Hacking: the growing threat

Recent high profile hacking incidents have highlighted the increased threat of cyber crime. Joe Lepper looks at what PR professionals can do to avoid becoming victims.

Hacking
Hacking

As PR professionals rely increasingly on mobile devices and social media, the risk of them becoming victims of cyber crime is mounting at a startling rate. PR people need to ask themselves how secure the information they keep for clients is, whether information on a mobile phone is protected and how easy it would it be for their or a client's website or social media account to be hacked.

In March, PR agency 3 Monkeys fell victim to cyber crime when its website was hacked, although the agency has declined to comment on the incident.

High profile Twitter accounts are also increasingly becoming prey for hackers. Burger King, HMV and the BBC are among those to have had their accounts hacked this year alone.

According to latest government figures*, 93 per cent of large corporations and 76 per cent of small businesses have reported a cyber breach in the past year.

Danny Whatmough, director of digital strategies at tech PR agency EML Wildfire and chair of the PRCA's digital group, says: 'I suspect we will continue to see more of these types of incidents. It is something that PR professionals need to be taking seriously.'

To counter this increasing threat, the Government launched the Cyber Security Information Sharing Partnership last month to gather information on cyber security threats. Already 160 companies are involved.

Craig Elder, head of digital at Blue Rubicon, which was hired by the Government's National Fraud Authority earlier this year to support cyber security promotion, says social media breaches are a particular concern for PR professionals.

He says: 'Done properly, Twitter provides a fantastic opportunity for companies to communicate directly with customers. But the wrong sort of tweets could erode reputation quickly and cause long-lasting damage.'

The Government specifies in its procurement guidelines that any agencies it hires have to 'maintain adequate security arrangements' regarding data.

But Dean Russell, EMEA digital marketing director at Lewis PR, says most potential clients rarely ask for such guarantees.

He says: 'There has already been an education in the benefits of social media across the industry: the next phase is an education about security. More clients will look at examples such as Burger King and want to know how they can prevent that.'

Six key ways to combat cyber crime

1. Ensure all staff receive IT security training

At Lewis PR, the IT team is closely involved in training PR professionals in IT security, which is part of the induction of all staff.

Issues covered include avoiding storing confidential data at PR professionals' homes or on mobile devices, says Kelly Redding, head of IT at the agency.

He adds: 'The IT team also sends out IT Tips & Tricks mailers on a regular basis. Some of these mailers offer useful tips for email security, mobile security and any changes that are being made within the IT infrastructure that affect security.'

Neil Stinchcombe, director of Eskenzi PR, which specialises in IT security clients, says that an effective IT security training package should make all staff aware of common scams such as sending USB sticks containing malware.

2. Have a data security policy in place

A robust security policy is crucial to tell staff clearly what they can and cannot do in terms of data security, says Stinchcombe: 'The policy needs to be clear about what is sensitive information. You need to think about the lifespan of the information with the client. Information may need to remain confidential after you have carried out the work and how that is stored or handed over to the client needs to be clear.'

Nigel Stanley, chief executive of IT security company Incoming Thought, says this policy should also highlight the legal duty of staff to protect data and not be reckless with the agency's or client's IT security.

3. Use passwords and encryption wherever possible

Stinchcombe says any data that is taken out of the office on mobile devices should be encrypted and only accessed through passwords.

He also recommends changing passwords regularly to counter the threat of disgruntled staff taking over a social media account or website. This happened to troubled music retailer HMV in January when its administrator Deloitte announced 190 job losses and a member of staff voiced her objections on HMV's Twitter account.

Elder also recommends having a tool in place such as HootSuite, which gives multiple password access to Twitter accounts that can be revoked quickly. He adds: 'It's surprising how many companies hand complete control of their social channels to relatively junior members of staff.'

4. Avoid using apps

PR people need mobile devices to communicate, but are putting their clients' information at risk every time they send an email or update a social media account or website.

Security expert Cal Leeming says a good way to make mobile devices more secure is by using browsers to access social media and email rather than apps: 'With apps, unless you were involved in devising the code, there's no real way that you can know how safe it is.

'But if you access something through a browser like Chrome or Safari you can easily delete the history. It will not completely stop a hacker, but will at least give you some protection.'

Stanley recommends only downloading apps from reputable marketplaces.

5. Ensure social media and data access is monitored

Effective monitoring of social media activity can ensure a hack can be spotted and dealt with swiftly. Russell, who uses a Netvibes tool to monitor unusual patterns of social media mentions, says: 'Take the Burger King example. We knew something was going on there within seconds even though they are not a client, and could then monitor our clients' accounts to see if it was more widespread.'

A data system that can restrict access and flag up inappropriate use of confidential information by staff or hackers is also advised.

But Antonis Patrikios, director at Field Fisher Waterhouse, says it is important that organisations take into account staff privacy.

He recommends drafting a 'privacy impact assessment' that has proportionate safeguards in place and is well communicated among staff.

6. Be prepared for the worst

When an account or website is hacked, Whatmough says: 'Standard crisis comms should apply. It is important that you are clear and open about what has happened.'

When several BBC Twitter accounts were hacked by a group claiming to be supporters of the Syrian government earlier this year, the BBC PR team swiftly used its safe Twitter accounts to offer reassurances and apologise. A BBC spokeswoman said: 'With incidents such as these, our priority is always to get the matter resolved as quickly as possible and to keep our audiences updated on the progress.'

WHAT A WHOPPER: WHEN BURGER KING BECAME A VICTIM

Burger King

18 February was a day Burger King's US-based global social media and PR team will not forget in a hurry.

At around 11am it discovered the firm's global Twitter account, which had 80,000 followers, had been hacked. The team immediately contacted Twitter to report the security breach.

Within the hour the account was suspended, but not before the mischievous hackers posted several vulgar tweets and altered the account's logo to that of rival McDonald's.

This included the tweet: 'We just got sold to McDonald's! Look for McDonald's in a hood near you.'

During the afternoon the global PR team issued a media statement saying: 'We have worked directly with administrators to suspend the account until we are able to re-establish our legitimate site and authentic postings.'

By 5:30pm the account was active again and back in the hands of Burger King's social media team, which was able to reinstate its branding and remove the offending tweets.

Burger King's first tweet after regaining control made reference to the 30,000 extra followers its Twitter account had attracted during the day.

'Interesting day here at Burger King, but we're back! Welcome to our new followers. Hope you all stick around!'

A Burger King spokesperson said: 'When our Twitter account was hacked, our social media teams immediately began to work with Twitter security to suspend it. Once we regained control, we were up and running and tweeting. Our fans and followers have stayed with us and we've welcomed some new ones.'

EXPERT VIEW: Cal Leeming, Simplicity Media technical director and ex-hacker

Cal Leeming

'The cliche of a hacker as a kid in his bedroom is no longer true. It can be anyone for a variety of reasons doing this. Sometimes it is ex-employees who hold a grudge, sometimes it can be groups of people who have something against the business or sometimes it's a criminal gang, particularly from Russia and Eastern Europe. The hacker can also be very contradictory. It could be a good person or a very talented person doing this.

There are extra security measures you can take, but it does mean that you have to give up a degree of usability. One of the safest is to have a two-factor authentication system for access to your email. These are commonly used by banks through a digital key fob that uses a random number. This can give the security that even if your password is leaked, it is harder for someone to gain access. But this does not offer protection against malicious software. There are some nasty pieces of kit out there that will wait for you to input a number and then use it to take over your computer. What is surprising, though, is that Facebook and Twitter do not offer this kind of two-factor authentication, when even (the online game) World of Warcraft does.

Everyone should be aware that as soon as they input anything online, potentially it could be accessed. If you want to really protect yourself and have something confidential to say, then use good old-fashioned snail mail or a phone call.'

Would you like to post a comment?

Please Sign in or register.

News by email...