Marketing, communication and cybersecurity issues

There is a common misconception that marketing and communications departments are immune to cyber attacks. However, the reality is that these departments are prime targets for cyber-attackers, for the following reasons. Branders and communicators are by definition easy prey for cyber criminals: they are often less well trained, less aware, and more likely to let an attack go unnoticed. Secondly, they use numerous digital tools every day, which are all gateways to companies.

Indeed, marketing and communication departments are using more and more digital solutions and tools. These departments, like all the others, are digitising at high speed: customer files, prospecting files, website management, use of social media, sometimes with shared identifiers, etc. All these elements are weaknesses for the marketing and communication departments of companies.

However, this situation of vulnerability is far from being inevitable: marketing and communication can indeed be a target of choice for hackers, be a risk factor, but they can also become ambassadors and promoters of cybersecurity in their company.

Marketing and communication departments: prime targets for cyber attackers

The range of digital tools used by marketing and communication departments makes the company all the more vulnerable.

Here are the main tools that are gateways for cyber-attackers:

• Email. Indeed, email is by definition digital. And email marketing is today a particularly popular solution: for sending newsletters, as part of a marketing automation strategy, etc. But email is well known to be a method particularly used by cyber criminals to carry out their attacks: 90% of attacks are attributable to email. This is known as phishing. Cyber-attackers send emails pretending to be legitimate institutions and entice users to click on fraudulent links. In addition, marketing and communication departments handle a large amount of personal data, making them particularly vulnerable to "DPO scams" scams (see example 1 below). The marketing team is particularly vulnerable to this type of attack as they are usually the ones who interact with customers, or with cyber criminals who would like to pose as customers.

Image translation: "It would appear that the data processing carried out by your business does not meet the legal requirements of the GDPR. On pain of financial penalties of up to 20 million euros or 4% of annual worldwide turnover, you are invited to comply as soon as possible. For this purpose, we offer compliance services for a fee."

The example above illustrates a DPO scam: cyber-criminals try to pass themselves off as a legitimate institution (in this case the CNIL), and threaten significant financial penalties. The attackers play on fear and pressure, and encourage their interlocutor to react as quickly as possible.

Sending this email to the marketing department (which processes a large amount of personal data) makes sense. It is important to know that the CNIL does not offer any paid compliance services. Moreover, if your customers file a complaint with the CNIL, the latter will probably give you a period of time to prove your good faith and to comply: you should not generally be threatened with a sanction right away.

Image translation: "It looks like someone is trying to access your user account. If you are not the source of the access attempt, change your password by clicking on the link below."

The example above is a perfect illustration of phishing: an email is sent to the marketing department. The sender of the message wants to pretend to be the customer service department of an online tool (such as Canva for example) and encourages the recipient to click on a link to change the password associated with the account. If you are unsure about the security of your account, do not click on the link in the email to change the login details. Go to the site directly from your usual search engine and change your password. If the email turns out to be phishing, clicking on the link could land you on a landing page designed to make you think you are on the right site, enter your login details, which would then be immediately stolen by the attackers.

• The website. Today, every business, even those that do not sell directly online, has a website. WordPress in this case is one of the most widely targeted CMS platforms. Attackers exploit vulnerabilities in the platform, but also vulnerabilities in the most popular plug-ins. By using these vulnerabilities, attackers would be able to infiltrate your website, to permanently block your access, or to spy on your activities discreetly, without you being aware of it. Beyond these vulnerabilities, cyber criminals can carry out various attacks: DDoS attacks (your site is flooded with an immense amount of traffic that it cannot handle), SQL attacks (the attacker tries to access your site's databases), password attacks (the attacker tries all possible password combinations until they find the right one, and can then take over the website), etc. To learn more about SQL injection, you can read our blog post on the subject.

• Social networks. Social networks are also widely used by marketing and communication departments. The danger increases when teams and their different members access the same social network accounts and share passwords. Hijacking these social network accounts allows attackers to harvest personal and sometimes confidential information, to hijack accounts, and sometimes even to resort to defamation or disinformation.

• Social engineering. Marketers (more than communicators) also work with many external service providers such as suppliers, partners, subcontractors, etc., which often requires the exchange of sensitive data between these different departments. These exchanges are often carried out far from the supervision of the IT department, exposing the company to even more risks. Cyber-criminals could then impersonate these different parties and change the address or payment terms, for example. To learn more about social engineering techniques, you can read our blog post on the subject.

So given these multiple entry points, how can marketing and communications departments protect themselves from cyber threats?

How to protect the marketing/communication department from cyber-risks?

Marketing and communication departments are at the heart of the digital transformation of companies. It is therefore essential to ensure that these changes do not create additional risks for the company.

Here are some ways to secure marketing and communication departments and their use of digital tools.

1. Use strong passwords. As we know, passwords are a gateway that should not be neglected. The first rule is therefore to use strong passwords (a combination of 15 to 20 numbers, letters and special characters). This first rule makes it possible to limit possible attacks. Indeed, the quickest way for cyber-attackers to guess your passwords is the so-called "brute force attack". This refers to the action of a robot (a bot) which then tries thousands of password combinations per second. By adding characters, you make their job much more difficult. Indeed, to guess a password of 15 to 20 characters, which respects the criteria mentioned above, it will take the bot several thousand years to guess your password. The second rule is to use a unique password for each access. In fact, this technique makes it possible to limit the scope of a possible attack. Because despite all the good practices in the world, sometimes cyber-attackers still manage to get in. If you use unique, different passwords for each of your user accounts, you limit the scope of the attack to the affected account. Cyber criminals are well aware of the lack of awareness of the majority of Internet users: if one of your passwords is discovered, it will then be tested on all your online accounts. If you use only one password for all your online accesses, then in the event of a hack, all of them would be vulnerable, even though only one has been hacked. Another rule is that none of your passwords should be written down and visible to everyone: for security reasons, you should not write your password in a notebook on your desk or on a post-it note stuck to your screen, even if you are the only one to see it, and even if you particularly trust your colleagues. They might use your login details, share them, or use them with much less care than you (in the best case). Because we must not forget that internal malicious acts exist, and are much more common than we might imagine. TIPS But then how can you remember twenty (or maybe thirty for the most experienced) passwords that long, if you can't write them down anywhere? And how can you share them with colleagues (because yes, sometimes you need to) if you can't say them out loud, or even write them down? Many password vaults exist (e.g. Dashlane, Keeper Password Manager). They allow you to generate passwords automatically (no need to think for 10 days about which characters will make up your password), to save them, and to share them in a reliable and secure way.
   

2. Couple the use of strong passwords with two-factor authentication. This authentication technique is particularly used for "sensitive" connections, such as when you want to connect to your bank account, or to sites that may hold confidential information about you (CAF accounts, Ameli, etc.). This two-factor authentication is generally a password identification, coupled with a biometric identification (facial recognition or fingerprints). It can also be the sending of a confidential code on another of your registered trusted devices (code sent by sms for example). This double authentication is not necessarily offered on all online tools, and very often this function is not accessible by default: it is then necessary to activate it in the settings. This double authentication is particularly useful, as it ensures that the person entering the password is authorised to access the account in question. If one of your accounts is hacked and one of your passwords is discovered, dual-factor authentication would prevent the cyber-attacker from accessing your online account, even though they have the password.
   

3. Update your software regularly. As mentioned in this first part, attacks (on websites in particular) take advantage of vulnerabilities in CRMs, popular plug-ins, frequently used software, search browsers, etc. By updating your software, website, and plug-ins, you fix these vulnerabilities as they are discovered. Of course, hundreds of vulnerabilities are discovered every day, and an update does not provide 100% protection against attacks that may occur. But it is important to fix these vulnerabilities as they are discovered, before they are too widely exploited.
   

4. Encourage collaboration between the marketing, communication and IT departments. Indeed, most internal errors that lead to cyber incidents are due to manipulations carried out far from the supervision of the IT department. It is difficult for the latter to secure tools or practices of which it has no knowledge. The implementation and use of new digital tools must be done in close collaboration with the IT department, which will then be able to explain what flaws are brought about by the use of this tool, what elements must be taken into account, what attacks could then be perpetrated and how to recognise them, and what reaction to adopt in the event of an incident. Marketing and communication teams often see the IT department as an element that can slow down their progress and efficiency. But marketing and communication departments, like many professions today, are rapidly going digital. This digitalisation brings new risks, which need to be identified and taken into account, for the sustainability of the whole company.

Branders and communicators: cybersecurity ambassadors?

Marketing and communication departments are therefore prime targets for cyber-attackers, who know that they are less well prepared and less cautious. However, these two functions could become the best ambassadors for their company's cybersecurity. Indeed, it is necessary for these departments to be aware of the risks that their activities can generate for their company. It is therefore necessary to include these marketing and communication activities in the daily management of cyber risks in companies.

It is essential that marketing and communication departments realise the importance of working with the IT department, as it is the role of the latter to secure their daily practices, in order to make them sustainable.

Raise awareness among marketing and communication teams, train them in cybersecurity risks and best practices, and support them in the digitisation of their daily activities, so that they become promoters of cybersecurity in their company.

Related blog posts:

• Phishing or Spear Phishing: what is the difference?

• Employees in the corporate security chain.

Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!

We need your answers!

By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!

Thank you for your responses!

Would you like to be informed of our news and receive our latest blog articles directly in your mailbox ? Subscribe to our monthly newsletter!

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!