"Social media exploitation - Facebook scams in particular - has officially taken the crown for the most commonly used method into an organization's network", according to a blog by ZeroFox, quoting Cisco's 2015 Midyear Security Report.
As I've been telling anybody who will listen, cyber security is the challenge of our day, and marketers need to take it seriously.
To gather and pass on cyber intelligence, I interviewed Joseph Schramm, VP of Strategic Alliances at BeyondTrust, a global cyber security company dedicated to proactively eliminating data breaches from insider privilege abuse and external hacking attacks.
How Has Cyber Security Become Marketing's Responsibility?
Marketing collects tons of Big Data and - in the simplest terms - if malicious actors get to your data, your brand can be tarnished.
"CMOs are tasked with brand management, and a brand's reputation is likely to be the most visibly damaged asset in the aftermath of a breach. Likewise, data-driven marketing is fueled by customer trust. Preparation, protection and responsiveness are key to containing the damage and preserving that trust.
The cyber stakes are higher than ever before, and we're not just talking about personal information and identity theft any more. High-level corporate secrets, vital infrastructure and brand image are constantly under attack." - Steve Durbin, Managing Director, Information Security Forum (ISF).
You might have heard by now that the majority of security threats come from the inside - your own employees are most likely to jeopardize your cyber security, either due to naiveté or because they are bad apples.
Source: Security Intelligence via IBM.
Of course, the list of external malicious attacks (accounting for about a quarter of all breaches) is increasing, including phishing, hacking, mimicking, click fraud, malvertising and the next thing you haven't heard of yet.
To quote Steve Durbin once more:
"With the increased use, integration and interconnection of mobile devices, the network perimeter is blurry and porous, complicating security efforts. Marketers must incorporate security frameworks into their strategic marketing plans and determine how to solicit and deliver valuable customer insights safely."
Hence, I call brand and reputation management one of marketing's key responsibilities in 2016. Protect your customer data and don't end up in the news for the wrong reasons.
So What Can Be Done?
Of course, appointing a Chief Security Information Officer (CSIO) is great if you have the resources, and collaboration between executive functions is a must. But companies of any size can create a security culture by educating their employees about (ever-evolving) cyber threats and limiting admin privileges to sensitive data.
Data-driven marketing has been a key driver of competitive differentiation via improved customer experience, but it also means that marketers are collecting, storing and accessing more data than ever before, and as such, marketing has become a major target for hackers.
Personally, I don't see a way forward without using technology and services to protect a brand's reputation, even though that might be a daunting prospect for many companies. If anything, I see the cyber threat growing.
Data-driven Marketing Relies on Technology = Digital Transformation
The creation of the Chief Digital Officer (CDO) role acknowledges the inevitability of digital transformation and the need for technology in modern marketing, even though currently only 20% of companies have one. As an ex-SAP employee, I've been following with interest how Jonathan Becher moved from being SAP's CMO to becoming their first CDO.
According to CIO.com, CMOs are starting to outspend CIOs. Sarah K. White writes, "CIOs were traditionally at the helm of technology adoption, but as more marketing departments use their budget on technology spending, the role of the CMO in IT is rising".
As a marketer, you are part of this movement, no matter what your role is.
Do I Have Your Attention?
In the following interview, Joe Schramm provides answers on how you can protect your brand and customer data:
Natascha: Is it actually possible for a brand to guarantee the safety of their customer data?
Joe: Honestly, no. There is no ambiguity here. There are just too many attack surfaces available to the bad guys to go after and it is growing at a rate that exceeds the cyber communities' ability to protect.
Furthermore, the attackers' level of sophistication is very high. The best we can do at this point is to continue to drive more proactive and preventive measures into our infrastructure. Solutions that provide a high degree of automation and are low-touch from an administrative standpoint are key.
There is a massive shortage of skilled cyber professionals in the market, so for a lot of organizations, even if they wanted to purchase and deploy more advanced solutions they may not have the manpower to do so.
I'm hopeful that the use of emerging technologies like UBA and AI will start to tip the scales in our favor. Firms like Cylance and Core Security are making good use of AI in their solutions but even Cylance claims only 99% and not 100%. BeyondTrust is a good example of a solution stack that is making use of UBA and will continue to advance that going forward.
Natascha: What do you see as the three biggest cyber security threats to brands in 2016?
Joe: Reputation damage is certainly number one, business disruption/continuity is another big one and the first two lead to number three, which is financial losses that stem from customers' unwillingness to spend and/or an inability to transact business.
The example of the day is the reported Wendy's breach. Have I been to a Wendy's recently? Sure. Did I use my debit card for the purchase? You bet. Do I now need to worry about my bank account? Of course. Will I feel good about going there any time soon? Probably not.
I had two other issues in the last two months involving credit card fraud with two different cards. One, I believe, is tied to a breach at the issuing bank. The other is tied to only one of three possible purchases I made through an online retailer. It's madness.
Natascha: What options do marketers have to keep their companies and client data cyber safe?
Joe: I think there are a couple of options.
There are at least a couple of primary ways to look at it:
1. How do I prevent the breach?
2. How do I contain the breach once it's happened?
3. How do I mitigate the risk from recurring?
For number one, there are some new and emerging solutions that are more proactive and predictive in nature. Organizations need to adopt more automated ways of assessing and monitoring risk through the lens of the attacker.
For number two, in addition to creating the "walls of defense" organizations need to do a better job of protecting the keys to the kingdom. Identity, password and privilege management are all important to get control of. Once the bad guy is in the hotel, you need to prevent them from getting access to the elevator and ultimately the room, where all the important stuff resides.
Finally, number three, to solve the problem, you need to understand and not just throw another technology and vendor at it. Sometimes, simple changes in policy and behavior can mitigate the threat from happening again.
Natascha: Target is one of the companies that has drawn public attention to the dangers of third parties, when it comes to cyber security. It seems that so many times there is a weak link in the chain that we can't control. Or can we?
Joe: Right, this is very difficult and as I mentioned earlier, the chain is getting longer. There are more attack surfaces and entry points for the bad guys to exploit.
Mobile devices, IP-enabled industrial control systems, even our home appliances, just to name a few, are developing into new attack surfaces that can be exploited.
- Applying proactive thinking and approaches to the problem will help.
- Layered defenses will help.
- But there are more layers to protect and more connections that exist. It's a complex problem that is growing exponentially.
Unfortunately, in the case of Target, they taught us that teams need to be honest about the problems they have, communicate the real threats, and build a plan to mitigate them, and not ignore threats from any location.
Target did sign off on compliance requirements but ignored fundamental best practices that contributed to the breach. They've gotten a bad rap not only because they were breached, but the fundamentals pertaining to security from the endpoint to database and IoT were never resolved or probably just overlooked due to lack of expertise/manpower, cost to remediate, or just plain denial.
Natascha: Let's take a detour to some of the basics: what are three things our readers can do today to improve their chances of staying cyber safe?
Joe: I think on a personal level there are a few things you can do:
- Password rotation... change them frequently. This can be painful because they can be hard to remember. I probably have over 20 sites with usernames and passwords that I try to change with some level of frequency. Using complex passwords is ideal; keeping track of them is not. Consider using an app that will help you manage that. Whatever you do, don't write them down.
- This one is not entirely in our control as consumers, but the use of two-factor authentication is another good idea. Adding a layer of complexity for access to important sites like bank accounts, etc. is very important. Some people complain about this - I complain if an important site is NOT requiring it. If you think a site should have this and they don't, go make some noise about it.
- Make sure your credit cards are current with embedded chip technology. The rub here is that only a fraction of merchants have POS devices with chip readers, but I expect this to change quickly and become more mainstream.
- Make sure your home Wi-Fi is secure and never do anything important (e.g., online banking) over open public networks (e.g., Starbucks). Even doing online shopping over these networks is risky, as your credit card information is probably not encrypted.
Natascha: Are there any particular tips for social media and cyber security? Is there a way to make sure a tweet I send does not have a compromised URL or my banner is not malvertising?
Joe: I just recommend using common sense and thinking of all the security training you have been exposed to.
A well-crafted attack can compromise anyone - and I mean anyone, even the most trained and experienced security individual. So, before you tweet, check the link. If you have space, use the full URL versus a shortened one, and if possible, never send questionable sites publicly.
Always think safe computing before you hit send - sounds corny, but it works. There are some companies out there entering the market who are focused on social media security. This is an area worth investigating to see if they can help in that regard. ZeroFox is an example of a vendor focusing on this segment.
Natascha: Bonus Question: What should a company do if they find out they got compromised?
Joe: I think they need to act very swiftly, both in terms of dealing with it internally (determine cause, assess scope of damage, etc.) but also externally in terms of notifying their customers.
They should also be proactive about offering what they can to help offset the risks to their customers. Certain industries are required by law to disclose (e.g., healthcare); I think all organizations should follow suit and be responsible. You also need a plan. If a breach occurs, what is your documented strategy for how to deal with it?