Attention decision-makers at marcomm agencies – whether that’s a public relations, advertising, digital media or marketing firm – when is the last time your firm truly thought about network, device or data security? If this answer isn’t “yesterday” or “today,” then your agency, and the client data it is entrusted with, is likely at risk.
Today, the vast majority of most agency’s clients invest in cybersecurity (some more than others). However, because of budget, time and resource constraints, as well as the lack of any industry standards or regulations mandating compliance, most creative and communications agencies have not followed suit.
Such cybersecurity apathy has made agencies an attractive target for cyberattacks – whether they realize it or not. Why? It’s simple: agencies have access to a treasure trove of client data and proprietary information of which not just employees, but also attackers, can easily access via insecure networks, systems and devices. For savvy hackers, exploiting an unprotected agency as the means to gain unauthorized access or spread malware to their primary target (the agency clients) is not only significantly less-risky, but doing so is also less expensive and more time effective.
What’s at stake for agencies?
In today’s threat landscape, there’s a lot at stake for creative and communications agencies should they be hit by a cyberattack, including:
- Diminished business continuity: Just last year, WPP was crippled by the infamous NotPetya ransomware attack, leaving staff at both its flagship and subsidiaries unable to access their systems and networks, according to AdWeek and other media outlets. In total, the attack cost the holding company more than $19 million and many of its subsidiaries were shut down for days. This incident has broad implications for smaller shops as well, since they rely on their agility and nimbleness to meet and exceed client demands. With that in mind, continuity means everything, and disrupting that with an attack could be catastrophic for agency-client relationships with the inability to get time-sensitive work done.
- Client/employee turnover: Both are already at record levels (average agency-client tenure has shrunk from 7 to less than 2 years) and a successful cyberattack would surely expedite departures, as it is unlikely that clients and employees would retain a relationship with an agency after their data was breached or identity compromised. In addition, employee turnover creates opportunities for departing workers to take data with them, either intentionally or inadvertently. Such data could then be leaked or sold, creating reputational, operational and financial risk to both the agency and the client.
- Reputational damage: From login credentials and cloud app passwords to customer databases, billing/routing numbers and more, agencies are the custodians of some incredibly sensitive strategic and brand information. In other words, agencies have access to what attackers want, with little to no security to protect these assets from internal and external threats. If an agency has weak or no security protocols and they’re the cause of a systemic breach or data leak ahead of a project launch or another initiative, then that would likely result in irreversible harm to the brands reputation, ultimately diminishing client relationships, new business prospects and employee morale. Ironic, the agencies often hired to build or change reputation would be forced to spend much of their time doing the same reputational management tasks internally, or risk going out of business for good.
- Cyber insurance premium spikes: Recently, a report by PwC estimated that the cyber insurance industry will grow to $5 billion in annual premiums by the end of 2018, and $7 billion by 2020. Those numbers are staggering, given how new the industry is. Moreover, since it’s such a new industry, there is inherent risk and volatility, and security breaches will impact insurance premiums not just for the company that suffered the breach, but across the entire industry. Most agencies that have the means to purchase cyber insurance do not have the financial leeway to incur massive spikes in premiums.
Unfortunately, any one of these consequences could ultimately lead an agency to shut its doors for good. So, what can creative and communications agencies, regardless of headcount and revenue, do to protect their company from cyberattack? Here are seven safeguards that agencies should implement in 2019:
- Conduct an agency risk assessment to determine where the company’s greatest vulnerabilities lie.
- Purchase cyber insurance so your organization can be more cyber resilient when an attack strikes.
- Implement a quarterly security awareness training session to enforce technology policies and to help educate employees on emerging attack trends.
- Set up advanced password protection so unauthorized users can’t easily compromise the integrity and confidentiality of your client’s data via password theft or leaks.
- Secure your inbox, because more than 90 percent of attacks begin with a malicious email.
- Create an incident response plan so all employees, clients, stakeholders etc. know how to react and what actions to take during and after a breach.
Last but not least, agencies should invest in data breach protection platforms, like Coronet. It’s extremely common for agencies to use cloud apps like Box, Dropbox, Office365 and Slack, yet despite some security built in, such tools are ripe with vulnerabilities. Coronet can monitor your agency’s cloud applications for data leaks, cyber-threats and regulatory violations that put your business at risk and remediate them without added costs or any disruption to agency continuity.