holiday cybersecurity attacks

Four Big Cyber Risks Facing CMOs this Holiday Season

Tis the season for costly cyberattacks and breaches, seasonal employees with access to sensitive data, malicious ad bots, and compromised corporate credentials.

It’s the most critical time of the year for CMOs, many of whom have spent the last 365 days preparing their strategies for the holiday shopping season. All good–except the merriest season can also be the riskiest season, from a cybersecurity perspective.

While many marketing leaders invest significant time and effort into ensuring that this is a profitable period for their brands, they may not put enough focus on the significant losses that could occur as the result of increased vulnerabilities. “Any disruption to their business at this time could have catastrophic impact,” said Jeff Paradise, CMO of password manager app Dashlane. “Add to that the risks associated with handling tens of thousands of transactions and the risk profile increases significantly considering the potential for a major cybersecurity breach involving personally identifiable information, credit card data, or shopping data—or a major outage due to a DDoS attack or similar event.”

Amidst the holiday hustle and bustle, the impact of several cybersecurity issues increases: not simply cyberattacks timed to when traffic and transactions are typically at their peak, but also dangers associated with seasonal employee systems’ access, digital ad fraud, and employees using their corporate credentials for holiday planning. At the same time, marketing teams and their third-party partners have access to confidential data and valuable intellectual property that could become compromised as they are consumed by their end-of-year duties. Any one of these possibilities can cost companies dearly at a time when they can least afford the disruption.

“CMOs are likely not nearly as involved or familiar with cybersecurity in most companies. They absolutely should be, however,” said Jason Hoenich, co-founder of cybersecurity awareness company Habitu8. “Almost every aspect of a CMO’s responsibilities now has direct tie-ins with cybersecurity risks, and they should be actively seeking and having a weekly dialogue with the CISO or the InfoSec teams.”

It’s little wonder that mitigating cyber risks fails to make it to the top of CMOs’ to-do lists when the marketing function is often the owner of paid media, product marketing, social and community management, public relations, business development, customer and employee engagement, content development, revenue generation, business intelligence, and more. But as business becomes increasingly digital and the cost of cyber incidents grows, there’s clear value in marketing leaders working more closely with their IT and security counterparts throughout the year to bolster their cyber defenses. In addition, CMOs should intensify efforts to reduce their risk profiles in anticipation of the holiday season—vetting vendors, co-sponsoring IT projects to safeguard customer data, observing the behaviors of their internal teams, educating employees, and being in involved in building incident-response plans. “In just the past 12 months, billions of records have been breached, reputations have been damaged, and valuations on large acquisitions have been deeply discounted because of cyber attacks,” said Paradise. “The damage done by cyber attacks has the potential to set you back months—if not permanently put you out of business.”

We’ve highlighted the four biggest cybersecurity risks that marketing leaders should unwrap this holiday season and beyond.

The Dangers of Downtime

The most obvious—and arguably most costly—holiday hazard is the impact of downed systems. “During the holiday season, when traffic and transactions are at their peak, online businesses stand to lose the most from network downtime,” said Sammie Walker, CMO of IT automation and security company Infoblox, pointing to last fall’s distributed denial-of-service (DDoS) attack on DNS provider Dyn. The October incident knocked dozens of major sites offline for a day, including Netflix, Airbnb, Twitter, Etsy, Amazon,, and Spotify. “Now, imagine that customer frustration and business loss if that had happened during the holiday shopping season,” Walker explained. “Vulnerable DNS can cause the most damage if it goes down, as it takes the entire business offline. This brings ad and transactional revenue to a grinding halt.”

The vast majority of companies—84 percent—have been victims of DDoS attacks in the last year at an average cost of  $2.5 million, according to Neustar’s 2017 DDoS Attacks & Cyber Insights Research Report. The impact during the holidays could be even greater—and that does not factor in reputational impact and loss of customer trust. “CMOs should ensure their network security and DNS infrastructure are prepared to defend against DDoS attacks, breaches, and malware,” said Walker. They should also build in redundancies in the event that a provider is hit, communicate regularly with IT and security teams during this busy period, and make sure they have rehearsed contingency plans in place.

The Influx (and Outflow) of Seasonal Employees

A major cybersecurity risk for brands are former seasonal employees that can still access company systems and the data they contain. More than half of ex-employees still had access to company applications, according a 2017 survey by secure access provider OneLogin.

“A disgruntled former employee with access to advertising and social media management applications could deploy offensive online ads and post them to company social properties, causing significant damage to their former employer’s brand,” explained Al Sargent, senior director at OneLogin. CMOs should work with IT and HR to make sure that there is an identity and access-management system in place that securely and completely offboards all users from all company applications, laptops, and networks when their engagement ends. This should be done for both full-time employees and contractors. Online retailer StitchFix, for example, does this for its rotating crew of part-time fashion stylists who typically work for the brand a few months at a time.

The Rise of the Ad Bots

With the increase in holiday digital ad spend comes a commensurate spike in malicious bots—and both brands and publishers take the hit when ad fraud occurs. Cyber criminals are embracing a broader spectrum of sophisticated tactics that make bots appear more human to avoid detection. As much as $3.5 billion dollars could be lost to advertising fraud in the final quarter of this year, as companies scramble to fulfill peak demand, according to automated threat prevention provider WhiteOps. That amounts to half of the total ad fraud losses predicted for the year. “Digital ad spend is huge for CMOs,” said Habitu8’s Hoenich, “and they should be familiar with the current threats happening from malicious ads.”

There are a number of steps marketing leaders can take to diminish the impact of bot fraud, according to an earlier report by the Association of National Advertisers and WhiteOps, including demanding transparency on source traffic from their vendors, refusing payment on non-human traffic, and working with fraud detection companies accredited by the Media Rating Council.

Compromised Corporate Credentials

Holiday e-commerce will hit a record $107 billion this year, according to the latest research from Adobe Digital Insights. Ticking items off those holiday shopping list at work is more than a potential drag on employee creativity—it can create opportunities for cyber criminals to infiltrate corporate systems.

Employees that use their corporate email addresses or passwords for their seasonal purchases substantially increase the risk of compromised credentials leading to cyber breaches. “Many organizations experience their peak season of compromised corporate credential ingestion during the holiday season,” said Christian Lees, chief information security officer at InfoArmor. “Often, consumers use corporate credentials to shelter spending habits, tend to use their work email more than others, or want to keep the gift a secret in anticipation for the holidays. While these behaviors are understandable, these actions tend to greatly endanger the employees’ organization.”

The marketing group, in particular, is sitting on a gold mine of customer data and competitive intelligence, and very often the credentials the team uses to access their Facebook Power Editor are the same ones they use to log into Amazon. “More often, the risk lies with the end user of a department such as marketing,” said Dashlane’s Paradise. “And given marketing’s broad exposure through the use of various third-party cloud services, it’s the CMOs responsibility to take measure of how the team is managing credentials and take immediate steps to increase security.”

CMOs should partner with IT and HR to introduce and enforce several simple rules, according to Byron Rashed, InfoArmor’s vice president of global marketing and advanced threat intelligence, including never using corporate credentials for non work-related web sites, ensuring that passwords for cloud-based work systems are different than those used for corporate systems, and notifying IT whenever credentials or passwords are compromised.

In addition, “everyone should ensure that mobile, tablets, and laptops have password or passcodes on them to access the device and be vigilant about keeping them nearby and protected,” said Rashed. “An obvious potential danger is in the latest version of iOS where a ‘keychain’ can be easily accessed through settings. The user names and passwords are available in this feature. If the device is lost or stolen and no passcode protection is on the device, all the user’s accounts within keychain are at risk.”

So now that security is battened down, let visions of sugarplums dance.