Alloy logo

October 01, 2019

Anna Ruth Williams



Let’s be honest, what was your reaction when you heard there was a massive YouTube breach one week ago? Or how about the giant Capital One scandal that’s still hitting headlines and causing headaches? Did it cause you to pause? Did it make you wonder about your company’s own cybersecurity protocols? 

As a result of our connected society, it’s become commonplace for businesses to become victims of cyber attacks. From malicious emails landing in inboxes to attacks being sent over SMS, it’s all in hopes of gaining access to information for financial gain. his is no doubt costly for businesses. In fact, the FBI recently reported that one type of an advanced phishing attack – business email compromise – cost organizations $26 billion dollars globally over four years.

For marketing executives at tech companies, working with a marketing and PR agency that prioritizes cybersecurity should top their list of agency selection criteria. With access to client’s confidential data – such as competitive intelligence, product plan, and future deal announcements – marcomm agencies are a prime cyber target. And unlike enterprises that have vast resources and security teams to initiate cybersecurity protocols and tools, marcomm agencies typically do not dedicate time or money to cybersecurity.

Unfortunately, cyber attackers know this and, therefore, zero-in on the weakest link of the supply chain. As a result, when vetting tech PR  agencies, marketing leaders should take a hard look at their cyber policies in place.  

The New Cyber Risks of Marcomm Agencies

The risks for marcomm agencies regrettably don’t stop at being a one-stop-shop of corporate data. As the way we work shifts to include “work from home” policies, flexible hours and personal devices, the attack landscape grows for criminals.

For example, maybe an employee logs on to a coffee shop’s WiFi, which unbeknown to them is insecure, while they’re remote one day. Or perhaps an employee ignores the reminder for the critical software update to their laptop for the tenth time. All of these realistic and common scenarios present opportunities for cyber attackers to compromise a device and breach a company.

As Alloy client Coronet frequently discusses, marcomm agencies also tend to use the latest apps and software, including cloud apps like Slack, Office365 and Dropbox, to communicate and share files internally and with clients. To many people’s surprise, however, these apps are frequently targeted in cyberattacks as their inherent vulnerabilities are prime vectors to criminals.

Cyber Steps CMOs Should Demand of their Marcomm Agency

Other than utilizing the best technical tools available - such as those offered by our cyber clients for email and cloud security - marketing leaders must demand that their agencies take steps to address the behavioral and procedural processes around cybersecurity:

  • Conduct an agency-wide risk assessment – Identify where their greatest vulnerabilities lie. When was the last time the agency did a risk assessment? How many devices does the company have? How many are personal? What software tools are they using? Are there other tools that have better security standards they could be using?

  • Educate, educate, educate – Does the agency require education security training for all employees? Does the agency implement policies that require employees to update all devices, including personal devices? If not, they should.

  • Set up the right tools – Make sure the agency has initiated two-step authentication for passwords and secured inboxes and cloud apps with tools that are the right fit for your cybersecurity needs.

  • Require cyber insurance – Not only should a tech company have cyber insurance, but all agencies, vendor, and partners used by the tech company should also. Again, attackers go after the weakest link in the supply chain.

  • Identify an incident response plan – Does the agency have an incident response plan? Do they know what to do in the event of a breach? All employees, clients and stakeholders explicitly need to understand how to handle a breach, including how to report a threat if one is identified.

Cybersecurity is the reality of the world we live in – and agencies, whether they want to or not, need to sign on. It’s not a matter of if they’ll get attacked, but when. As a result, tech CMOs should vet their agencies thoroughly, because, let’s be honest, you don’t want your agency to be the reason your company is in the headlines.