Ad Agencies: Malware's Perfect Target

If advertising companies are so aggressive about winning lucrative business, why are they so passive about protecting it?

Malware Advertising Target

This week, unknown hackers launched a new ransomware attack that made May’s WannaCry attack look quaint by comparison. The malware (nicknamed Petya) spread globally from metro systems in the Ukraine to a Danish shipping conglomerate to, terrifyingly, the Chernobyl plant.

Along the way, it also hit WPP, a British advertising giant which, while lacking the critical infrastructure of those other targets, boasts a bounty of sensitive information to hold hostage. Unable to access networks, WPP employees were sent home, paralyzing company business. The attack continued to disrupt parts of the enterprise days later.

The virus, a variant of the WannaCry attack, exploited unpatched holes in Microsoft’s security software. Hackers demanded approximately $600,000 to decrypt the files. It is not yet clear if WPP has paid the ransom or lost clients over this reputational hit.

Although this type of attack is relatively new to the advertising world, it’s not entirely unexpected. Three years ago, networks for Google’s DoubleClick and the ad-operations agency Zedo, both of which facilitate the placement ads on webpages, were compromised. These hacks, dubbed malvertising, triggered the download of malware after a reader clicked on an ad.

In the context of what could’ve gone down, WPP got off easily. Its attack was financially motivated, and data wasn’t stolen. The latter is particularly concerning to ad agencies, because they’re constantly competing against each other for lucrative client work. In this industry, there is a resounding anxiety over disappointing difficult brand clients, and suspicion over losing that lucrative business to a competitor. The fear is there, but where’s the cyber-risk management?

As contractors, ad agencies are usually given digital access to sensitive client documents. They’re expected to protect those proprietary designs and marketing strategies entrusted to them. If compromised in a targeted attack (including malware), this information could be used by a rival to beat a brand to market or outmaneuver them based on marketing tactics. Meanwhile, high turnover rates—notably the poaching of employees—leave agencies vulnerable to the insider theft of confidential ideas, timelines, and financial details that would benefit other agencies.

Agency espionage may not sound like high-stakes thievery, until you consider that brands such as PepsiCo and Coca-Cola each bring in upwards of $1 billion a year, much of that driven by advertising-marketing engines. And yet their security programs—frequently IT teams that do little more than install patches and oversee various scam tests—feel like afterthoughts. “They’re probably doing the minimum versus other, more heavily regulated industries like financial services that deal with critical data,” Tom Pageler, former lead of cyber security and fraud initiatives at JPMorgan Chase, said to AdWeek.

Advertising-marketing agencies nurture cultures that reward creativity. This hurdle requires a practical, and not technical, solution: entwining risk-management plans with cybersecurity practices. That could be easily built around an automated analytics-driven platform that pays close attention to behavior (of employees, servers, files, and endpoints used to steal information) while prioritizing risks for the security team. Without it, stealthy inside jobs and viruses created to elude detection can handily navigate through security cracks. This strategy should also emphasize educating employees about, and holding them accountable to, best practices such as spotting malware attempts and safeguarding their credentials.

Perhaps most significantly, experts agree that it’s time for the CMO, a powerful figure in the ad-agency world, to be heavily invested in risk management. “The CMO has been living in a bubble,” Steven Wolfe Pereira, chief marketing and communications officer at Neustar, told AdWeek, suggesting that they don’t understand the full impact of a breach. Added Pageler to Ad Age, “Business continuity is the most critical issue in the C-Suite. If you can’t even conduct bare bones business, then it all breaks down.”