Hackers are smart people. They know that the fastest way into a target is to find the weakest point of entry. All too often, they find that access point through the marketing organization, which many hackers consider a "soft target." The main reason is fairly simple: Marketers are typically more public and visible — and therefore more exposed — than the rest of the company.
Most recently, I've been in charge of corporate communications for MobileIron, a leader in passwordless authentication and device security. I've seen firsthand how susceptible marketing departments can be to cyberattacks.
For instance, information about company leaders, events and new product launches is readily available through the company website and social media posts on LinkedIn and Twitter. Hackers can collect this information and use it to spin a social engineering attack within the marketing organization, with the goal of getting a marketing employee to accidentally give up their username and password to a critical system. When an attacker manages to steal the credentials of that first employee, they can penetrate the rest of the organization from there. Consider the July 15 Twitter attack that started with a well-researched spear phishing phone call to a low-level employee and ultimately led to the takeover of several high-profile global accounts.
Unfortunately, marketing employees may be more vulnerable to security threats than other enterprise workers. This is because, as marketers and brand ambassadors, they are more likely to share their contact information and personal data that hackers can leverage in a spear phishing attack. In addition, marketing departments often work with third-party vendors, such as ad agencies, event planners and individual contractors. Communication between company employees and third parties represents one of the biggest security risks within marketing because IT typically lacks visibility into how data is shared outside of the organization. For example, marketers may send campaign materials to a web designer's Gmail address or share a Google Doc with an outside agency — without any kind of security protocol in place.
If protecting marketing communications wasn't already tough enough, the pandemic era has further complicated how teams collaborate when so many people now work remotely. In an earlier phase of the pandemic, a Gartner survey found that 88% of organizations either mandated or encouraged employees to work from home, and companies canceled nearly 97% of business-related travel. With the pandemic persisting around the world, it's clear that companies — and marketing organizations in particular — will continue to support some amount of remote work for the foreseeable future (and use the necessary tools to support it).
Like others working remotely, marketers have also resorted to creating ad hoc home offices that rely on a mix of personal devices and home Wi-Fi to get work done. This infrastructure is not nearly as secure as corporate-owned devices and IT-protected networks. In addition, employees on the go may improvise other ways of working, such as sharing laptops, hard drives and internet access with other family members. While understandable in the current environment, all of these behaviors create security gaps that hackers could exploit sooner or later.
Without the typical perimeter defenses of an enterprise network, hackers can more easily infect home-office-based machines with malware, and that malware can move freely to the other devices on the home network, because there's no security in place to segment machines, scan for malicious behavior or stop nefarious activity. Something as innocuous as a design file or invoice may actually contain malware that infects the employee's computer once it's been downloaded and opened. From there, the exploit's next step may be anyone's guess.
But given the vast amounts of customer data stored in platforms like Salesforce and Marketo, it's critical that marketing organizations, from the CMO down, know how to protect access to this information. It only takes one well-executed data breach to erode everything marketing has done to build brand reputation, customer trust, market valuation and investor relations.
How Marketing Can Avoid Becoming A Cybersecurity Target
First, everyone inside the marketing organization must recognize the importance of working closely with IT to keep data safe wherever it resides or travels — whether it's on a personal laptop or public Wi-Fi network. Security is everyone's job, especially when the workforce is no longer in the office.
Second, user education is critical. Although employees can't be expected to be a company's first line of defense against cyberthreats, everyone can learn how to spot a malicious link or respond to a phone scam. With so many employees working remotely across the "Everywhere Enterprise," security education can offer a highly cost-effective way to increase vigilance wherever people work.
Third, marketing and IT must be aligned on security measures for sharing data with third parties. While agencies and contractors often sign NDAs, this does not go nearly far enough to secure actual data that's transmitted outside of the company.
Perhaps most important of all — since we know that home-office networks aren't going to be secured with enterprise-grade defenses any time soon — employees must stop sharing passwords, and organizations must also switch from password-based authentication to two-factor authentication or multifactor authentication. Passwords represent the biggest security vulnerability in organizations today, and it's time to modernize how employees access apps and data. We know that multifactor authentication could have prevented some of the biggest hacking schemes to date, and it's an incredibly simple security step that all marketing organizations can take today. Eliminating passwords not only improves security but also improves productivity, because employees don't have to remember, update and type in complex passwords multiple times per day.
Although it seems like cyberthreats are becoming more persistent and sophisticated in the age of Covid-19 (because, sadly, they actually are), it's encouraging to know that there are simple steps every worker and organization can take to better protect their data — and avoid becoming the next headline.