Craig McDonald 13 June 2019 11:11:44 AEST 9 MIN READ

CISOs - how closely are you working with your marketing teams?

I’ve always found marketing to be one of the most interesting business functions. Why? Because it’s one of those fields that holds the power to impact mindsets, attitudes, and ultimately influence action.  

With consumers becoming increasingly tech savvy, marketing too, just like any other business function is evolving, leveraging new technologies, tools, and data. These teams are taking advantage of a growing number of marketing mediums, learning new techniques and tracking their impact. 

This means your marketing team is increasingly a technology team. They also have a great deal of ownership and permissions over some pretty critical company data. 

Hello, target for cybercriminals. 

As an Infosec professional, it goes without saying that there’s a strong need for CISOs and CMOs to work together to address how marketing systems and processes are more cyber secure. 

But the benefits of a partnership between the CMO and CISO doesn’t just stop in the latter being a protective agent for the former.  

Lately, I’ve also been thinking about the evolving role of marketing in being a cybersecurity champion within companies. If marketing campaigns help to influence attitudes of a company’s consumers or customers, they can also help in influencing organisational culture - ultimately boosting the cyber defences of a company.  

The benefits of such a symbiotic relationship between the CMO and CISO may already be well-known, but with cybercrime evolving at an unprecedented rate worldwide, it’s never a bad idea to call for greater cross-functional collaboration between the two.  

Let’s explore what this collaboration looks like in greater detail.   

How marketing departments pose a big cybersecurity risk 

Which tools is your marketing team working with to get their job done? Salesforce, Mailchimp, FollowPlanner, ManyChat, Google Analytics, DocuSign, SurveyMonkey, WeTransfer, Asana…  

According to Netskope’s 2018 Cloud Report, enterprise marketing departments use, on average, a staggering 121 cloud apps. 121! 

The more tools and contacts that your marketing team utilise, the more weak spots you have in your systems for cyber threats. Each and every entry point to your company, whether it be through an app, service, provider, or contact, is an opportunity for a cybercriminal or malicious actor.  

In fact, it’s unfortunately well known that cybercriminals have a better strike rate than most marketers themselves in understanding their target audience and influencing the actions of their ‘victims’ (or target market).  

Here are some examples of the types of cyber-attacks typically impacting marketing departments: 

  1. Spear-phishing are targeted attacks, often delivered via email, that purport to be from a known contact, vendor, or service provider - such as Mailchimp, SurveyMonkey, Microsoft, HubSpot, etc. They can be used for defrauding your company, holding systems to ransom, or stealing your intellectual property. When a sophisticated attack is deployed, it appears to be “from” someone that you already do business with. If one of your team fall prey, your critical assets and business data can be exposed to malicious actors. In 2018, there were over $1.2billion in losses associated with Business Email Compromise worldwide according to the FBI’s 2018 Internet Crime Report. And that’s just what was reported. 
    2. When cybercriminals spoof your company’s brand, alarm bells start ringing for CMOs  as this            can diminish consumer confidence in your brand, or damage customer perceptions. We call              this brandjacking


        Brandjacking can come in many forms: 

  • A spoof site that mimics your own, in an attempt to steal customer credentials or deliver malware to your customers’ systems, often linked to from emails, like our recent ANZ coverage 
  • A fake Twitter account putting out incorrect company news 
  • Fake Facebook pages, even messaging customers 
  • Phone calls pretending to be from your company, to gain access to customer accounts or systems 

CISOs, are your marketing team equipped well enough to deal with such a variety of threats? 

How can CISOs and CMOs work together to mitigate the threat of such attacks? 
 
Making the CISO a key contributor in any active marketing strategy is a great start as he/she will be able to articulate the importance of the following:  

  1. An effective cybersecurity tech stack tailored to the department 

CISOs can strategise with CMOs to develop a cybersecurity tech stack that fits the marketing department. This will include things like an advanced email protection service such as MailGuard, and fortifying app/tool security, such as utilizing the AccessNow Salesforce app. 

  1. Educating the team

It’s no longer enough to give your entire team a cybersecurity briefing at once. You need to tailor your education efforts to each specific department. 

For marketing, this means speaking in terms that are relevant to them, about their specific workflows and tools, and reinforcing educational efforts.  

The CMO needs to explain the intricacies of the marketing department to your CISO, so together they can come up with an effective education curriculum. With the changing cybersecurity landscape, education needs to be ongoing - not simply an onboarding or every-6-months activity. 

The marketing team should be critically aware of the sensitivity of the assets and data that they are entrusted with, and it is vital that they appreciate the value of those assets in the eyes of a cybercriminal.  

  1. Purchase similar domains and company name sites 

(e.g. yourbrand.net, yurbrand.com, urbrand.com, yourbrand.com.au, yourbrand.org etc.) 

By purchasing similar domains and spellings, it makes it trickier for others to create a spoofed website with a real-looking address. It also means that email addresses can’t be registered under these similar domains. CISOs and their teams can do this task as a matter of routine. 

  1. Have crisis management plans in place

The faster you are at identifying a brandjacking attempt, the quicker you can put your crisis management plan into action. 

CMOs can develop appropriate PR & communications strategies to put into plan in a crisis event and CISOs can ensure timely delivery of the messages. 

This means customer notifications across all your marketing channels; email, socials, SMS, your website, and even via telephone if critical. You’ll need to have a customer support team that you can deploy in the event of an incident - or reallocate human-resources from other departments (making sure they’re trained in advance to deal with this function). A ready to go message from the CEO that can be tweaked for the incident at hand makes company response that much faster. 

If you’d like to learn about cyberthreats specific to other company functions I suggest you take a look at my in-depth take on both HR and CEOs as further reading. 

Marketing as a cybersecurity champion 

Here’s another reason why CMOs and CISOs should be encouraged to work together - the talent and potential of effective marketing.  
 
Regular readers of my blog would know how I fiercely advocate the need for all functions in a company to be cyber resilient because cybersecurity is everyone’s responsibility. But marketing is particularly special in its ability to think about the brand risk, the business value /risk, and what/how customers/clients think. These are all key attributes for Infosec teams, especially in critical times such as a data breach. Think about it - if your company’s most valued assets are destroyed or manipulated, and your customers were impacted, won’t you appreciate someone who has the ability to execute an effective communications plan that would skillfully mitigate damage to your brand and help to calm irate customers down? 

IT teams can also leverage the influence of the marketing team on a day-to-day level - specifically, the fact that they often act as the ‘megaphones’ of a company, driving messages and influencing thinking on a regular basis. For example, if a marketing department were to reiterate internally, campaign after campaign, the importance of good password hygiene, how to spot email scams, or even why it’s important to have a multi-layered defence system in place, it’ll be easier for the CISO to encourage an organisational culture that is more cyber resilient. 

It’s often been established that the human factor is one of the biggest vulnerabilities in a company’s cyber defence system. With effective marketing holding the potential to influence such human behaviour and thinking, CISOs may be able to mitigate the threat of this vulnerability. And likewise, protecting marketing teams against cyber-attacks may further limit cybercriminals from infiltrating the company. 

How closely do CMOs and CISOs work together in your company to solidify their systems? Write to me below. 

 

 

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.

src-banner

You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...


Craig_McDonald
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.