Lie, cheat, & steal: Cyberthreat marketing
Last month I wrote about the increasing growth of cyberthreats and the potential impact this is going to have on marketers. Since then, we have had another major scare (Petya), which started out looking like a ransomware attack and then possibly became a data destruction attack. The velocity of attacks continues to ramp up, and the fun is really just starting. Fortune had a cover story on cybersecurity last week, continuing the mainstreaming of the topic.
As marketers, we have to pay extra attention to the tools that criminal hackers use, and how they use them, so we can explain what is going on to our internal and external audiences. For better or worse, these are many of the same things we do every day as marketers, just with a very different intent.
Fundamental to almost every type of cyberattack is the LIE. Whether it be a big lie or a small lie, lying is often the way to get some innocent victim to “open the door” and let the threat (or threat actors) inside. From fake emails (spam) to fake websites and social engineering via phone calls, the lie provides the attackers with a way onto the network — that network that we are so busy protecting with technology, passwords, and employee training — and once onto the network, the odds quickly shift in the attackers’ favor.
Lying is a very specific form of the larger category of influence techniques that social psychology has studied for decades. Getting people to agree to a request, verbally or online, causes a cascade of internal changes that can make people more susceptible to future requests. Since we often get “rewarded” today for clicking on a link and reading some juicy gossip, the inclination to click is strong. Breaking that habit, or at least curbing it, is one of the fundamental steps in cybersecurity training.
To be clear, the likelihood you are going to have to explain a cyberattack at some point is high, and you are going to get asked to explain how it happened. As convenient as it might be to say “someone clicked on something they shouldn’t have,” I don’t think that is the right approach. It may be the truthful answer, but it is not a particularly helpful one. Criminals lie, cheat and steal to get access to your data and/or your money. You need to become better at explaining criminal behavior in a larger context, with specific lessons learned built into the story.
Back to that attack. If the known cause of penetration was someone clicking on a link (and there are often many potential penetration points, depending on the sophistication of the attack), there is a much better story to tell. First, explain as best you can what happened (e.g., ransomware, data exfiltration, denial of service) given what you know. (There are a lot of unknowns, and a lot of legal issues surrounding what you can share and when — a topic for a future post.) Then, explain the types of methods known to allow criminals access to networks/computers, such as spam, password theft, brute force, etc. Instead of pointing to a specific vulnerability in your organization, explain that one or more of the known methods appeared to be used. Finally, make a point of explaining what your organization has done and is doing to prevent future intrusions.
Criminal hackers lie all the time. Good marketers don’t lie, but we find the version of the truth that is most convincing to our audiences. When it comes to cybersecurity, we have to continue to emphasize an approach that puts truth ahead of obfuscation, education of others at the center, and adherence to various laws and corporate governance policies as a foundation. It is not easy standing up and admitting you have been hacked, and then possibly admitting that you don’t exactly know how it happened, but if we don’t all start thinking through how to talk about this it will happen again and again.