By Michael J. McDermott
President Joe Biden's midsummer announcement of an impending conference with the nation's business leaders to discuss ways to combat the dramatic surge in cybercrime — especially ransomware attacks — stuck an exclamation point on something that's become increasingly clear. The private sector is an important part of this fight, and the onus is growing on marketers to figure out what their role should be.
Their precise role is going to vary depending on the company, according to Ari Schwartz, managing director of cybersecurity services at the law firm and ANA member Venable LLP. A major factor? The relationship between the CMO and other members of the C-suite.
"Those relationships are all over the map," Schwartz says. "A CMO who reports directly to the CEO or functions as the CEO's right-hand person will have a much different role to play than one who is only nominally engaged with the CEO and the board of directors."
Regardless of the nature of that relationship, CMOs first have to make sure they have a seat at the table when cyber issues are discussed.
Schwartz, who before joining Venable was a member of the White House Security Council, where he served as a special assistant to President Obama and senior director for cybersecurity, adds that during the past two decades — as cyber threats have soared — brand managers often have not had visibility into the security programs that are designed to protect the company. "That makes it difficult when they find themselves in a situation where they have to defend the brand's name following an attack," he says.
Protect Brand Reputation
Amid the wide array of responsibilities foisted on marketers in the past several years, preventing a cyber breach is at the top of the list, as companies can ill afford to have their precious data exposed to bad actors.
The situation is getting increasingly acute. The vast majority (93 percent) of organizations suffered a compromise of data during the past 12 months, and most security leaders (82 percent) believe their organizations remain vulnerable to a cyberattack, according to a recent survey released by Kroll, Red Canary, and VMware.
The survey, which took the pulse of 500 security and risk executives at large organizations, also found that more than two-thirds of respondents (64 percent) are concerned about the damage to the company's reputation caused by a cyberattack.
"A business that falls victim to cybercrime looks mismanaged and vulnerable," says Jessica Zhao, CMO at Spacewhite, which makes earth-friendly household cleaning products. "It becomes a huge task to gain back that consumer trust — especially if customer data has been leaked in the breach."
CMOs and other senior marketers must understand the scope of cybercrime's threat and be proponents for consistently updating their companies' online defenses. Among the countermeasures Zhao champions are solutions that encrypt and store passwords, two-party authentication, anti-malware programs, and endpoint security solutions.
Employee education is also key. "While technology can be working hard to keep a company safe, your employees also need to be educated," Zhao says. "They can sometimes catch things that the software can't."
At Spacewhite, employees regularly attend workshops to learn about online security and how to spot anomalies in their computers that might indicate a cyberattack in progress.
Nearly every company is data-driven and subject to "an exploding alphabet soup of data-related laws and regulations that require compliance from the boardroom to the C-suite to the rank-and-file," says Brian Gallagher, president and co-founder of ProtectedBy.AI, which develops cybersecurity software powered by artificial intelligence.
"Big brands have become aware of the need for a top-to-bottom approach," Gallagher says. "They have ramped up their efforts by allocating more funding and proper oversight channels that flow back to the organization's leadership. Big brands understand that there is not a single solution available to combat all cybercrime and ransomware concerns. Organizations must take a multilayer approach to protect their resources."
CMOs have important roles to play in such a multilayer approach, starting with oversight of the marketing and advertising supply chain. They also have an obligation to make sure that appropriate security measures for their own systems — as well as the apps and platforms of partners who have permissions to access the marketer's systems — are in place.
"Supply chains are attractive targets for ransomware attacks," Schwartz says. "Operational systems are much harder for hackers to break into, but they can still shut down a business just by hitting production and office systems."
Brands are particularly vulnerable to such attacks because hackers see them as high-value targets.
"They're not just locking up your systems, they're holding your data hostage, too," Schwartz says. Since companies are required to protect consumer data, hackers often demand — and get — higher ransom payments. CMOs must work closely with their organizations' IT and security teams to stay abreast of emerging threats and ways to prevent them.
"Marketing can serve as a conduit between the security apparatus and the rest of the organization, including the board, the CEO, and the general counsel," Schwartz says.
Marketing can play the same role externally, communicating to partners and customers what their organizations are doing to protect security. "The CMO can step in and explain the steps being taken to protect the supply chain in an easily digestible, 'plain English' format," he says.
Bespoke Solutions Are Required
Because cybersecurity concerns vary so widely across industries, there is no one-size-fits-all list of best practices for marketing organizations. However, the National Institute of Standards and Technology (NIST) Cybersecurity Framework provides general guidelines on ransomware protection and response.
One of the most effective ways to determine the specific role(s) marketers should play within their organization is through tabletop exercises, which simulate real-life situations such as data breaches and ransomware attacks, Schwartz advises.
"Marketing leaders should make sure their companies are doing tabletop exercises and that marketing is included in them," he says. Having leadership engaged in thinking about threats before they happen can help identify security issues in the marketing supply chain that might not be apparent to the security team.
Organizations with a poor security culture are at much higher risk of employees sharing their credentials, according to the 2021 KnowBe4 Security Culture Report. The report estimates that the risk could be as much as 52 times higher. If there's a silver lining in this cloud, it's that the enormity of the threat has triggered heightened levels of awareness.
The report, which surveyed more than 320,000 employees working at over 2,000 organizations, found that 94 percent of the 1,161 security leaders included in the survey believe that security culture is critical. But make no mistake, the scope of the threat gets "worse every day" and requires constant vigilance and corrections to marketers' security postures, according to Gallagher.
"The bad guys are beating down virtual doors," he says. "Given the inherent limitations of historical man-centered approaches, it is no wonder why companies now take an average of 197 days just to notice a data breach. Compare this to the rate of cyberattacks — which occur roughly every 40 seconds — and we begin to appreciate the need for constant vigilance."