Following up on our earlier security breach

About a week and a half ago, we reported details on a security breach at Emma that compromised the data of some of our customers. Today, we want to post a quick follow-up and share a few more details with you about what we've been working on since then and what's next.

+ We've conducted more security audits both internally and with outside advisors, and those audits have come back clear.

+ We've continued round-the-clock monitoring of our systems to prevent any additional abuse.

+ We've kept working with customers whose lists were compromised, and we've posted some education here on the blog for customers who've been creating new, more secure passwords.

+ We'll be rolling out our new, more secure password system to all Emma customers in the near future.

+ And of course, we've continued with our standard security and data protection regimens. The safety of your data isn't a goal we'll ever just check off the list and be done with. Security here is always evolving, always improving, and you can always trust that it's a top priority for every Emma staffer.

As always, don't hesitate to let us know if you have any follow-up questions of your own.


About our new password system

The password system upgrade we released to the majority of Emma customers last week is designed to keep you and the rest of the Emma community as secure as possible. Providing great service means providing secure service, and these password system changes are an important part of protecting your data.

Of course, we know that managing a growing list of increasingly complex passwords is challenging (and can be frustrating, too). We thought we'd share a bit more insight into why complex passwords matter and how to make managing them a little easier.

Why the password complexity?
We love keeping things simple here at Emma, but complex passwords are harder to crack — and that's important. Online security for companies like us is a layered system, and we're working on all of those layers, all the time. This password system is one of those layers, and having complex passwords in place gives us extra time to manage and contain any security breach that may occur.

For example, a password with eight characters using just numbers is easy to crack — it would take an average hacker about 10 seconds. If you take that same eight-character limit but use upper and lower case alphabetical characters, that password would take 62 days at most to crack. Add numbers to the mix, and you end up with about 253 days at most. This estimated timeframe goes out to 23 years if you add in punctuation characters. (And while 23 years may seem excessive, we're planning for a future that certainly holds faster computers, more powerful cracking programs and more persistent and skilled hackers.)

Pairing these new complex passwords with Emma's already sophisticated encryption makes it extremely difficult for any hacker to decipher passwords, giving us time to address any security incidents that happen and protect the entire Emma community in the process.
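The arithmetic behind the estimates above, as an added example that is not Emma's own code. It assumes the 10-second figure is the time to try every eight-digit string, which fixes a guess rate of ten million per second, and a 96-character set for the punctuation case (chosen because it reproduces the 23-year figure); all function names are illustrative.

```python
# Added example: exhaustive-search arithmetic behind the post's estimates.
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character-set sizes. 10, 52 and 62 follow from the post's wording; 96 is an
# assumption, picked because it reproduces the post's "23 years".
CHARSETS = {
    "digits": 10,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "upper+lower+digits+punctuation": 96,
}

UNITS = [("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
         ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def implied_rate(charset_size, length, seconds):
    """Guess rate needed to cover the whole keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds


def worst_case_seconds(charset_size, length, guesses_per_second):
    """Time to try every candidate at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def length_needed(charset_size, guesses_per_second, target_seconds):
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while worst_case_seconds(charset_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that is at least 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.0f} {name}"
    return f"{seconds:.2f} seconds"


def report(length=8):
    """Reproduce the post's four figures from its first one."""
    rate = implied_rate(CHARSETS["digits"], length, 10)  # 10 s is from the post
    rows = [(name, humanize(worst_case_seconds(size, length, rate)))
            for name, size in CHARSETS.items()]
    return rate, rows


if __name__ == "__main__":
    rate, rows = report()
    print(f"implied rate: {rate:,.0f} guesses/second")
    for name, duration in rows:
        print(f"{name:32} {duration}")
    # Length can substitute for character variety at the same rate.
    target = 23 * SECONDS_PER_YEAR
    for name in ("digits", "upper+lower"):
        n = length_needed(CHARSETS[name], rate, target)
        print(f"{name}: {n} characters reach the 23-year mark")
```

Every figure scales inversely with the guess rate, so a tenfold faster attacker divides each estimate by ten; adding one character multiplies it by the size of the character set.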

Password details and tips
Your new password will contain at least eight characters, including a combination of capital and lowercase letters, as well as at least one number and one symbol. And just because a password has to be secure, it doesn't have to be difficult to remember. Try a word that's familiar to you, and then meet the security requirements by adding symbols and punctuation. Or take the first letters from a familiar phrase or some song lyrics, and then substitute some of the letters for those more secure elements. (See more tips for creating and remembering complex passwords.)

We also recommend that you change your password at least twice a year … maybe when the time change happens and you're checking the batteries in your smoke detector. It's also a very good idea *not* to use the same password you use for other sites. If it's helpful, you can use a password vault application. These handy programs let you store and organize all your passwords in one place and access them with one master password. Some folks use KeePass, for example — if you've got a favorite, tell us about it in the comments.

Thanks for understanding. We appreciate every single member of our Emma community, and we know that you're trusting us with an important part of your organization. We want to do all we can to honor that trust and work with you to create even more email marketing greatness.

Details on a recent security breach at Emma

We're very sorry to report a recent security breach in Emma's system that has resulted in some Emma account information being compromised. Though a relatively small number of accounts are known to have been affected by the breach, many more accounts were exposed to potential threat, and we've taken a number of precautions (more on that below) as a result.

This morning, we emailed each Emma customer account with details on how their specific accounts were affected, but we also want to create a resource here on the blog with more information and details where we can easily keep everyone up to date.

What happened?

On the evening of September 7th, our regular security monitoring alerted us to suspicious activity and, ultimately, a breach in one of our databases. Immediately, our team began work to identify — and address — the source of the breach and investigate its scope. As our investigation has continued, we've learned that this was a sophisticated, deliberate attack with the apparent objective of targeting the email lists of customers in a particular geographic region of the world. (Since the investigation continues, we're not yet disclosing all of those details.)

In a small number of accounts (about 1% of Emma customers), the hacker was able to export email lists or access usernames and decode passwords to log into accounts and send spam. These customers have already heard from us directly, with details about the breach and an offer to help in any way possible.

In other cases, customer information — including usernames and passwords — was accessible to the hacker. For these accounts, we've expunged all previously stored passwords that may have been compromised and assigned each username a temporary, highly secure password. This step means that any login information the hacker has is unusable. Those customers will be asked to create their own new passwords the next time they log in. We've put in place new password standards to ensure those new passwords are strong and secure, and we'll be rolling those changes out to the entire Emma community soon. See our tips for creating strong passwords.

Some accounts were not affected at all, and at no point was *any* customers' credit card information accessible. That's all stored separately by a third party and is heavily encrypted.

Is it fixed?

We've thoroughly secured what we believe to be the source of the breach, enlisting the help, advice and scrutiny of outside database and security experts. In addition to the regular security scans already performed by an outside monitoring firm, we had an additional audit performed Wednesday night. That audit came back clear. We've set up additional sophisticated, around-the-clock monitoring to protect against and shut down any further abuse. And as we mentioned earlier, we've shut off further account access by this hacker by replacing compromised passwords with secure temporary passwords.

Each and every person who works at Emma knows that a breach in the safety and security of data acutely impacts the brand and business our customers have entrusted us with. And we're deeply sorry not to have met that trust. Going forward, we're committed to doing whatever it takes to make Emma's systems impenetrable and are working tirelessly to make sure things like this don't happen again.

If you have follow-up questions or if there's anything we can clarify, please don't hesitate to let us know. We're here to answer your questions and help in any way we can.

Thanks,
The Emma team

Tips for creating a complex password

The tough part about creating a strong password isn't making it up … it's remembering it. So the challenge we all face is creating passwords that are both hard to guess *and* easy to remember. These tricks are ones that security-minded geeks like me use to create effective passwords that are both memorable and strong.

Start by creating a base word by using one of the following ideas:

1. String together the first letters of a familiar group of words. Song lyrics, poems and famous quotes work great.
2. Connect small, unrelated words together.

Once you have your base word, modify it by using some of the following ideas:

  • Capitalize a few letters, while leaving the rest lowercase.
  • Substitute numbers and symbols for similar-looking letters.
  • Add some symbols to the beginning or end of the word (this can help if your word is too short to meet password length requirements).

Here's how it comes together:

For my base word, I'll use the idiom: "Life is not a bowl of cherries."

String the first letter of each word together to form the following base-word:
linaboc

Modify it by capitalizing some letters (A and C):
linAboC

Make some numeric/symbol substitutions (i=!, l=1)
1!nAboC

Finally, add a symbol (?) to get the final password:
1!nAboC?

Here's another example:

Let's string "bat," "toe" and "up" together to create the following base word:
battoeup

Capitalize some letters (O and P)
battOeuP

Substitute some numbers and symbols (a=@, t=7)
b@77OeuP

And add a symbol (!) to finish the password:
b@77OeuP!

If you always use consistent modifications, you'll be able to remember how to re-create the password.

For example, you could…

  • Always capitalize the third and last letter of the word.
  • Always substitute @ for a, 7 for t, ! for i and 1 for l. (Be aware that these examples are frequently used substitutions, so it's best for you to come up with your own.)
  • Always add a question mark at the end (or two, if that's what it takes to get to the minimum password length requirement).

Remember that Emma's new password system requires at least eight characters, including a combination of capital and lowercase letters and at least one number and one symbol. Hopefully, these tricks will help you create strong passwords that meet Emma's requirements and are easy to remember.
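A sketch of how a signup form could enforce the policy restated above and also act on the caveat about frequently used substitutions, as an added example that is not Emma's code. The function names, the extra substitutions beyond the four the post lists, and the small denylist are assumptions constructed for illustration.

```python
import string

# Policy as stated in the post: at least eight characters, capital and
# lowercase letters, at least one number and one symbol.
MIN_LENGTH = 8

# Substitutions named in the post, plus a few other common ones (assumed).
SUBSTITUTIONS = {
    "@": "a", "7": "t", "!": "i", "1": "l",   # listed in the post
    "0": "o", "3": "e", "$": "s",             # assumed additions
}

# Constructed sample denylist; a real deployment would load a much larger one.
DENYLIST = {"password", "letmein", "welcome", "qwerty"}


def policy_failures(password):
    """Return the names of the policy requirements the password misses."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("symbol")
    return failures


def base_word(password):
    """Undo the usual decorations to recover the underlying base word.

    Trailing digits and symbols are treated as padding and dropped, the
    remaining characters are mapped back through SUBSTITUTIONS, and the
    result is lowercased.
    """
    trimmed = password.rstrip(string.digits + string.punctuation)
    return "".join(SUBSTITUTIONS.get(c, c) for c in trimmed).lower()


def evaluate(password):
    """Return (accepted, reason) for a candidate password."""
    failures = policy_failures(password)
    if failures:
        return False, "policy not met: " + ", ".join(failures)
    word = base_word(password)
    if word in DENYLIST:
        return False, f"reduces to common word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    # The post's two worked examples plus two constructed candidates.
    for candidate in ("linaboc", "1!nAboC?", "b@77OeuP!", "P@ssw0rd!", "Welcome1!"):
        accepted, reason = evaluate(candidate)
        print(f"{candidate:12} base={base_word(candidate):10} "
              f"{'accept' if accepted else 'reject'} ({reason})")
```

Both of the post's finished passwords pass, while `P@ssw0rd!` and `Welcome1!` satisfy every character rule yet are rejected because they reduce to denylisted words, which is why the base word matters more than the decorations.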

Celebrating the email marketing greatness of 30,000 Emma customers

We just reached an exciting milestone here at Emma — we welcomed our 30,000th organization to the Emma community of email marketers.

To celebrate the fantastic work of all our clients, we're recognizing three customers from different points in Emma history. So get to know our 300th, 3,000th and 30,000th customers, and see how each is making the most of Emma and doing all kinds of savvy things with their email marketing. And thanks to all our fantastic customers for being a part of the Emma Community. Keep up the great work!

300th customer

Team Green Adventures | Campaign
Team Green Adventures, an eco-friendly outdoor adventure organization, leads outdoor treks for Middle Tennessee with a focus on health, sustainability and community. Team Green Adventures was created in 1996 by Nashville's independent radio station, Lightning 100, and they opened their Emma account in 2004. Since opening, they've created more than 450 campaigns and are now sending to nearly 4,000 subscribers, up from around 600 in 2005. No doubt their subscribers love Team Green because they can participate in activities like this. And this. Oh, and this.

Keeley Reed, Director of Team Green Adventures, says, "Emma has been wonderful to work with. Team Green Adventures does a survey of our participants every year and the number one way that our participants learn about our upcoming events is through our weekly newsletter." Keeley uses Emma's response metrics to guide their outreach. She says, "It's great to see how many are clicking on our event links and gauge which events will need more promotion. The open rate feature has also helped Team Green Adventures get sponsorships by proving that our marketing gets results."

See a recent campaign
Visit their website

3,000th customer

YWCA | Campaign
The YWCA of England and Wales found Emma in 2006, and they've been sending monthly newsletters since. They lead charity efforts to support teen health and fill their newsletter with teen stories, women-centered events and volunteer opportunities for their subscribers.

Says Kate Bailey, YWCA's Supporter Marketing Director, "Since we started using Emma in 2006, the number of YWCA supporters on our email list has grown to be larger than the number of people on our postal list. We are able to update our supporters quickly and cheaply by email about how their donations help our work and campaigns we are working on that they can join in with."

Their news reaches close to 5,000 recipients, and they're continuing to expand their email marketing strategy — in 2009, they employed welcome triggers and are seeing an impressive 52% open rate.

Also in 2009? Kate ran a half marathon in a fancy dress. Now that's a gal close to Emma's heart.

See a recent campaign
Visit their website

30,000th customer

Counter Culture Coffee | Campaign

Counter Culture Coffee is committed to "social, environmental and fiscal sustainability." They're also committed to darn good coffee. Their training centers offer classes from milk chemistry to comparative cupping, and every Friday they offer 10 am tastings at their Durham location. (What is milk chemistry, you ask?)

These roasters are also savvy email marketers. Nathan Brown, their Online Services Coordinator, says, "With Emma, we can create event-triggered emails with performance monitoring previously unavailable to us." And they offer their subscribers 20 interest areas to choose from upon signup — coffees from Africa, custom blends, espresso, origin/trip reports and more — which allows Counter Culture to segment their audience and target specific audience groups.

Sound enticing? Sign up for their newsletters here.

See a recent campaign
Visit their website

Thanks again to all of our 30,000 customers — and the many people at each of those organizations who use their Emma service to create stylish emails and surveys every day. We look forward to getting to know even more of you on the way to our next milestone. (And we hope someone will be on hand with tasty beverages once we get there.)

Incentives, follow-up and other helpful survey know-how

Part four of four: Making sure you get some answers for that carefully crafted survey.

Giving an incentive, as Emma customer Babelgum recently did, can boost your number of survey takers.

So, you've designed your survey questions and answers, you've picked your recipient list, and you're ready to start collecting data. The next big challenge is designing your survey invitation so that people do you the honor of actually responding to your handy survey.

First, set a clear time-expectation on the front end.

This is crucial. We all hate that "standing in line at a theme park"-like experience when we're taking a survey, when after completing 18 questions, we realize we're only about 20 percent through the survey. Being respectful of your respondents' time investment is important, and setting the right expectation will keep them from abandoning your survey and jumping in line at the log flume. Here at Emma, we even did a split test once and discovered that more people took our survey when we mentioned that it would only take five minutes. (You can read about it here.)

Then, weigh in on human nature.

Using language like "we need your help" (or a milder version like "your feedback is valuable") can be a good way to get people emotionally involved. The feeling of being needed can be a powerful motivator.

Next, draw a connection between their participation and an outcome.

You can do this in two ways.

The first outcome connection you can make is results-oriented. If you're surveying your loyal customers or people who have a vested interest in your results, you can let them know what decisions you're making as a company based on the information you receive. This set of customers may be inspired to participate just from the knowledge that they will be taking part in the brand experience, or that they will be getting something from the results.

An example of a results-oriented survey incentive is the recent census survey. They launched a campaign alerting the public that the results would affect everything from budget allocation for hospitals and schools to the state's seats in the House of Representatives. That education campaign was expensive but likely had a great impact on their return rate, which was 72 percent (which is pretty good, in my opinion, for such a large recipient pool).

Alternatively, you can use a prize-oriented incentive. This can be a good option if you're not quite sure that your customers are going to participate based on their love for your brand. This naturally includes the old "you'll be entered to win a free thingamajig" incentive, which can be a nice complement to subtler incentives. The reward can range from being entered to win one huge prize (large prize with a low win percentage) to earning a coupon just for completing the survey (small prize with a high likelihood of winning). Choose what works best for your budget and which type of nudge you think will inspire your audience.

Lastly, be sure to follow up with your respondents.

The ultimate reward for taking a survey is seeing that your opinion counts, so be sure to alert your respondents of the decisions you make based on their feedback. Don't forget to close this loop, if you can – it demonstrates a devotion to your customers' opinions that is hard to beat.

More from our recent survey series:
The 'when' and 'where' of surveys
The 'why' of customer surveys
The 'how' of creating an effective survey


August design showcase: sampler edition

Welcome back, fellow lovers of style. With summer winding to a close, we're reflecting on some of our favorite stationery creations of the season. Each of these completely custom Concierge Designs achieves a perfect balance of client concept and designer imagination. Let's get started, shall we?

Riverbank Arts

Client: Riverbank Arts Centre
Emma designer: Elizabeth Williams
Design level: Concierge Design

Located in Ireland, the Riverbank Arts Centre is a venue dedicated to film, theater, music and workshops for children. Riverbank came to Emma with a unique illustration-themed website in place that changes regularly depending on the season. Their goal, however, was to create a stationery that drew in elements of each illustration without creating a season-specific design. Elizabeth pulled several elements from the website, including a watermark-style image of animated characters to echo the audience in the footer. The result is a seamless connection to the Riverbank brand that they can use confidently all year long.

Sagra Trattoria

Client: Sagra
Emma designer: Jennifer Kasdorf
Design level: Concierge Design

Sagra is one of Austin's premier Italian restaurants. Their atmosphere is as important to them as the quality of the food – and that's saying a lot! The menu is fashioned after the bistro-style meals served in Italian railway stations, and they wanted their email campaigns to match their existing branding. Jennifer based the design on their logo and added a darker texture to give an antique sensibility to the header. Its simple, logo-focused design is flexible enough for a quick message (such as their welcome trigger mailing) or a longer newsletter featuring images of their tasty offerings.

Crystal Jones Photography

Client: Crystal Jones
Emma designer: Kelly McClain
Design level: Concierge Design

Crystal Jones is a talented photographer from Sacramento, California, who described her website as simple, clean and modern with a hint of whimsy. She loves her logo, but she wanted something a little bit playful added to the stationery. Though she couldn't pinpoint the exact element she wanted, she provided Kelly with links to other websites that accomplish that special something. Kelly chose to add concentric circles for a Méliès-style wave effect, plus some subtle texturing in the header background to add depth.

Agent06: Keller Williams

Company: Agent06
Emma designer: Jessica Peoples
Design level: Concierge Design

Angela Barnshaw is the owner and lead listing specialist of Agent 06 in south New Jersey. Having worked with Jessica on stationery in the past, Angela was confident that Jessica was up to the task of combining some existing stationery elements with the colors and logo of Keller Williams. The real estate industry is a field that requires a combination of business savvy and hospitality, and that can be challenging to convey. Jessica chose flowers and a scripted font for Angela's signature. Both elements add warmth, while the Keller Williams and Agent06 names convey the seasoned business experience that's so important.

It's been a busy season for our Emma designers, and we look forward to our next opportunity to help you with some stylish stationery.

Until next time … cheers from your entire Emma Design Team.

Meet Cheekwood

How a museum used email and surveys together to make the most of a stunning Dale Chihuly exhibit.

This summer and fall, Nashville's Cheekwood Botanical Garden & Museum of Art is the temporary home to spectacular glass sculptures by internationally acclaimed artist Dale Chihuly, and the museum extended its normal hours to allow visitors to experience the exhibit in the evenings. Chihuly's work is a sight to be seen any time of day, but artistic nighttime lighting transforms Cheekwood's grounds into a wonderland and transports you — at least mentally — away from the thick, humid Nashville air to an otherworldly place.

While the folks at Cheekwood had planned on offering extended hours on Thursdays and Fridays, overwhelming support for the exhibit made them consider adding another night of Chihuly goodness to the calendar. Rather than just assuming it would be well received, they empowered their email subscribers to make the call.

With Emma's survey feature, Cheekwood sent a short, stylish campaign (using their stunning Chihuly-themed custom stationery) inviting members, subscribers and volunteers to weigh in on the possibility of making Wednesday evening yet another time to drop by and take in the exhibit. They linked to an equally stylish survey, in which they posed the question, "Do you think Cheekwood should add Wednesday evening to Chihuly Nights?" and then gave survey-takers a chance to include comments to support their answer.

The response was fantastic. The campaign containing the link to the survey was emailed to more than 13,000 audience members, and more than 31% of them opened the email. Nearly 2,000 recipients clicked on the link to take the survey, which overwhelmingly favored adding Wednesday as a new Chihuly Night.

It doesn't end there, though. The Cheekwood staff created a follow-up campaign to announce the new night and to thank their subscribers for taking the time to give their input. They even shared the survey results (a whopping 94% were in favor of adding Wednesday nights) along with some of the great comments survey-takers offered up in their responses.

This was Cheekwood's first survey using Emma, and we love the way they kept it simple. They focused their approach on learning the opinions of those closest to the organization, and they thoughtfully followed up with the outcome, letting those email subscribers and Chihuly-enthusiasts be the first to hear the good news.

Is your baby’s button ugly?

Another way effective email design can make your campaigns more effective: Get all your buttons to look just right.

I know the feeling. You've crafted what feels like the perfect email. The photo totally complements the concise and appealing description of your new service. The label for your call to action is clear. You just know people are going to click it and take that next step. Everything's ready. You take a deep breath, and send your baby out into the world. You've worked hard, and you're proud of that baby of yours. You wait for good things. And you wait. And you wait some more. But nothing happens.

What went wrong? Why aren't people clicking your call to action? Well, it's time to get honest with yourself. Your baby's button may be ugly. The label is fine. But that button design isn't going to win her any ribbons at the county fair. You see, that button doesn't have enough perceived affordances. Don Norman is credited with introducing this term to the design world, and it refers to "those action possibilities that are readily perceivable by an actor." In other words, there are certain qualities of an object, in your case a button, that help people understand what they can do with it.

Let's take a closer look at a button. Maybe you're creating a campaign to announce your new lunch menu (because your new paninis are quite tasty). Besides showcasing a great photo of said panini, you really want your customers to click that button so they can check out the new menu on your website.

The first question to ask yourself is whether it looks like a button. Not really. It looks more like a rectangle with a border. Second question, does it look clickable? Maybe. It's pretty flat, but it is different than the photo and the text. Of course, no one wants to settle for maybe – fortunately, it's easy to add perceived affordances and make that button more effective.

This revised button looks more clickable than the old one. (The fancier way of saying this is that it demonstrates a higher level of affordance.) I know it's tempting to be totally unique from a design perspective — and you can be if you keep affordance in mind — but it's often more effective to use a design convention that's already out there instead of dreaming up something new.

Sure, your button might look similar to another one, but who cares? Your audience members know that it's a button, and they know what usually happens when they click one. They don't have to figure that out. It's one less thing for them to think about. Using a button with more affordance eliminates a barrier. And let's face it, you're competing with a lot of other noise out there (digital and physical). Why not help your subscribers get to your content – and to those delicious paninis – more easily?

The “when and where” of surveys

Survey know-how series, part three of four:
Using Emma surveys can help you plan and streamline events.

Now that we've explored some of the best reasons to survey your customers and some things to keep in mind while you're designing a market research survey, let's take a look at another useful application of this free, integrated tool. Planning an event to support your business can be complicated and time-consuming to manage. But using email and surveys together can really streamline the communication and let you focus on, you know, the event planning.

Many of our savvy customers are using the survey submit button to collect event RSVP information. This pairs easily with an invitation email, which can provide event details and a link to the RSVP survey.

For example, consider this. You have an event coming up, and your goal is to invite your customers, while hopefully spreading the word to some prospective customers as well. But you need to know how many beanbag chairs to set up, so you'll be asking people to RSVP. Well, you can use an email campaign as the actual invitation, and then use a survey to collect RSVP responses.

Here's how:

  • Design a survey that asks the RSVP information you need.
  • Create an email campaign with all of the details of the event itself. This is your invitation.
  • Ask people to RSVP by linking to your survey in the email. Voilà.
  • You can even add our Social Sharing feature to your email if you'd like your recipients to be able to share your invitation with others.

This format lets you ask exactly what you need to know: Can you attend? Will you be bringing a guest? Will you be bringing s'mores as your potluck dish? (In that case, you can bet that a few Emma staffers will be there too.)

Once you've heard back from your audience, you can easily organize the responses so that you can report back to your caterer (yep, better order some more marshmallows) and get in touch with those who responded. For example, a timely "Directions and Parking" follow-up email to those who said yes can minimize both frantic inbox-searching for your clients and day-of phone calls for you. Or, after the event is completed, sending a follow-up survey soliciting feedback and suggestions can help you continue to improve.

Also, that whole link-to-the-RSVP-form-straight-from-the-email thing makes *actually* responding a lot easier for your recipients. That way, hopefully you and your staff will only have to say 's'il vous plaît' a few extra times.