What every Brand and Marketing Manager Needs to Know about Cybersecurity
Your company has invested thousands of hours and millions of dollars to connect with your customer base and engage your employees to build your brand, but how much time and effort was invested in protecting that brand from cybersecurity threats and breaches?
For most, the likely answer ranges from little to none. The question is, Why?
Brand stewards simply aren’t trained to understand how and where their brands can be compromised, let alone what strategies should be implemented to prevent cyber threats in the first place. Most inadvertently think this is up to IT to handle and /or that their cybersecurity focus starts and ends with privacy issues, but that isn’t enough. Everyone in your organization has a role to play to keep your company safe, including the marketing and sales departments.
Parabellyx Cybersecurity knows that education and training are required for brand stewards to be better prepared against cybersecurity threats. The key is to understand where your brand is most likely to be breached. Our team starts this process with penetration testing, a process where we simulate a cyber-attack to assess vulnerabilities and weaknesses.
Our goal is to see what we can do to compromise your systems or to access data. Companies are always surprised with how often data or security weaknesses can be found using the most low-tech methods. Cyber-criminals like to go down the path of least resistance, which is why many don’t waste their time trying to get information from a computer if there is an easier way.
Let’s start with corporate videos or ads. Imagine a Brand Manager for a major bank who has hired a firm to shoot their CEO walking through the customer service department of head office as they discuss the many ways the bank can make their customers’ dreams and financial goals come true.
Now, this brand manager has done their due diligence to prepare for this video from a pre-production perspective, but have they also considered any cybersecurity issues? For instance, has there been an evaluation relating to the video in the following areas:
- What paperwork is visible on the desks?
- What applications are open on computer screens?
- Is any customer information visible anywhere that will be recorded?
- What material relating to processes or projects is posted on the walls?
- What printer system are they using?
- Are any specific network or security devices visible?
- What brands of devices does the office use?
- Are any apps being used on cell phones visible?
These are essential questions because someone, somewhere, is sitting in a bedroom with the sound off who is zooming into the video to discover information and details that they can take advantage of in some way. Each piece of information may uncover an opportunity to break into an operational environment of the bank, to find a weakness where malware can be placed, or even to uncover strategic information about the business that a cybercriminal can use to their advantage.
This extends to simple executions such as Google Earth images. While external photos of your physical buildings are public, many companies are now extending the view to show high-definition interior images as well. Desks, paperwork, computer screens are all just a zoom away from allowing a bad actor to discover potential access points into your systems.
Surprisingly, many security details are willingly volunteered. RFP’s and job descriptions are a wealth of information for bad actors and one of the first places that Parabellyx looks at when conducting penetration testing. Why? They answer many questions openly. What software does the company use? What are the technology stacks for their operations? Where are they experiencing issues that they want a vendor/ employee to help solve? What level of experience does their team have within the company. All of these pieces of information create a roadmap for Cyber-criminals to use against the company.
Naturally, corporate websites are one of the most common ways a company can be breached. You may have the most excellent web developers in the world, but a bad actor can easily compromise a site by placing a couple of malicious JavaScript lines on the website without anyone knowing. Typically, this code won’t work immediately but will only be engaged when the cybercriminal enables a trigger that can even originate in a completely different domain.
Keep in mind that your website isn’t an island. You also need to be aware of all third-party systems with access to your website, including tracking systems that provide site and customer data or advertising distribution systems used for remarketing and marketing efforts. Verify their security stance and adequately understand how and where they access, use and potentially store critical data before connecting them to your own website. Even the largest marketing services get compromised, so once you integrate a system, be sure to keep them updated regularly with patches and software updates.
Lastly, be aware that infiltrations can often occur from your corporate partners and/or supply chain. Bad actors will evaluate your entire supply chain and related partners to determine their security preparedness. If they can find a company that can be breached, they can use the lower level of security in one to get into the other. This often occurs where a partner has access to data that you couldn’t get from the main company, but you can steal it from the partner company that you entrusted with access to that data.
Sometimes, damage to the brand occurs, even if steps are taken to secure all of your company systems, applications and websites. Cybercriminals may choose to target your customers in a fraud campaign, impersonating your company and using your branding, including logos, fonts and other materials. This is why it is essential to track the re-use and abuse of your branding images, such as logos and banners on the internet and educate your customers to “trust, but verify” any communications from your company.
Cybercriminals are resourceful, and they look for anything that they can find to provide details about your business, technologies, employees, processes and procedures. Once found, they can use that information against your brand to commit fraud, distribute malware or steal your data.
You may not lead cybersecurity for your company, but you can help to make sure that you are protected.
- Engage in a self-assessment and understand what systems you touch as a brand steward and how is data, especially consumer data, being used.
- Assess any potentially sensitive information that can be disclosed visually or otherwise through branding and marketing efforts.
- Use free services where you can take a look at domain reputation to see if you on any blacklists for reasons that may include sending unsolicited emails or there is something wrong with your email server configuration.
- Be aware of phishing attempts from Cybercriminals who are using your brand to trick your customers.
- Ensure strong security hygiene around third-party systems. Surprisingly many systems maintain access for months or years after a program has ended.
- Confirm that you are maintaining strong password control, even using secure password managers that use second-factor authentication.
- Add security checklists to any marketing efforts, RFP’s and job descriptions to remove any data that shouldn’t be known publicly.
- Take some introductory cybersecurity courses to better understand the landscape.
Overall, understand that everyone plays a part in keeping your brand safe. Being aware of your role and working with your IT and cybersecurity teams proactively is the best first step you can take.