If you were going to try and hack your own organization, which part of it would you target? The IT and Cybersecurity Teams would seem like the obvious choice, since they control all of the critical systems your organization relies on.
The problem is that they are also acutely aware of the vulnerabilities inherent in these systems, and are likely to spot malicious or suspicious activity pretty quickly.
So it makes sense to go for a ‘softer’ target. A team that is using plenty of poorly secured, vulnerable systems. A team that doesn’t know what an attack looks like. Perhaps the marketing team.
Marketing teams are a favorite target of hackers for a few reasons. They are typically in charge of some of the most public systems that an organization uses: websites, social media accounts, and email marketing suites. In addition, they often don’t know much about the most common WordPress security threats, or the ways to defend their site from hackers.
In this article, we’ll take a deeper look at why marketing teams are so at risk from hacking, and what they can do about it.
Why Marketing Teams Are A Good Target For Hackers
Marketing teams hold some of the most critical information that a business collects, but they are often unaware of this. For managers who are unfamiliar with the cybersecurity sector, it can be tempting to think that the most valuable data your business holds is intellectual property, budgetary information, and other commercially sensitive data.
In reality, some of the most valuable data to hackers is the personal information you hold on your customers. If this data is stolen, it can be used to launch further targeted attacks on your customers, steal their assets, or even steal their identity. And who holds this information? The marketing team.
In addition, marketing teams generally have a much larger ‘surface area’ for attack than other teams. This is a technical way of saying that they oversee far more publicly-visible systems than other teams, and so present more opportunities for infiltration.
A good example of this is that many of the most common forms of cyberattack are launched directly against companies’ websites, which are typically designed and run by the marketing team. Without cybersecurity expertise, they can be unaware that many popular website builders can be a source of vulnerability.
Going further, the rise of Software as a Service (SaaS) means that marketing teams are now typically using multiple, outsourced software solutions: the problem is, as research firm BlueTree.ai points out, that “when outsourcing server space and other infrastructural needs you are also outsourcing security”.
The second reason that marketing teams are such a huge source of vulnerability is linked to a basic feature of their role. They are responsible for dealing directly with customers, potential customers, and other companies. Marketers are taught to quickly establish trusting relationships with multiple stakeholders, but this willingness to engage and trust third parties is, in itself, dangerous.
In recent years, there has been a huge increase in the number of sophisticated ‘spearphishing’ attacks, which specifically target individuals within an organization and aim to gain their trust. That’s exactly what marketing teams are taught to do, and exactly what makes them so vulnerable.
One of the primary functions of marketing teams is to establish trust with potential customers, but you should be aware that this is exactly what spearphishing attacks rely on. Often, an attacker will ‘get to know’ a member of the marketing team in order to gain valuable information about a company that can then be used to launch highly targeted attacks.
What To Do About It
At the very broadest level, marketing teams need to be given training on how to keep the data and systems they use safe, and they also need to be integrated into a company-wide security culture. We’ll discuss that below.
At a more basic level, however, there are some steps that marketing teams can take to make themselves less vulnerable to cyberattack. These can be split into two types of preparation: those that occur at a technical level, and those that relate to managerial structures and risk assessment.
At a technical level, marketing teams should know what a cyberattack looks like, and know how to spot suspicious activity. They should also, as should we all, keep all the systems they use up to date. This is true for all members of a company, of course, but there are some specific areas that marketing teams should pay attention to:
- First, the marketing team generally forms the ‘bridge’ between the public and other teams within an organization, and commonly shares personally-identifiable data with other teams. Because of this, it is critical that marketing teams secure their internal communications as well as those with outside parties.
- Second, because marketing teams oversee social media outreach, their systems are particularly vulnerable to malware infection. They should be aware, therefore, of the dangers of smartphones when it comes to cybersecurity, and implement ‘quarantine’ procedures that separate (sometimes physically) marketing systems from internal corporate networks.
In addition to these technical steps, the managers of marketing teams need to be aware that there are particular periods of the business cycle in which they are more vulnerable, and in which security should be taken even more seriously:
- One of these is when working with outside vendors, particularly if you need to exchange personal information with them. It is not good enough to simply assume that the other companies you work with have good security measures in place: if they are the victim of a data breach, you will get blamed. Because of this, you should do a thorough audit of the security practices of every third-party company you work with.
- Second, whenever marketing teams roll out a new piece of marketing software, this should be done in close collaboration with IT departments. If you do not do this, you risk your new system introducing vulnerabilities into existing networks.
- You should also recognize that mergers and acquisitions are a critical time for cybersecurity. Each time you are required to integrate your systems with an incoming new marketing team, you should take the opportunity to complete a thorough assessment of the systems you are using.
Last, but definitely not least, all members of the marketing team should feel that they have a personal stake in the security of the organization.
Creating A Culture Of Security
Ten years ago, corporate culture was quite different from today. Generally, each team had a well-defined role in their company, and their skills and experience were siloed from company-wide issues. Today, that has changed, at least in market-leading companies. The idea of the CMO and CISO teaming up is now heard quite frequently, and this kind of integrated working can bring huge operational benefits to companies.
Creating a corporate culture in which all teams, not just the IT team, take security seriously is now a major challenge. Critical to achieving such a culture is that marketers are proactive in identifying and mitigating security risks. These processes should be visible in every campaign that marketing teams undertake, because it only takes one vulnerability to cause a catastrophic hack.
“Marketers can resign themselves to being targets or risk factors, or they can become champions of the CISO’s office,” suggests Juliette Rizkallah, CMO at SailPoint, in the Forbes article The Role of Marketing In Cybersecurity. “Creating a culture of cybersecurity in an organization requires the talent of a marketing department that, campaign after campaign, will reiterate the importance of security training, good password hygiene, physical security enforcement, social engineering awareness and so on.”
At the heart of successful corporate security culture is the realization that security is a cross-cutting process that concerns all parts of an organization. A common source of frustration for marketing teams is that other teams (and particularly the IT team) don’t take their marketing responsibilities seriously by engaging with customers in respectful, helpful ways. But this criticism cuts both ways: IT teams often express the parallel complaint that marketers don’t pay any attention to cybersecurity.
The Bottom Line
Ultimately, marketing teams should realize that poor cybersecurity has (or will have) a direct impact on their role. If your company falls victim to a major data breach, it will not be the IT team that is blamed for it. Rather, your company’s brand as a whole will be tarnished, and marketing teams will have to spend a whole lot of time and resources to clear up the mess.
For this reason, it makes sense to integrate security training and tools into the everyday operations of a marketing team. In many cases, even taking some very small steps to secure your team against hacking will be enough to dissuade an attacker, because if you can make your marketing team even slightly harder to hack than those of your competitors, this is often enough for an attacker to move on to a softer target.
And trust me: your IT team will thank you as well!
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.