Three weeks ago, I was fortunate to be at the Cannes Lions Creativity Festival — a fabulous week in the south of France surrounded by the most creative members of the advertising, media and marketing world today. And three days after the closing ceremony, some of the world’s largest companies in virtually every industry were hit by a large-scale cyberattack, including firms like WPP.
An Adweek article on June 28 stated: “Spokespeople for WPP’s chief competitors, Omnicom, Publicis Groupe and IPG declined to comment on the news. But privately, many wondered whether the security systems that these huge networks currently have in place could have prevented such an incident — and how they should proceed in addressing a long-simmering threat that became very real this week.”
More concerning is that as of July 4, the Financial Times reported that many companies are still struggling with the attack. Specifically, according to the FT article, “WPP, the world’s biggest advertising group, said on Tuesday: ‘IT systems in several WPP companies have been affected by a suspected cyberattack.’ The website for the holding group, which owns agencies such as Group M and Burson-Marsteller, was unavailable.”
In contrast, the topic of security was not covered in any of the conversations I had in Cannes with the many CMOs and others. Sure, there were a couple of sessions on it, but those mostly took place under the guise of big data and privacy, rather than the actual ability to ensure business continuity in the face of a cyberattack. That didn’t come up.
But I know it did for every CMO affected three days after the festival ended. Because all of the sudden, systems were down, and in some cases, are still down.
It strikes me that while those of us responsible for the external face of our companies — our brands — have been involved in planning for crisis communications in response to these kinds of threats, we need to be supporting the planning for how to avoid these threats. And we aren’t right now.
That pervasive phrase of “digital transformation” has permeated every aspect of the corporate landscape over the last several years. But never more so than from the seat of the CMO. CMOs have been driven to connect to the cloud, leverage every ounce of data they can collect, and whenever possible, monetize, monetize, monetize. They aren’t alone: the CMO has had to work alongside colleagues in IT, product management, operations and every area to digitally transform every business action in a similar way.
The unintended consequence of this transformation — to use words not typically in the CMO vernacular — is an expanded “surface of attack.” By expanded surface of attack, I mean, by leveraging the public internet to support the digital transformation in as many ways as possible, companies have opened themselves up to a much larger scale of assault by hackers intent on attack — all the time, on a global scale.
As we’ve been saying in the last couple of blog posts, the public internet was not created to protect anything. Don’t get me wrong. We believe in a public internet that helps connect humans around the globe, and has provided untold benefit to millions. But the public internet isn’t designed to protect a company’s most valuable data, a corporation’s intangible assets or a multinational’s mission-critical infrastructure.
Right now, CMOs around the globe need to be pressing to understand how those most valuable assets are being treated and how to lessen the surface of attack.
We have been referencing the need for what we term “Triple-A” networks. These are global, private, isolated networks where businesses can control Access, Availability and Attribution. It’s about a business being able to specify its level and speed of access, know it’s always on, and always know both who is on it and what they are doing.
This is about the mission-critical infrastructure being used by the CMO to carry out the job — what’s in place to carry it out continuously, without interruption and most importantly with as much confidence as possible. That they are investing in actions that drive the business outcomes they are looking for: more views, more foot traffic, more cart sales, etc.
This means the CMO has to now take aim at how to lessen the surface of attack and invest in solutions like a Triple-A network, which is going to make the difference in the response to what happened three days after the close of Cannes. CMOs are not handed a problem they weren’t involved in creating — they are leading the charge to avoid it happening again.
Mary Clark is a former Chief Corporate Relations Officer and Chief of Staff at Syniverse.