Cymulate posted on 20 Aug 2020
CMO of Cymulate, VP Marketing, B2B Cyber Growth Strategist, Advisory Board, Entrepreneur, G-CMO Member
What is a company’s brand?
It is the company’s distinct personality, what it represents and stands for. It creates the emotional and human connection to the company’s product quality, price, customer service, corporate responsibility and more. A company’s brand also has a financial value. It determines the premium that a company can demand for its products and services, contributing directly to its stock price and valuation.
Coming from the security industry, I see amazing brands get their reputations crushed due to security incidents and data breaches. The immediate result of a cybersecurity breach is a 5% drop in stock price. Garmin was no exception; the company experienced a cyber-related outage on July 23, resulting in a 5% drop in its stock price shortly after.
Seventy-one percent of consumers believe controlling access to their information is an organization’s obligation. Customers expect companies to safeguard their data, assets, money and well-being, and to consistently provide them the products and services they pay for. When a security breach occurs, these things are in jeopardy and, consequently, so is the company’s brand. The same report shows that “71% of CMOs [chief marketing officers] believe the biggest cost of a security incident is the loss of brand value.”
What’s the connection between marketing and data breaches to a company’s employees?
Humans are still the weakest link in the cybersecurity chain. In fact, according to a 2019 report by Accenture, “Phishing and social engineering attacks are now experienced by 85% of organizations, an increase of 16% over one year.” This year saw a 350% surge in phishing websites from January to March, indicating cybercrime’s rush to take advantage of the uncertainty that accompanied the Covid-19 pandemic. Additionally, it was found in 2018 that more than 40% of reported security breaches are caused by employee negligence.
A phishing attack is usually performed by a hacker sending a seemingly innocent email to employees with a malicious link or attachment. The unwitting receiver triggers actions that provide the attacker their crucial first step to achieving their objective.
Phishing emails and websites impersonate legitimate organizations — ones that you would have a reason to visit or click. These could be health-related organizations offering information or advice, financial organizations offering support or companies offering work-from-home connectivity platforms and tools. For example, Microsoft Office 365 remains the No. 1 spoofed brand in phishing attacks due to its high adoption. Ideally, the attacker will attempt to obtain employee credentials or personal information that can be leveraged during an attack.
With employees being the weakest link in the cybersecurity chain, marketers have an opportunity to improve a company’s security posture by raising employee security awareness through education and increased engagement and cooperation. To find out how effective internal communications can be in increasing employee awareness and adoption of online security best practices, we recently ran a poll on LinkedIn, and based on about 150 respondents, we found that 87% believe it is either effective or very effective.
Collaboration between marketing, internal communications and security executives should be leveraged more to increase employee awareness of phishing and security best practices in order to decrease cyber risk.
How can marketing help chief information security officers elevate employee security awareness and prevent brand impairment?
When I spoke to Neil Langridge, an industry value-added distributor (VAD) in security, we agreed that a positive cyberculture within a company requires building a story around cybersecurity to engage with internal staff and gain their buy-in — it’s about creating two-way engagement, and it can even be fun.
Marketers, as storytellers, are the experts in setting the stage to enable conversations, outside and inside the company. To really make an impact, we can take a multitouch approach that engages employees.
A multitouch drip campaign will serve different types of employees who absorb information differently. A simple email campaign will not work. So, what can you do?
Consider creating a short online training module that includes storytelling of real attacks and how those attacks could have been avoided. Gamify employee testing with competitive riddles and prizes. Ask employees who got “hit,” and those who managed to avoid a phishing attempt, to record and share their personal experiences.
Marketers are great at driving a message, especially to a captive employee audience. Run a series of promotional items employees can collect with stats about phishing. Leverage your intranet to have phishing do’s and don’ts handy. Hand out infographic banners. Retain a service that simulates a phishing attack on employees. Create an emoji to send via instant messaging to recognize employees who manage to prevail.
Share the results of internal phishing campaigns, and track your company’s performance to show improvement over time. You could also create a virtual phishing escape room for employees to have fun as they learn. Use words; be visual, physical and virtual. Make it two-way communication, and run group workshops.
As Bill Gates has said, “I’m a great believer that any tool that enhances communication has profound effects in terms of how people can learn from each other.”
In another poll we ran on LinkedIn recently, we asked how effective simulated phishing campaigns can be in increasing the security awareness of employees, and of the 80 respondents, 75% stated they were effective or very effective.
Your brand is valuable and vulnerable. A 2017 PwC report found that “69% of consumers believe companies are vulnerable to hacks and cyberattacks,” and 87% of them are willing to “take their business elsewhere if they don’t trust a company is handling their data responsibly.”
CMOs have a vested interest in safeguarding the value of their brand against cyberattacks. Even great security technology may fail if an employee unlocks the door from the inside. Be proactive, and use internal communications to creatively engage with and educate employees to keep your brand safe.
Gily Netzer, the CMO of our portfolio company Cymulate - Breach & Attack Simulation, shares her take on the connection between employees, phishing, marketing and your company’s reputation.