Hacks are becoming common news these days. Scarcely a month goes by without another major corporation being hacked, whether for financial gain, political or terrorist motivations, or simply mischief.
There was the 'WannaCry' attack of May, which affected Windows machines at the NHS, Deutsche Bahn, FedEx and Telefónica. And last month, of course, advertising giant WPP became the latest victim. On 27 June, WPP employees reported systems crashing and ransom demands as the result of the 'Petya' attack.
Several of WPP’s agencies including GroupM, JWT, PR giant Burson-Marsteller and Y&R were thought to be affected by the attack. The holding group’s website also went down.
WPP wasn’t the only company to be affected: Danish shipping giant Maersk, Russian oil company Rosneft and the Ukranian central bank were also victims of the ‘ransomware’ attack, which caused machines to freeze.
As one would expect, things soon returned to normal at WPP and the other companies. These big companies have robust security systems and are probably far less vulnerable than individuals or small firms. I understand that IBM, no less, provides WPP’s IT and data services. If there’s anyone who could be trusted to get on top of stuff like this, it would be IBM.
As far as anyone knows, the hackers’ attempts to blackmail the victims into paying ransoms with BitCoin failed. WPP boss Sir Martin Sorrell said that said there was "no indication that either employee or client data has been compromised".
So, it was all a bit of a storm in a teacup, wasn’t it? WPP’s share price wasn’t affected once things had calmed down, and solutions were found quickly. So everything’s hunky dory again.
Maybe – but why am I so worried? My concerns aren’t really directed at WPP; the company was an unfortunate victim, and is probably no less prepared for these things than rivals like Omnicom, Publicis or Dentsu.
One of the things about hacks is that they are often produced and launched without a specific victim in mind. WPP was most likely a victim of what’s called in the industry a “drive by”: someone inside the WPP network became infected after visiting a website and inadvertently downloaded something; or someone clicked on an email and downloaded something; or there was an exploit (a piece of malicious code) in the browser that forced an execution (an automatic download, perhaps) and it spread to the main controller. From there, the rest of the company became infected and very quickly.
And this is one of my concerns: just one person can innocently cause chaos across a network, despite training, firewalls and spam filters.
Then there’s motivation. Not only do we not – yet at least – know who initiated the attack, we have no idea what their motive was. Perhaps they were just after some BitCoin; perhaps they were bored geeks looking for a challenge or to cause cyber-mischief; maybe they were anti-capitalists, seeking to damage big business; perhaps it was someone working for a (possibly hostile) foreign government; or organised crime was involved – it is estimated that 90% of all data records that were used in a crime was a result of hackers employed by organised crime.
Most worryingly of all, these last two attacks might just be the hackers, whoever they are, 'testing the water' – seeing what can be done or exploited, who’s vulnerable and so forth. Perhaps something more damaging, even devastating, is just around the corner.
And another attack of some sort will happen again at some point.
It has become clear that our increasing reliance on data and IT makes us vulnerable – and not just to hacks, either. Remember the British Airways meltdown at the end of May? That may end up costing the company upwards of £100m. It’s not just profits that could be hit, either; investors can be jittery, and they may punish companies they see as lax in their attitude to security. Share prices could tumble catastrophically in the wake of future attacks.
But this is not a sector or company-specific problem, it’s a universal and global one, so to simply punish one company’s share price would be a very blinkered thing to do.
Thus, depending on the prevalence of subsequent attacks, it may have a wider affect on overall global share prices.
But marcomms does have one particular problem – it deals increasingly in data – data about and from its clients, and about and from, millions of consumers. And big data has long been seen as one of the industry’s saviours in an era when many advertising services are becoming increasingly commodified.
The bigger concern for the marcomms sector is whether we see a myriad of these type of viruses and worms being developed, and that attacks happen on a regular basis.
Ultimately this won’t just result in the repeated short-term crippling of businesses’ ability to transact, but could cause global mistrust of the internet and the security of data on it.
This could lead to people withdrawing the amount of data they are prepared to share and returning to the old model of using the internet for ‘information-pull’ purposes only.
Given the marketing industry now relies on analytics and individual data as its backbone, this could have more serious implications, particularly around tailored online marketing, one of the growth areas of the industry.
This is obviously a doomsday view, but if people’s data is being held to ransom then it follows that there could be an assumption the data may be insecure in the first place and there would be less willingness to share. Over the past couple of years, thanks in part to privacy concerns, we’ve seen the rise of adblockers, which have impacted the effectiveness of popups and online display ads.
An especially severe attack could impact on consumer and client trust in agencies’ ability to secure data – and such an attack wouldn’t even need to be directly on an agency. Thus digital marketing – on which so much of the marcomms industry’s future growth is predicated – could be snuffed out before it’s even reached adolescence.
In a 2016 Verizon study of security breaches, there were 285m data exposures, which works out to about nine records exposed every second. Some 26% of these attacks were executed internally within organisations.
So what can be done? In many ways, attack is the best form of defence, and I think the industry (indeed, all big business) has to work together to demonstrate that it takes these problems seriously.
This means acting now – and not just waiting for the next attack and reacting to it. It means a complete change in thinking. Security has to be an ongoing problem, not one you solve when it comes up. Of course, hackers will always be one step ahead of the corporations, but if the big holding networks can demonstrate that they are treating security of data with the utmost seriousness, they will do much to restore and retain consumer and client trust.
This could take many forms – hiring former hackers, perhaps; people who understand the hacker mindset, who can anticipate their next step. It means investing in rigorous, automated testing systems – ones that can test all systems, every machine in an organisation, thoroughly and at least daily, if not more often. It means investing in (again, ongoing) training so that all employees understand at least the basics of IT hygiene. It means being as transparent as possible, and being able to carry out regular security audits. And it means updating systems regularly.
All this will cost, of course, but if it preserves trust, it will be well worth it.
Barry Dudley is a partner at Green Square, corporate finance advisors to the media and marketing sector