By Dror Liwer
As a decision-maker working in an agency – whether that be for a public relations, advertising, digital or marketing firm – when is the last time your company truly thought about the security of your network, devices and data? If this answer isn’t “yesterday” or “today,” then your agency, and the client data it is entrusted with, might be at risk.
Why Agencies Are Now a Target for Cybercriminals
As cybercriminals work to find new ways to successfully attack their primary targets, they are increasingly looking at third-party partners to compromise. This includes companies within an organization’s supply chain, professional service firms and creative and communications agencies — like yours. Most of the time, these types of businesses do not have the time, money and resources to make significant investments in cybersecurity.
For agencies in particular, adversaries are most interested in using them to simplify data theft. Specifically, attackers now seek to exploit agencies as a means to obtain a treasure trove of client data and confidential information that they can then use to expose, delete, sell, share or hold for ransom. From sensitive marketing materials and competitive intelligence to stakeholder information, intellectual property, banking information and more, agencies often have about as much access to client data as their clients themselves, with almost none of the security in place.
A Win-Win for Attackers
Just last year, WPP (the world's largest advertising agency) was crippled by the infamous NotPetya ransomware attack, leaving staff at both its flagship and subsidiaries unable to access their systems and networks. In total, the attack cost the holding company more than $15 million to remediate, an amount that would have put most other agencies out of business for good. But it’s not just the largest firms that need to be concerned; it’s all of the 120,000 communications and creative agencies in the U.S. and the thousands of others across the globe that must recognize the increasing risk.
Agencies Are More Insecure than They Realize
Even agencies that have put some emphasis on security are at greater risk than they realize. For starters, most agencies today rely on bring-your-own-device (BYOD) and remote worker policies that present many opportunities for attackers to initiate attacks.
With such policies, for example, many employees frequently overlook critical software updates on their devices, leaving important security updates uninstalled. They may also inadvertently connect to insecure or spoofed Wi-Fi networks while working out of the office or traveling, giving attackers access to credentials, data and devices without the employee having any knowledge that this is happening.
In addition, the vast majority of agencies rely very heavily upon vulnerable cloud apps (Office365, G-Suite, Slack, Dropbox, etc.) to promote teamwork and for greater efficiency and productivity. Though great for convenience, these apps on their own are terrible for security, and represent prime vectors for adversaries to initiate data breaches with minimal effort.
What Agencies Can Do to Get Serious about Cybersecurity
Clients expect their agencies to work quickly, professionally and securely. If your agency is the cause of a client’s data breach or leak, you will certainly lose the account, but you’re also likely to lose others in your company’s portfolio. On the new business front, an agency with a reputation for lax security, or one that has recently been breached, will certainly have a hard time gaining the trust of prospective clients.
This is why it is past time for agencies to take cybersecurity more seriously and to put some thought into how you are keeping your clients’ data secure. From providing security trainings for your staff, to implementing enforceable technology policies, and adding a line-item into budgets for technology adoption – these types of security improvements can make a big difference.
New technologies are beginning to democratize cybersecurity, making it possible for small and mid-sized agencies to secure their networks, devices and cloud apps more easily, more efficiently and at a lower price point than ever before. And it wouldn’t be unreasonable to pass some of the security costs along to your clients. In fact, many of them now demand that cyber insurance be purchased and some security guidelines be followed in order to sign or renew a contract.
For an industry built on creativity, it’s time to put that ingenuity to work to proactively protect the integrity of your agency, and in doing so, defend the confidentiality of your clients’ data. The future of your business is dependent upon it.
About Dror Liwer
Dror Liwer is the founder and CISO of Coronet, an award-winning cloud security company that helps mid-sized and small businesses protect cloud apps from unauthorized access, data theft and malware/ransomware for free.