Subscriber Discussion

Customer Case Studies - How Much Is Too Much Detail To Give Out On The Web?

JH
Jim Hall
Mar 27, 2014

Link hoppin' I happenstanced across a couple of dealer web sites that seemed to have a whole lot of detailed information about their client getups, apparently for the purpose of showing how good a job they do at keepin' their clients secure. Didn't seem altogether right to me...

Do y'all have any general guidelines when it comes to balancing the marketing needs of the business with the security of the client? Or is just the Wild, Wild, West out there?

JH
John Honovich
Mar 27, 2014
IPVM

Most manufacturers share case studies writeups to their end users before publishing to make sure they have permission and that there are no issues / details that they do not want disclosed.

However, I have seen some companies just run case studies on their own. I was the victim of one when I was an integrator. An idiot manufacturer ran a press release unbeknownst to us and our military end user. Suffice to say, that created a lot of problems.

So the guideline is run things by the end user and get explicit permission.

JH
Jim Hall
Mar 27, 2014

So the guideline is run things by the end user and get explicit permission.

Well in this case I think the owner is aware of the copy, since his name was at the bottom.

But on top of that it has several close-up pictures of the actual gear mounted in their outdoor locations. The power runs and circuit breaker dependencies seemed to me unnecessary information to post out in the open, on a publically available website.  These page can be googled by just using the "customer name" and "security system".  And there's a whole mess of other customers detailed specs displayed also. Matter of fact all customers galleries shown contain this level of detail.

So I guess I what imma askin' is would you even ask your customer if it was ok to publish this level of detail on a googlable page?  Cuz the reality is that if your customer is counting on you to make him safe, he is gonna trust your opinion on what is safe. Therefore you shouldn't approve of anything that would make him less safe.  Tell me I'm just a nervous Nellie and I'll shut my trap...

JH
John Honovich
Mar 27, 2014
IPVM

Just because his name is there does not guarantee he gave permission. He probably knows about it but unless the manufacturer notified him, he may only find out if someone stumbles upon it.

Companies use IPVM in promotions periodically but that does not mean are aware (nor allow it).

In the case you are sharing, this is much lower level than I typically seen and something a reasonable end user would likely object to.

Avatar
Ari Erenthal
Mar 27, 2014
Chesapeake & Midlantic

I move we make "googlable" a real word, spelled just like that. All in favor?

RW
Rukmini Wilson
Mar 28, 2014

No link? That's not like you Jim... ;)

JH
Jim Hall
Mar 28, 2014

Well now its not really about the actual website, it wax more to just to kick around the guidelines in general, than to sling mud. That's why I took out any identifying names or places from the images.

My mammy didn't raise up no snitches! :)

RM
Ravi Malhan
Mar 27, 2014

My two cents :

" How much is too much " : the only entitled judge is the customer whose site is being described. In my country, you can land into serious trouble if you have such marketing case studies without clear prior approval of the customer.

Secondly the minute technical details in the case study that you forwarded are so boring. Does not make a great reading. It not only compromises sensitive customer details, it also ends up as ordinary marketing.

JH
Jim Hall
Mar 27, 2014

Howdy Ravi!

To be fair to the dealer, I think at the very least he has told'em that he made a write-up and such. I cropped out the part of the image that had the customer name as well as a customer contact person (to give a reference?) with a phone number. 

It not only compromises sensitive customer details, it also ends up as ordinary marketing.

That was more my general point, why ask your customers to do somethin' that could compromise their own system? Even if they would agree. Just so you can sell more systems?  

In this case it looks like the project is part of public infrastructure, so who is the real owner anyway? What would you even say to a customer if their system was taken out like an 'inside job'?

Here's one of the three detail pictures:

Avatar
Ari Erenthal
Mar 27, 2014
Chesapeake & Midlantic

While I normally think security through obscurity is silly, giving away the entire store is just as silly. I would have no problem doing a case study in most cases- better to let any interested parties know that security exists and is taken seriously- but I'd keep a few details to myself, including passwords, vulnerabilities, and a detailed list of the security staff's home addresses and greatest fears.

JH
Jim Hall
Mar 27, 2014

Ari, do you have a client list that you use for marketing? What sortsa things do you share? How do you share, public web, private web, nda?

Avatar
Ari Erenthal
Mar 27, 2014
Chesapeake & Midlantic

We don't share nothing, but that decision is made over my pay grade. That said, we're just resellers, not integrators. When I was working for integrators, I encouraged them to share case studies in, for example, local papers and location-specific or industry-specific blogs.

JH
Jim Hall
Mar 27, 2014

Thanks for sharing about not sharing. ;)

And congrats on the birthin' of the fruit of your loins!

How many little trunkslammers does that make?

Avatar
Ari Erenthal
Mar 27, 2014
Chesapeake & Midlantic

Three little trunkslammers bumping into things, not documenting runs properly, scribbling work orders and invoices with crayon, and generally being unprofessional.

UE
Undisclosed End User #1
Mar 27, 2014

Jim, perhaps you may blowing things out of proportion a bit. Maybe a bit of fear-mongering to be talking about 'inside jobs'! This is bread and butter cctv stuff, not Oceans 11!.

The great majority of hoodlums and b&e types aren't gonna think to look stuff up on the internet to see how the main breaker is wired to the switch or use google earth or read the Engenius manual to find the where the reset button or any of that crap, Sheesh! Unless they are storing gold it doesn't have to be Fort Knox.

You say the customer probably knows that at least some of his details are in google, why not leave it at that?

Maybe the installer gave him a deal on the system asked for a customer reference in return for what the installer knows in his heart is at best is a slightly elevated risk of incidence. Or maybe parts of it are made up to trip up the would be internet theives. Had you considered that possibility? But you do need to consider the fact that installers need to do marketing like anybody else and so just like you can't do a job for no pay, likewise you shouldn't have to do a job without PR. Its about putting food on everybodys table.

Hope I didn't seem to harsh, if I did its probably just because I just ended a 10hr shift myself. Good points though, Jim.

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions