Marcomm agencies: You’re next on cyber attackers’ hit lists

by | Aug 2, 2019 | Analysis, Public Relations

When was the last time you reviewed your agency’s cybersecurity policy? Do you even have one or know what to do in the event of a data breach? Do you know how a breach would impact your clients?

Today, marcomm agencies have unknowingly become a vulnerability to their clients. The fast-paced, deadline-driven world of these agencies presents an opportunity for cyber criminals to access lucrative client data. And without a plan in place, your agency could lose clients, or even worse.

Agencies are a prime cyber target

For years, cyber attackers spent their time and energy breaching large corporate enterprises for financial gain. But ever since enterprises have cracked down on cybersecurity policies, attackers have been looking for ways to access this data with the least amount of effort. Unfortunately, they don’t have to look very far. The supply chain of partners, vendors and professional service firms presents access to confidential data and information across multiple team members, offices and devices. Agencies, in particular, have access to sensitive client information including competitive intelligence, market value estimations, future deal announcements, product plans and more.

Simply put, cyber criminals are looking for the weakest link in the chain to streamline data theft, and marcomm agencies typically do not have the time, money or resources to make significant cybersecurity investments.

For example, X Social Media, a Florida-based advertising firm that uses Facebook to run ad campaigns on behalf of law firms, left a database unprotected, allowing criminals to gather information on advertising campaigns, medical malpractice cases and sensitive medical information about U.S. military veterans. Not only were attackers able to gather sensitive business and legal information, but also over 150,000 names, email and home addresses, phone numbers and medical information—all of which can be used by cyber attackers to perform account takeovers, costing individuals and firms valuable time and money.

Agencies are open to new risks as well

The 120,000 marcomm agencies in the U.S. and thousands more around the world need to take steps to reduce risk. Some agencies are proactive and have activated policies in case of a breach, but there are new and increasing risks that most agencies have not realized.

For starters, many agencies have adopted flexible work programs to benefit employees. This includes bring-your-own-device (BYOD) and remote work policies that unintentionally present opportunities for attackers. Without enforcement, employees may ignore critical software updates on their devices—leaving open backdoors for attack. Remote work also increases the likelihood of employees connecting to unsecured Wi-Fi, potentially creating a breach opportunity.

In addition, cloud apps such as Office 365, G-Suite, Dropbox and Slack have all become part of the agency office norm, but are actually vulnerable and frequently targeted in cyberattacks. They’re prime vectors for adversaries to initiate a data breach due to the apps’ lack of security against advanced techniques, requiring minimal effort from attackers to gain access.

What steps can agencies take?

To protect against cyberattacks, agencies must begin to take behavioral and procedural steps to secure data. Providing security education and training for employees is a great place for agencies to start. Other safeguards to limit risks are:

  • Conduct an agency risk assessment in order to determine where the greatest vulnerabilities lie.
  • Implement a technology policy requiring employees to update all devices, including personal devices used for work, when prompted to do so.
  • Set up advanced password protection so unauthorized users can’t easily compromise data via password theft or leaks.
  • Secure inboxes and cloud apps, because 1) more than 90 percent of attacks begin with a malicious email, and 2) cloud app security has proved to be lacking in advanced protection.
  • Purchase cyber insurance so your organization can be more resilient to attackers.
  • Create an incident response plan so all employees, clients and stakeholders know how to react during and after a breach.

Agencies are built on creativity and savviness, but by not taking steps to protect the ideas and information shared between client and agency, companies are risking regression. Not only will agencies suffer financial loss as a result, but they also risk internal and external damage to their reputations, which can take years to rebuild.

Ultimately, attackers recognize agencies for what they are—custodians of incredibly sensitive information about their clients—and with little to no security in place, it’s not a matter of if an attack takes place, but when. Without a plan in place, your clients and your agency will suffer.


Dror Liwer
Dror Liwer is co-founder and CISO at security-as-a-service firm Coronet
