Cyber threats: Why is the PR industry ignoring its own vulnerability?
“EasyJet hit with £18bn lawsuit over massive customer data breach”
“Gloucestershire Council staff leave after data breaches”
“Honda’s global operations hit by cyber-attack”
These are just three examples of major cyber incidents that hit headlines this month. It’s not surprising that cyber security is an increasingly talked-about issue; attacks are becoming more frequent. In May 2020, an estimated 8.8 billion data records were breached.
The public relations industry is no stranger to threats of this kind because, as demonstrated by the above articles, any cyber security breach represents a huge threat to reputation. Organisations that lose or expose their customers’ personal and financial data also risk losing their trust. Plenty has been written on this reputational threat and how PR teams should respond if an incident occurs. A quick Google search uncovers dozens of PR firms claiming to specialise in cyber security. “I was hacked” has become a convenient crisis communications response (or excuse) deployed when politicians come under fire for their social media activity.
Despite this, public relations firms are not taking steps to protect themselves. Employees are the single biggest risk factor for data breeches. They can fall victim to a scam, but it could also be something as simple as failing to create and update strong passwords, or not using an up-to-date version of software. Yet, it’s incredibly rare to find PR agencies with a comprehensive policy and employee training on cyber security. There seems to be no mention of cyber security within the online educational resources or training course outlines on either the PRCA or CIPR website, even though “digital” is a common theme.
It may be that they have a sense of false security; stories on cyber attacks usually centre around large or household name organisations and high-profile individuals. In reality, smaller organisations are more vulnerable because they are perceived to be an easier target. For example, SME PR agencies rarely have a dedicated ICT department.
In fact, there are nearly 10,000 daily attacks on small businesses. According to one report by the Department for Digital, Culture, Media & Sport, a third (32%) of businesses suffered a breach or attack in one year, with that figure almost doubling for medium businesses (60%). One of the criteria for being an SME in the UK is having fewer than 250 employees, and the majority of UK PR and communications firms have less than 99. This leaves most PR firms at significant risk.
Most PR agencies use online services such as email, online banking, websites, social media, and cloud-based data storage facilities. Many will have Bring Your Own Device (BYOD) policies where employees will use personal laptops or mobile phones for work-related activities. This creates lots of potential vulnerabilities. This seeming indifference of practitioners regarding cyber threats is especially concerning considering the amount of confidential data that they store or have access to. This includes commercially sensitive information about clients, the agency’s own financial data, personal information about employees, and the contact details of journalists – all of which would be valuable and a potential target for cyber criminals.
There is usually a lot of focus on the implications of a cyber security breach]. This is for good reason; financial losses, business disruption, regulatory fines, and reputational damage are some of the negative potential outcomes. Many smaller businesses will never recover from the hit of a serious cyber incident.
However, there are plenty of positives that can be achieved through a proactive approach to cyber security:
New business development
Many larger organisations rely on SME organisations, including public relations agencies. As awareness of the need for cyber security spreads, more of these potential clients will require PR firms tendering for business to demonstrate that they have a proactive and comprehensive cyber security policy, to help protect the whole supply chain.
Boosting reputation
The public relations industry has long suffered from an image problem. Taking a diligent attitude towards cyber security could improve the reputational standing of agencies. It shows a willingness to go beyond doing only what is required by law, such as meeting GDPR regulations. It also provides an opportunity to advise clients on the importance of cyber security, especially in avoiding any potential crisis communications scenarios, and the PR firm is seen to be practising what it preaches.
Improving relationships with journalists
Media relations is a key aspect of the day-to-day for many public relations practitioners. Those that are observing best practice in terms of storing and using the data of journalists are likely to build better relationships. For example, journalists may be more willing to have their contact data and information about their interests stored on a PR mailing list if they know that data is secured and being used responsibly.
Building trust with clients
Some public relations scholars believe that PR is most successful when it is involved in strategic management and organisational decisions. Practitioners may be more likely to be granted increased access to boardroom-level confidential information that influences strategy where clients can be assured that any classified data is as secure as possible.
Quicker recovery
Even the most secure organisations can still fall victim to a cyber attack or breach. However, having certain elements of cyber security in place allows for quicker recovery. For example, a ransomware attack can lock down systems or files and ask for money to unlock them, but an agency or practitioner whose work documents are safely and remotely backed-up will be able to return to normal quickly, so there is barely any business interruption.
It is high time public relations took cyber security seriously by raising awareness of its importance and setting it as an industry-wide standard. It is unethical to leave the sensitive data of clients, journalists, and employees exposed, and any attack or breach could prove fatal to SME PR and communications firms. Protecting against cyber risks will benefit individual agencies and improve the reputation of the industry overall.