Security: A Marketing Conundrum: why IT security experts are taking marketing directors to lunch

19 08 2010

I was reading an excellent InformationWeek analytics report by Michael Davis called Global Threat, Local Pain: 2010 Strategic Security Survey (May 2010). As someone involved in cyber security and working with Narus, I found this report especially enlightening. Technology alone is not sufficient to keep your networks secure. Working with marketing to incorporate people and process into your holistic solution is a good first step toward protecting the integrity of IP networks.

We know that technology can be used both to launch and to defend against network attacks. On the offensive side, it enables the planting of malware and the potential to exfiltrate data out of a network or system. In many cases, firewalls and intrusion detection and prevention systems are used to reduce these types of attacks. These technical approaches alone are far from sufficient. Security directors need a holistic view of the network and a multi-layered approach to security, especially when fighting the newer types of attacks.

There are more insidious ways to attack a network. We, the general public, don’t usually think of security being compromised through psychological, behavioral, and social engineering means. Yet that is exactly what is happening today. And that is where marketing comes in.

Marketing is the battle for the mind, as Al Ries and Jack Trout claimed in their seminal work “Marketing Warfare.” Who would have thought that the concepts in a book written more than twenty years ago, prior to the tsunami called the internet, would have repercussions for maintaining the security of networks? Marketing is tasked with making customers aware of products or services, and with finding ways to get customers to take an action through a promotion, a click-through, or an interactive dialog. Think about the tools that marketing uses: search engine optimization (SEO) techniques or a well-worded direct email program with embedded URLs.
When a customer clicks on a URL, it opens the possibility of someone inside a corporation opening a “window” onto confidential or private data. Pieces of malicious code can be downloaded and, over a period of time, used to send information out. The InformationWeek survey indicated that the second greatest security risk comes from authorized users/employees, mostly due to phishing expeditions. We see legitimate email programs all day with embedded URLs. Why wouldn’t we assume that a phishing expedition is legitimate as well? These attacks are on the rise because people are susceptible to clicking on messages that seem to be real. You don’t need the technology to get information out of corporate networks. Rather, with these social engineering attacks all you have to do is convince the user to voluntarily provide the information!

In an SEO attack, a user’s search for specific items (say, those ranking high in Google analytics) sends the user to a site that looks real. In reality, the user is redirected to a “spoofed” or “fake” site where the user can be targeted, with the intent of gaining the credit card or account information of an individual or corporation. No wonder the survey made the interesting comment that there is a potential new bond between the marketing people, who understand the psychology of how to get customers to take action through marketing programs and social engineering, and the IT directors, who tend to work on technical solutions.
How can companies and organizations reduce their risk from these new social attacks? Let’s assume that the IT directors implement the right technology, such as the combination of signature-based malware protection, policy management, and traffic intelligence from companies such as Narus. In addition to technology, policies such as filtering, blacklisting, and most of all training of employees are needed to prevent attacks. First, the security officers have to work on policy and on filtering of sites that are normally risky. Perhaps screening of certain emails which contain known types of embedded risks has to be done as well. Most importantly, the marketing directors must work with the IT directors to help educate employees on how to protect themselves against these social engineering attacks, which will have the attendant benefit of protecting the employees in their private lives as well as their companies.

Unfortunately, it’s a complicated problem. Yet the combination of people, process, and technology, coupled with a good bond between marketing and IT specialists, may be a good first step toward protecting the integrity of IP networks.