; anti-spam organizations, like Spamhaus, make it tougher for email to get past their barriers. Hidden spam traps are everywhere. One wrong step or best practice ignored will result in poor email delivery or, even worse, no email delivery. So, what can be done to improve delivery of bulk email sent from government entities to their constituents? A lot, actually.

If you are a staff  member in a government office using a bulk email vendor, there is much that is not within your control. You must rely on your vendor to manage your IP reputation and list hygiene (and hope that they adhere to a myriad of other industry best practices). However, you should also be aware of some basic reporting that most reputable vendors provide. Without these key statistics, you will be in the dark as to the success rate of your bulk email delivery and overall emailing reputation.

There are three basic statistics that you may need to consider when sending your bulk email; “Open” and “Click Through” rates only tell you part of the story. It’s the Delivery Rate that is key.

  1. Delivery Rate: The Delivery Rate is different from “open and click through” rates. The Delivery Rate gives you the total percentage of your messages delivered. It follows a basic formula: Total number of emails sent LESS (Total Soft Bounces + Total Hard Bounces) = Total Delivered; expressed as a percentage of the emails sent, that is the Delivery Rate. Seeing this rate will indicate (at a glance) the success of your mailing. A low Delivery Rate indicates that there is a problem with your message delivery (e.g., blocked by a spam filter). Incidentally, there can be no such thing as a perfect delivery rate; every mailing will have hard bounces and soft bounces. It’s unavoidable.
  2. Hard Bounces: These are emails that are invalid (for some reason or another). They simply cannot be used any more. Industry best practice is to remove these addresses from your list every time you mail. That’s correct: Hard Bounces should be removed from your list with each bulk mailing effort. Over time, your email list will shrink; there is a natural attrition of email addresses in every list. Email lists are always dynamic and never static, so list hygiene is a constant effort. Continuous mailing to Hard Bounced emails will result in poor IP reputation and thus, being blocked by spam filters.
  3. Soft Bounces: These are emails that were not delivered due to an unexplained reason. However, looking at this list will give you a lot of information. For example, if you see a lot of emails with the Yahoo.com domain, this would indicate that Yahoo has blocked your email. Knowing this will help you correct the problem and fix this issue for the next mailing. Not knowing worsens your issue and drives your Delivery Rate down.
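The three statistics above can be computed from the per-recipient results a vendor report provides. The following is an added example, not code from iConstituent or any vendor: the result format, the sample addresses, and the thresholds for flagging a domain (`min_soft`, `min_soft_rate`) are assumptions made for illustration.

```python
from collections import Counter


def _mk(domain, statuses):
    # Helper that builds constructed (address, status) pairs for the sample.
    return [(f"user{i}@{domain}", s) for i, s in enumerate(statuses)]


# Constructed sample of one mailing's results (not real data).
# status is "delivered", "hard" (invalid address) or "soft" (not delivered,
# reason unexplained).
SAMPLE_RESULTS = (
    _mk("yahoo.com", ["soft"] * 4 + ["delivered"])
    + _mk("example.org", ["delivered"] * 7 + ["hard"])
    + _mk("example.net", ["delivered"] * 3 + ["hard", "soft"])
    + _mk("example.com", ["delivered"] * 2)
)


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def delivery_report(results, min_soft=3, min_soft_rate=0.5):
    """Delivery Rate, bounce lists, and domains that look blocked."""
    sent = len(results)
    hard = [a for a, s in results if s == "hard"]
    soft = [a for a, s in results if s == "soft"]
    # Sent LESS (soft bounces + hard bounces) = delivered.
    delivered = sent - (len(soft) + len(hard))
    rate = 100.0 * delivered / sent if sent else 0.0

    # A domain where most recipients soft-bounced suggests that the
    # receiving provider is blocking the sender (assumed thresholds).
    sent_by_domain = Counter(domain_of(a) for a, _ in results)
    soft_by_domain = Counter(domain_of(a) for a in soft)
    suspected = sorted(
        d for d, n in soft_by_domain.items()
        if n >= min_soft and n / sent_by_domain[d] >= min_soft_rate
    )
    return {
        "sent": sent,
        "delivered": delivered,
        "delivery_rate_pct": rate,
        "hard_bounces": hard,
        "soft_by_domain": dict(soft_by_domain),
        "suspected_blocks": suspected,
    }


def prune_hard_bounces(mailing_list, hard_bounces):
    """List hygiene: drop hard-bounced addresses before the next mailing."""
    bad = {a.lower() for a in hard_bounces}
    return [a for a in mailing_list if a.lower() not in bad]


if __name__ == "__main__":
    report = delivery_report(SAMPLE_RESULTS)
    print(f"Delivery Rate: {report['delivery_rate_pct']:.1f}%")
    print("Possible provider blocks:", report["suspected_blocks"])
    next_list = prune_hard_bounces(
        [a for a, _ in SAMPLE_RESULTS], report["hard_bounces"]
    )
    print("List size for next mailing:", len(next_list))
```

Flagging on the share of a domain's recipients that soft-bounced, rather than on the raw count, keeps a large provider from being flagged just because it has many recipients on the list.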

You should note that there are many other industry best practices that I am not touching upon in this post related to content creation, feedback loops, IP reputation and so on. But, the above three points are what I consider to be a basic starting point in understanding the effectiveness of your emailing TODAY. Poor delivery rates, high numbers of hard and soft bounces should give you cause for concern – and, the ability to make changes.

I have been talking about good bulk emailing practices for years now. It’s something that iConstituent is great at doing – sending bulk email. It’s important that constituent mail is sent responsibly and correctly; ignoring industry best practices is not an option any more. Vendors who sell services to the Members of Congress and other branches of government (other than iConstituent), need to improve their game and better adhere to industry best practices. Gone are the days of “email blasting,” and hoping for the best. In fact, those days were gone many years ago. We encourage our competition to step it up.

Thoughts on 2014 – Citizen Engagement in Congress

How will diminishing office budgets in the Congress affect citizen engagement this year? Before the Sequester, Congressional offices spent thousands of dollars per month on telephone town halls, mass email communications and other basic outreach services to communicate with their constituents. There was a positive benefit from these services.

The Sequester is definitely taking a serious toll on how Congressional offices manage their office budgets, and citizen engagement is an unfortunate casualty. Congressional offices have less money to spend on constituent outreach services. Yet, this doesn’t mean that citizen engagement is less important than before. In fact, the demand to engage with citizens is ever increasing and not diminishing: elected officials should not cut back on their citizen engagement strategies. Not now, not ever. Instead, their challenge is to find new and better ways to connect with their constituents using fewer resources, both human and financial.

In the long run, I strongly believe that budget cuts will help to improve citizen engagement. Why? Tighter Congressional office budgets and leaner staff, will force Congressional offices to do more with less. Fewer resources will force Congressional offices to become more efficient and spur innovation in citizen engagement; Congressional offices will seek creative ways to maximize their staff and office funds because they have to – otherwise, they will fail in their mission to serve their constituents. Gone are the days of bigger budgets and ample resources. They must learn to operate on lean, mean, budgets – much like any small business. Leveraging low cost technology solutions, Congressional offices will discover new ways to connect with their constituents.

Some of my thoughts for 2014:

Sentiment analysis: iConstituent introduced sentiment analysis software to the Congress in 2009 with little success; most offices simply did not know how to turn the data into actionable information. The software provided a rich set of information to Congressional offices hoping to better understand how to serve their constituency. However, the question quickly became, “what do we actually do with this information and how do we turn it into action?” Though fairly mainstream at this point, sentiment analysis software is not widely used in government. We may begin to see the use of sentiment analysis software in the Congress this year (again). Still, I believe the same issue remains: what do you do with the data? How do you turn it into actionable information once you have it? How do you use it to better serve your constituents? Aside from the “coolness factor,” it remains to be seen how Congressional staff will actually use this data.

Social media advertising; Congressional offices are spending money on Facebook ads to essentially market to their constituents. Though, some blogs, government watch dog groups and news media are critical of this practice, I believe it has tremendous merit. What’s not taken into account is that social media ad buying in Congress is actually saving taxpayer money; social media ads are less expensive than direct mail pieces – and more effective. The job of an elected official is to serve his/her constituents. Social media is an inexpensive and effective way of accomplishing this. I predict an increase in social media ad buying this year in Congress. That being said, it will still be dwarfed by the amount spent on Franked mail pieces.

Finally, given the state of Congressional office budgets, it’s doubtful that direct mail (Franked mail) will see a spending uptick. Though it’s still the biggest expense overall with regard to constituent outreach, it has been on the decline over the last few years. The use of social media and mass email has taken the place of direct mail in many Congressional offices – and, I believe this is a good thing.

2013 in Review

2013 was a rough year for most government focused businesses; the Sequester and government shut down had a negative impact. However, it also pushed many of us to rethink our business model, and to come up with new ways to connect government and people. iConstituent was formed nearly 12 years ago, out of a simple garage in Anaheim, California. No venture financing, just the blood, sweat and tears of its founders. We had developed a simple, but robust, digital contact tool that allowed elected officials to communicate with thousands of constituents, while tracking results and reducing paper mail expenses. It was a simple concept that took a while to catch on. There were some early adopters of the product, but many elected officials today still do not use this system (or competing systems) to efficiently communicate with their constituents – preferring to spend tax dollars on expensive paper mail instead. Despite the challenges of my industry, iConstituent forges ahead with new and innovative ways to connect government and people – I am proud of iConstituent, its hardworking employees and customers. Together, we are pushing American democracy forward by enhancing the dialog between government and people.

Connected Government is my personal blog. I will share my thoughts and opinions on matters related to citizen engagement, government to constituent communication and more. Thank you for visiting Connected Government.