When we think of cyberattack victims, we generally think of large banks, electrical grids, military contractors and government departments. Marketing teams might not see themselves as targets, but together with other professional services companies, such as law and accounting firms, they represent the soft underbelly of the economy.
Most marketing agencies are relatively unprotected from attacks yet hold highly sensitive client information. For example, they often have privileged access to pre-public market-moving information, such as product announcements and earnings releases for their clients. Intruders can use this information to great financial gain.
In one five-year cybercrime campaign, Ukrainian hackers raided newswire services in New York and Toronto to get advanced copies of press releases. They passed them to fraudsters in the U.S. who traded on this information, making millions in profits.
Along with individual survey results and marketing lists, marketing companies may also hold personally identifiable information (PII), including financial information such as bank account and credit card numbers. Losing information like this in a data breach could leave them on the hook for financial penalties from regulators, not to mention multi-year credit protection costs, or even class action lawsuits.
Marketing teams can lose this information in several ways. The first is by using porous technologies that can unintentionally leak information.
Marketing teams often work with distributed teams, such as designers, writers, web programmers, and experts in online metrics, or subcontract any one of these services. They use a range of online technologies to get the creative work done and then share it with different organizations. Marketing departments’ online tools extend to marketing automation, CRM and other collaborative services, like Trello and Slack.
In many cases, this fast-moving approach creates a chasm between marketing and the IT security team, which can find it challenging to secure what the creatives are doing.
According to RSA’s 2018 CMO survey, 17% of IT professionals believe that marketing departments are likely to use shadow IT resources, procured independently from IT and therefore falling outside its management. IT employees are almost twice as likely as marketing employees to think that marketing uses workarounds to circumvent security controls, whether intentionally or unintentionally.
These tools can be a playground for intruders. For example, Adobe Acrobat – a hardy perennial for marketing organizations – is a constant target of malware attacks. Trello, which is used by 6% of in-house marketing departments, has been a security nightmare for users who misunderstand its settings. Companies have unwittingly exposed internal data via the service, including login credentials for social media and other online resources.
Another popular tool for marketing professionals – and a major source of breaches within the marketing industry – is the electronic document signing service DocuSign. In May 2017, the company admitted that a series of malware phishing attacks targeted its customers after its own computer systems were breached. The attackers used email addresses stolen from DocuSign to distribute malware in the guise of genuine documents from the company.
Attackers also use DocuSign as the basis for credential harvesting. They send emails purportedly from the document signing service that, instead of delivering malware, point victims to a fake website and persuade them to log in using their DocuSign passwords. This gives the attackers access to their DocuSign accounts and all the sensitive information therein. eSentire, which monitors internet protocol traffic around the globe, found that DocuSign phishing attacks hit marketing the hardest of all sectors in Q2 2018.
Phishing can also spill over into another dangerous form of attack that similarly relies on human weaknesses: business email compromise (BEC). After scoping out a victim at a company, the attacker will email them with an urgent demand to pay an invoice. This email will often appear to come from a senior executive within the company, whose email account the hacker may even have compromised. The victim, flustered by the sense of urgency and the apparent authority of the email, will often pay without question.
BEC attacks affect many different industries. In the marketing sector, eSentire has seen attackers threaten victims with trademark infringement suits unless they pay up to settle a trademark violation. The allegations will be fabricated, but rather than checking the validity, marketing departments will often pay up to make the problem go away.
In many cases, it is easier for criminals to simply encrypt data and demand a ransom than it is for them to steal it. Ransomware is a fast-evolving category of malware that has affected many different sectors in the knowledge economy. Marketing and advertising companies are no exception.
In June 2017, advertising giant WPP fell victim to a ransomware attack that blitzed its network, causing many employees to give up and go home as they lost access to files and email. The company was forced to mail its various agencies warning them to disconnect Windows-based computers and servers. While WPP was simply a drive-by victim in a massive ransomware campaign happening at the time, it throws the dangers for marketing organizations into sharp focus.
Protection from Attacks
How can marketing departments make themselves harder to attack? Here are some key pointers:
- Employee education – The term PEBKAC sums it up: the problem exists between the keyboard and the chair. The biggest cybersecurity vulnerabilities are always human. Train employees to spot phishing attacks and avoid clicking on unrecognized links or blindly opening files. This involves not just regular education sessions, but a broader campaign to drive security culture into the company.
- Due process – Put controls and protocols in place for dealing with the creation, storage, and dissemination of data – especially sensitive marketing data. Have policies to control who has access to data and how it is sent (encrypt the data!). When it comes to finance, ensure that there is a chain of command and a separation of duty, so that it takes multiple people to sign off on transactions. A little friction can be a good thing.
- Work closely with IT security – Security considerations can easily slip through the gaps unless they are managed properly. Engage IT departments to help vet and manage the technology that the marketing department uses. Try to find company-approved options with strong security controls in place. If you don’t have a dedicated internal IT department or security team, then hire an outside professional to help.
- Sanitize access – Get IT’s help setting up two-factor authentication to make access more secure. Avoid sharing passwords, even if it means paying extra for more access to online accounts.
Cybersecurity is a wide-ranging activity with many moving parts, but armed with these basic measures, marketing professionals will at least have a fighting chance at protecting their data from compromise. A robust cybersecurity strategy will help marketing agencies to get their clients’ messages out, while preventing harmful agents from getting in.