5 Things Marketers Should Do After the Next Cyber Attack (And There Will Be a Next One)
Note: This article was originally published in Advertising Age on June 29, 2017.
The week after Cannes typically involves recovering from too much rosé, following up on some great meetings, and for a lucky few, perhaps an extended holiday. A worldwide cyber attack was not part of the agenda for folks across adland. It's a sobering reality that most brands and agencies are not prepared for.
This is an industry wake-up call.
Cyber security is a $445 billion problem, and some predict that figure could rise to $6 trillion by 2021. CEOs and boards are rightfully worried about the risks to their business: A March 2017 report by executive search firm Spencer Stuart found that 39% of board directors said they discuss cyber security at every meeting and that 40% of respondents reported their board has at least one director with cyber expertise. An additional 7% are in the process of recruiting one.
So what's a CMO to do?
In its May 2017 Cyber Insights Research Report, Neustar found that 40% of companies discovered a distributed denial-of-service (DDoS) attack through their very own customers. No one in marketing should be caught flat-footed when a cyber attack happens. For starters, marketers need to understand what type of attacker they're dealing with (see below), then proceed accordingly:
1. Identify all key cybersecurity stakeholders across the company
Everyone in marketing should know who the key players are internally at the company. Security should be everyone's job. You may have some or all of the following key roles at your company, so get to know these execs and their key lieutenants and what they do: Chief Information Security Officer (CISO), Chief Data Officer (CDO), Chief Technology Officer (CTO), Chief Information Officer (CIO), Chief Risk Officer (CRO).
2. Understand your brand's specific risks
Map out all of the customer touchpoints you have and list all of the key technologies that underpin each touchpoint. For example, a retailer needs to think not only about online and offline touchpoints, but call centers, point-of-sales systems, CRM databases, mobile applications, supply chain distribution, email and much, much more. Those are just direct interfacing technologies to customer touchpoints. You will also need to map out second derivative technologies. One retailer identified that their data breach could be traced to a third-party contractor who had been compromised while having credentials to access the company's computer network.
3. What's your role in business continuity management?
The companies that are most prepared for a cyberattack have a well-defined Business Continuity Plan, which should provide a roadmap for responding to a range of potential emergencies relating to the people, the customers, the partners, the data and the facilities that comprise business assets. How is marketing involved in your company's BCP? Do you even know what your company's BCP is? Do you have messages and communications templates ready for when there is an issue?
4. Ask questions … Lots of them
While many marketers are learning about customer data and privacy matters, this is the right time to ask more security-related questions so you can learn more. When it comes to questions, here are some to start with.
- What was our most significant cybersecurity incident? What was our response?
- What was our most significant near miss? How was it discovered?
- How can marketing help with our cybersecurity initiatives?
- What are considered our tier 1, 2 and 3 priorities during a cyberattack?
- How is the performance of our security team evaluated?
- Do we have relationships with law enforcement, such as the FBI and Interpol?
- How are we thinking about security with our supply chain partners, vendors and other partners?
- What is our plan to communicate internally and externally to all key stakeholders?
- Bookmark key websites like U.S. Homeland Security and cybersecurity thought leader Brian Krebs so you get up-to-date information.
5. Do what you do best: Market
Marketers can help their security executives with internal security marketing campaigns. Partner with these leaders to offer training, webinars, lunch-and-learns, and general security awareness to your employees. Security is a shared responsibility and we are only as strong as our weakest link. Help to build a security-aware culture that identifies and prevents possible attacks.
TAXONOMY OF AN ATTACKER
Before responding to a cybersecurity attack, companies need to know what type of attacker they're dealing with. There are 6 main species:
This is probably the most well-known type of cyber attack, which usually involves stealing some type of login credentials or hacking of systems to steal sensitive information such as financial (e.g., credit card or bank) or medical data.
Fun fact: Cybercriminals attack the healthcare industry more than any other sector, and your medical information is worth 10 times more than your credit card number on the black market.
Typically referred to as “ransomware”, this is digital extortion. A type of malicious software (“malware”) is used to block access to the victim's files or applications and make them useless. The victim must pay a ransom to gain access or recover the files. This can be a targeted attack or a random attack put out into the wild by individual hackers or organized crime. This week's Petya is the latest in an alarming rise in ransomware attacks.
Fun fact: Global ransomware damage costs are predicted to exceed $5 billion in 2017. That's up from $325 million in 2015 — a 1,500% increase in two years, and expected to worsen.
These are attacks that are global in nature, wide-ranging and do not necessarily discriminate among governments, companies or individuals. The goal is to disrupt, sometimes just to show that you can. Taking down a website or even discovering and exploiting new vulnerabilities is practically sport for hackers and it earns serious bragging rights.
Fun fact: The October 2016 Mirai cyberattack against Domain Name System (DNS) provider Dyn (now owned by Oracle) took down high-profile sites ranging from Pinterest and Twitter to Netflix and Walgreens. It was one of the largest DDoS attacks ever. Mirai malware infected devices to form a robot network or "botnet" and coordinated the bombarding of servers with Internet traffic until the website collapsed under the strain. Mirai was the first botnet made up of "Internet of Things" (IoT) devices such as DVRs, webcams and other connected devices. So yes, your DVR might be working for the enemy.
Whether it’s protesting a belief, a cause, or an individual, these are the “hacktivists” that are making a statement. It can be political in nature or values-driven, ranging from organizations to individual hackers making their voice heard.
Fun fact: While WikiLeaks dominated the headlines throughout the 2016 election cycle, Anonymous is perhaps the most active and prominent group over the past decade. Anonymous rose to prominence in 2008 when they unleashed a massive DDoS attack against the Church of Scientology.
What used to be something you'd see in the movies is now real life. Whether it’s government espionage or cyber warfare, politically motivated attacks range from spying to stealing intelligence, to sabotaging plots to actual warfare.
Fun fact: Discovered in 2010, the Stuxnet computer worm was responsible for causing serious damage to Iran's nuclear program, ruining approximately one-fifth of their nuclear centrifuges.
The scariest of them all. From rogue hackers to terrorist organizations, this is where the connected world gets truly dangerous. In 2017, there are more machines behind IP addresses than humans. As IoT becomes pervasive, the threat of taking out mission-critical infrastructure, from power grids to telecommunications networks, is increasingly real. This can affect anything and everything from connected cars to hospitals to airplanes.
Fun fact: This May, 16 hospitals across the United Kingdom were unable to access basic medical records due to the WannaCry ransomware attack. Just imagine if instead of ransoming for data, the cyber attackers threatened to shut down the hospital's power.