Knowing that more sophisticated enterprise security is forthcoming, attackers have begun to evolve their strategies and techniques to exploit the most vulnerable partners of their primary targets. Today, communications and marketing agencies epitomize such a vulnerable partner, directly or indirectly helping attackers access the lucrative data they seek.
You’re on tight deadlines, turnover is near constant, and your clients’ confidential data and information is being accessed by multiple team members, across multiple offices, and by multiple devices. Though this fast-paced workplace culture demands this kind of structure to execute projects successfully, it doesn’t mean you need not be cautious.
As a decision-maker working in an agency – whether that be for a public relations, advertising, digital or marketing firm – when is the last time your company truly thought about the security of your network, devices, and data? If the answer to this question is not “yesterday†or “today,†then your agency and the client data it is entrusted with, is surely at risk.
Agencies: The New Target for Cybercriminals
As cybercriminals work to find new ways to attack their primary targets successfully, they are increasingly looking at third-party partners to compromise. This includes companies within an organizations’ supply chain, professional service firms and creative and communications agencies. Most of the time, agencies do not have the time, money, or resources to make significant cybersecurity investments.
Today, adversaries are most interested in agencies to simplify data theft. Specifically, attackers now seek to exploit agencies as a means to obtain a treasure trove of client data and confidential information that they can then use to expose, delete, sell, share, or hold for ransom. From sensitive marketing materials and competitive intelligence to stakeholder information, intellectual property, banking information and more, agencies often have as much access to client data as their clients themselves, with almost none of the security in place.
A Win-Win for Attackers
WPP was recently attacked by the NotPetya ransomware attack, which left its staff unable to access their systems and networks for days. The attack cost more than $19 million to remediate, an amount that would have put most other agencies out of business for good. But it’s not just the largest firms that should be concerned; it’s all of the 120,000 communications and creative agencies in the U.S. and the thousands of others across the globe that must recognize their increased risk.
Agencies are More Insecure Than They Realize
Even agencies that have put some emphasis on security are at higher risk than they might comprehend. For starters, many agencies rely heavily on bring-your-own-device (BOYD) and remote worker policies that present many opportunities for attackers to initiate attacks.
With such policies, for example, employees are known to miss critical software updates on their devices regularly, leaving numerous vulnerabilities without a patch. They are also likely to inadvertently connect to insecure or spoofed Wi-Fi networks while working out of the office or traveling, unintentionally giving attackers access to login credentials, data, and devices.
Besides, the vast majority of agencies invest in cloud apps, such as Office365, G-Suite, Slack, and Dropbox to promote efficient and productive independent work, teamwork and agency-wide collaboration. Though great for convenience, these cloud apps are some of the most vulnerable and frequently targeted software products in the world; represent prime vectors for adversaries to initiate data breaches with minimal effort.
The Solution
Clients expect their agencies to work quickly, professionally, and securely. If your agency is the cause of a clients’ data breach or leak, you will almost certainly lose that account, and you’re also likely to lose others in your portfolio. On the new business front, an agency with a reputation for lax security, or one that has recently been breached, will certainly have a hard time gaining the trust of prospective clients.
So, what should be done to protect your company from a cyberattack? Here are seven cost-effective safeguards to implement in 2019:
- Conduct a risk assessment to determine where the company’s most significant vulnerabilities lie.
- Purchase cyber insurance so your agency can be more cyber resilient when an attack strikes.
- Invest in an annual security awareness training session. This will enforce technology policies and help educate employees on emerging attack trends.
- Set up advanced password protection so unauthorized users can’t easily compromise the integrity and confidentiality of your client’s data via password theft or leaks.
- Secure your inbox because more than 90 percent of attacks begin with a malicious email.
- Secure your cloud apps from a data breach because attackers now target the most popular SaaS applications daily.
- Create an incident response plan, so all employees, clients, stakeholders, etc. know how to react and respond during and after a breach.
New technologies are beginning to democratize cybersecurity, making it possible for small and mid-sized agencies to secure their networks, devices, and the cloud apps easier, more efficiently and at a lower price point. And it wouldn’t be unreasonable to pass some of the security costs along to your clients. For an industry built on creativity, it’s time to put that ingenuity to work to protect the integrity of your agency proactively, and in doing so, defending the confidentiality of your clients’ data.