Cyber-security marketing is developing at a rapid rate as the industry becomes more and more competitive, meaning PR and marketing professionals need to be able to adapt quickly to stay ahead of the game. In this 101 guide, we’ll be providing insight to help your cyber-security brand stand out from the crowd.
- The biggest data breaches of 2019 and their PR responses
- Talking TechComms: cybersecurity awareness month
- Why having shy customers doesn’t have to hinder your cyber-security marketing strategy
- Solving the internal communications gap
- Why clarity in external cyber-security messaging is key
- Cyber-security marketing: Building out a spokesperson matrix
- Do cyber-security brands need to maintain a serious tone of voice?
- Talking TechComms: Building a cyber-security brand
- Landing a media briefing at cyber-security trade shows like Black Hat
The biggest data breaches of 2019 and their PR responses
As the new year begins, it’s a time for reflection the highs and lows of 2019. While many companies surged ahead with new product offerings, major funding rounds and record-profits, some others had to face one of the more sobering realities of our time – data breaches. As the majority of transactions and personal data storage have moved online, data breaches have unfortunately increased in regularity and magnitude. The appropriate response from affected companies – from a PR perspective – however, has remained the same.
We’ll be taking a look back at a few of the biggest breaches of last year and analyzing how the affected company responded from a PR perspective. We considered the following factors:
- Speed of response – The sooner a company notifies affected customers the better, so that they can take steps to protect themselves.
- Company support – Did the company offer anything to help affected customers such as free identity theft monitoring?
- The official response – Transparency, honesty and helpfulness are all good chords to strike in an official company response. Even though some data breaches can’t be reasonably prevented, it is still a company’s responsibility to customers to own up to what happened, explain the situation and its impact, and try to solve the problem.
- The public reaction – The benefit of making this list in hindsight, is that we know how people actually reacted to the company’s PR response. Was it effective? How long was it in the news for? What did people have to say about it?
- What happened? An unauthorized third-party accessed customer, merchant and driver information back in May 2019. Around 4.9 million customers were affected, and stolen information included contact info, driver’s license numbers, and some fragmented financial information– although not enough to allow hackers to make fraudulent charges.
- The response: DoorDash released an in-depth blog a few weeks after they discovered the breach, detailing what happened, who was affected, what affected customers should do, and what the company is doing in response. The company also directly reached out to affected customers and suggested they change their passwords. The CEO also commented at the Wall Street Journal tech conference a few weeks later that there was negligible customer fallout from the breach, but that the company takes security very seriously.
- The reaction: There was widespread coverage in the days directly after the blog was released, largely reporting on the details provided in the blog. Several outlets also cited the company’s less than ideal handling of a different breach in 2018, but beyond that the media chatter focused predominantly on the details of the breach. The breach has not received much follow-up coverage since.
- The result: The blog and customer outreach were helpful but waiting to have the CEO comment for weeks until asked about it at a conference was a bit of a miss. The best breach responses come swiftly, and from the top. Ultimately, this breach may have benefitted from its relatively small scale compared to some that follow and hasn’t received too much recurring negative attention.
- What happened? Back in July 2019, data pertaining to credit card applications filed from 2005 and 2019 related to was accessed by an unauthorized party. This resulted in personal information, credit card data, Social Security and bank account numbers being accessed. The breach affected 100 million people in the US and 6 million in Canada.
- The response: The company released a statement via press release 20 days after initially discovering the breach. It shared details and announced that the responsible party had been arrested. The company also said they do not believe the stolen data was used for fraud or disseminated. The CEO was quoted in the release and committed to making it right for affected customers. The company also released an FAQ outlining all the key information and what they’re doing in response. They reached out to customers whose bank account and Social Security numbers were accessed directly and offered free credit monitoring and identity protection available to everyone affected.
- The reaction: Given the magnitude of the breach – one of the largest in US history – it was reported by pretty much every major US publication and often compared to the massive Equifax breach. The 20-day delay in notifying customers was a bit long, however it may have been tied to an FBI investigation which could justify it.
- The result: Overall, it’s too soon to tell what the final verdict will be reputation-wise, however, the initial response from the company was open and honest from the CEO, making this a decent PR response. Given its large scale, however, we may see more fallout in the future as the full legal and regulatory implications are found.
- What happened? In January 2019, Marriott announced that the data from 383 million guests, including passport and credit card numbers, had been stolen by hackers. The company had initially indicated that there may have been a breach affecting as many as 500 million guests in late 2018, and then conducted an investigation with a forensics and analytics team to determine the extent of the breach. In both instances, they shared a press release detailing the hack, which was one of the largest personal data breaches in history.
- The response: In both instances, the company shared a press release detailing the hack, which was one of the largest personal data breaches in history. The company set up a dedicated website and call centre to deal with customer questions about the release and also offered free credit monitoring to those affected.
- The reaction: Given the scale of the breach, it was covered widely by the media and compared to the Equifax breach. It also sparked debate about how the hospitality industry as a whole, deals with data security. A year later, and it is still garnering regular coverage as lawsuits and regulatory rulings resulting from the breach have come to fruition – further drawing negative attention.
- The result: The company should get some positive credit for alerting customers that there was potential breach before taking several months to complete an investigation – something that wasn’t done in some of the other major recent breaches – which allowed people to take steps to protect their identities sooner. The massive size of the breach and the lawsuits it has brought may ultimately make negative ramifications to the Marriott brand continue on for a long time, however.
As seen from these examples, a forthright and honest approach that puts the affected parties first is ultimately the best approach for brands facing a breach. Even that can’t always prevent negative fallout, especially when breaches affecting the sensitive data from hundreds of millions of customers are concerned. While the best solution for companies will always be to prevent breaches in the first place with better cybersecurity defences, they should still have a crisis PR plan in place and spokespeople prepared to comment in case the unthinkable occurs.
Talking TechComms: cybersecurity awareness month
Taking place every October, cybersecurity awareness month is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity. It was started in 2004 by the USA’s Homeland Security, but has since been adopted by social media and IT security professionals around the world.
Awareness months such as this provide an opportunity for brands to engage a wider audience and use the topic as a springboard to boost their social reach. However, they have to be approached in the right way. With so many businesses competing for attention, just posting content for the sake of it isn’t going to have an impact.
In the latest episode of the Talking TechComms podcast, we spoke to London lorry Jacob Greenwood to get his insights into how businesses can successfully cut through the noise of Twitter awareness months. Check out what he had to say about formulating the right strategy, providing value for audiences and maintaining long-term momentum.
Why having shy customers doesn’t have to hinder your cyber-security marketing strategy
As we all know, the trusty customer case study is an important component of any PR or marketing campaign – no matter what the industry.
Case studies help businesses demonstrate how their product or service has been successfully implemented by customers. They provide an excellent proof point for a product’s value in a certain sector, and highlight how it can be used to address a specific business issue.
Instead of just talking about a product in theoretical terms, case studies allow brands to showcase practical applications. Most importantly, they help bring a (potentially dull) product to life by letting brands tell stories that are much more engaging than another self-serving press release.
However, not all industries have it easy where case studies are concerned. For example, finding customers willing to be used as case studies is notoriously difficult in the cyber-security space, primarily due to the sensitive nature of the topic.
So, how can brands use customers in their cyber-security marketing and PR strategies without placing them under the spotlight? Here are a few options.
Use their data, not their name
Virtually all modern cyber-security products collect a huge amount of data from the analysis of things like network traffic, device performance and employee activity. So, even if you can’t use a customer’s brand name, you might be able to use their data (with their permission, of course) to talk about what’s happening in the industry, or point to trends that align with your marketing messaging.
For example, a customer might have suffered a rare type of attack, or a variation of an existing threat that hasn’t been seen before. Or, multiple customers operating in the same industry might have suffered a similar attack within a short timeframe, suggesting that a specific type of company is being targeted.
This is all interesting data that could be used as part of a PR campaign addressing the wider threat landscape (think press briefings and speaking slots), or simply as a one-off piece of content like a blog or press release to showcase your expertise.
And the best part is that it can all be anonymised, so the customer in question doesn’t have to worry about its name appearing across cyber-security publications, blogs and social media feeds.
Remember, just because you can’t use a customer’s name, it doesn’t mean they can’t be useful in other ways.
Make the most of awards season
Another extremely effective way of showcasing and validating all the great work you’ve done with customers without publicly naming them is to enter into industry awards.
With competition in the sector continuing to intensify, industry awards provide a valuable opportunity to illustrate your cyber-security brand’s expertise. They also help to build credibility and authority, providing third-party endorsements that add weight to any PR or marketing strategy.
Winning (or even just being nominated for) an award from a respected industry body proves that your product really is as good as you say it is, which builds trust with both current and potential customers.
Most importantly, the finer details of the entry and the work you’ve completed with a customer can be kept private, so that they are only read by the judging panel. This enables customers to be used as part of your cyber-security marketing strategy, even if they are concerned about revealing business secrets to media.
Plus, who doesn’t enjoy a glass of prosecco and the inevitable shrimp cocktail that comes with attending an awards evening?
Finally, it’s always worth trying to convince any reluctant customers about the benefits of taking part in a case study. Just remember to keep the following tips in mind:
- Start off by targeting your happiest customers – i.e. those that you think will be the most likely to agree and that have previously been open to sharing their experiences of using your product or service.
- Highlight the mutual benefits – a case study doesn’t just have to benefit you, it can also be of value to the customer. For example, customer benefits could include increased visibility and the opportunity to show how they are now better able to serve their own customers.
- Offer incentives – when signing the client, why not offer a price reduction if they agree to provide a written or video case study about their experiences? Although you’ll have to make an initial sacrifice, this strategy could yield a greater financial return in the long run.
- Make the process as simple as possible – the less time and effort a customer has to put into writing and approving the case study, the more likely they will agree to it. Plan the process efficiently and don’t take up too much of their time.
Ultimately, it will always be tricky for cyber-security brands to find customers that are willing to be used as case studies. Cyber-security is a sensitive area, so many companies are understandably reluctant to talk about their experiences openly.
But, by thinking about how customer stories can be used in different ways – such as in award entries or through the collection of data – cyber-security brands can bolster their marketing strategies and get even more value out of their customer relationships.
Solving the internal communications gap
It seems we can’t go a single day without an unsuspecting Brit transferring every penny they own to a cyber-criminal. Whether it’s a fake millionaire on Tinder stealing $200,000, or a cyber-savvy team of investment charlatans convincing pensioners to part with their life’s savings, being a hacker really is a full-time job.
Unfortunately, it’s an even bleaker picture for businesses. Small businesses are the subject of repeated cyber-attacks, with almost 10,000 attacks happening every day according to the Federation of Small Businesses.
From a cyber-security marketing perspective, the widely documented cyber-security skills gap across the nation has forced vendors to push themselves to the limit to capture the attention of the b2b enterprise market. For any ambitious cyber-security start-up, it’s an obvious choice to get the PR machine up and running: but a not so obvious choice as to when, or how to position the company.
Perhaps most importantly, it can be hard to know how to come up with a PR strategy that pleases everyone internally. For example, the staff actually working on coding and developing the product will probably want to tell a different story to the less-technically savvy sales and marketing departments, which can result in a confused message and impact stakeholder buy-in.
Due to the competitive nature of funding and the reliance on pleasing investors and the unpredictability of product development, cyber-security marketing teams can often find themselves between a rock and a hard place when it comes to getting everyone on board internally with PR across the business. So how can it be done, and what should you consider?
- Involve your security developers from the get go in a way that makes sense. Broad, brush stroke marketing statements do not often sit well with people who’s job it is to be the devil in the detail. Think about how they can contribute to the overall vision in a way which plays to their strengths and is likely to generate external engagement. For example, developing comments to respond to breaking news of cyber-security breaches, specifically how they could have been prevented, is a good way to showcase technical expertise and be useful to journalists.
- Find out what the investors and board members are looking for. Investors can often instigate a PR agenda by saying things like “We’d like to be in the Financial Times” or “XYZ is on the BBC, why aren’t we?” There needs to be a level of education on how to go from zero to hero, and a decent tech PR agency should be able to craft a plan to get there to keep those holding the purse strings on side. Managing expectations with an evidence-based strategy will be important in building momentum.
- Decide how PR will support sales. PR budgets can often be limited, which means it’s crucial to nail down what you want from activity. Driving sales, or lead generation can be a good way to focus PR content creation on the buyer audiences’ trade titles, and tools such as paid-for targeting on social media can stretch this content even further. But time spent on brand awareness in higher tier publications can also be reusable for sales meeting and funding pitches, so it’s crucial to decide early on where you want to focus your budget and the PR effort.
In traditional b2b tech PR, we often let customers do the talking on vendors’ behalf – as there is no greater validation than a happy customer. But we know this is not always possible in the security space, which means a renewed effort needs to be made elsewhere.
Crucially, the approach needs to be agreed internally to generate buy-in across the entire organization. If some kind of consensus can be agreed upon at the start of a campaign, it will allow you to put your best foot forward and use a PR agency in the most efficient way.
Why clarity in external cyber-security messaging is key
From phishing and worms, to SIM Swap fraud and trojan horses, the cyber-security industry is filled with enough buzzwords and jargon to make your head spin. When you add in all the acronyms (IoT, BYOD, DLP, SIEM…), trying to navigate the world of cyber-security messaging can feel like peering through murky waters.
At the same time, cyber-security is now a top priority for businesses, as a security breach can have huge financial and reputational ramifications. Consumers are also becoming more cyber-security conscious, as conversations around breaches and data privacy regularly hit mainstream headlines.
For cyber-security companies, it can be easy to forget that not everyone is as immersed in the industry, or as familiar with the language, which is why it’s important that external messaging is jargon free and easy to understand.
Here are three reasons why clarity in your cyber-security messaging is key:
Our attention spans are getting shorter
The internet is awash with stats about our decreasing attention spans. As recently as June this year, a major study from academics at Oxford, King’s College London, Harvard and Western Sydney University found that using the internet is physically changing our brains, making our attention spans shorter and our memory worse.
In the digital age, we’re all constantly bombarded with stimuli. As content of all varieties becomes increasingly abundant, the human attention is pulled in every which direction, so should be treated as a scarce commodity.
For this reason, cyber-security messaging has to be as easy to understand as possible. People don’t have the time to try and decipher acronyms or unnecessarily technical language, so cut to the point and keep it simple. Whenever someone clicks off your content, you’ve missed an opportunity to create a connection, which is especially frustrating when it can be easily avoided!
Your audience is bigger than you think
Many companies can tell you in a heartbeat who their target audience is, whether that’s the CIO, CTO, senior decision makers, or “the person who manages the budget”.
But your audience is usually bigger than your sales prospects. What about the panicked CEO whose business has just been hacked? A journalist who’s researching for an article? Someone who’s gone down a rabbit hole and stumbled across one of your blogs?
All of these people will have a different level of understanding about what you do and the industry you’re operating in. Therefore it’s good to tailor your content so the messaging is appropriate for the relevant audiences. A news-hijacking comment delivered to mainstream media should have a different tone to a whitepaper for prospects, for instance.
At the end of the day, if your messaging is confusing and hard to understand, people are more likely to click away from your content and head to a competitor.
There’s too much at stake
Cyber-criminals are becoming more savvy, breaches are a regular occurrence, and enterprise and consumer data is under constant threat. As such, it’s never been more important for people to have a basic understanding of cyber-security.
Everyone in the industry—from security analysts, to CIOs, to journalists—has a responsibility to ensure they’re educating people on threats to look out for, and steps people can take to ensure hackers aren’t given the upper-hand. Jargon-free, easy to understand messaging is essential to this education process.
Other quick tips for improving your messaging include:
- Using analogies to explain complex topics
- Backing up your points with real-world examples
- Use diagrams and videos to make concepts easier to digest
It’s no secret that cyber-security is fast becoming one of the most important issues for businesses and consumers, meaning clarity of messaging has never been so essential. After all, why should people take your advice or buy your product if they can’t understand even what you’re saying?
If you need help developing jargon-free messaging for your cyber-security company, get in touch!
Cyber-security marketing: Building out a spokesperson matrix
For cyber-security brands, strength and depth are equally important when it comes to building out a spokesperson matrix.
As the public faces of the company, spokespeople are central to defining a brand’s voice and public perception. For this reason, selecting precisely who to put in front of press is a decision well worth taking time over.
Building out a spokesperson matrix is all about balance – between technical and non-technical expertise, too many voices and too few, individuals with passion and those with poise.
It’s also important to assess each opportunity as it comes, and ensure the best equipped and most suitable spokesperson is selected for the specific instance.
With all this in mind, here are a few key considerations for any cyber-security brand looking to build an industry-leading spokesperson line-up.
Variety is the spice of life
For many cyber-security marketers, the temptation can be to lean on a single individual for all press opportunities. Start-ups and scale-ups in particular tend to rely on the founder or CEO to spread the company word.
This inclination is perfectly natural. After all, it’s logical that the most high-profile member of an organisation should be at the heart of its PR efforts. It’s also true that press are interested in speaking with decision makers, which means founders and CEOs are sensible candidates.
However, the range of discussions that take place within the cyber-security industry – from security and compliance, to the technology, to the human right to privacy – means it’s important for brands to provide varied, credible perspectives. Relying on one spokesperson alone for all press opportunities can bring about difficulties further down the line.
If journalists only ever hear from one individual, they can become reliant on that person and unwilling to hear from anyone else within the organisation. After all, if they’ve enjoyed unchecked access to the CEO in the early stages of the organisation’s development, why should they be persuaded to engage with anyone else?
Relying on a single spokesperson is also to neglect the depth of talent and expertise across a cyber-security business. Raising the profile of a variety of spokespeople from different areas of the business – technical, analytical and high-level – allows a cyber-security brand to paint a more complete and coherent picture of the challenges it is seeking to address.
However, there is one exception to the rule: broadly, journalists don’t want to hear from sales personnel. No matter how articulate, charismatic or credible the salesperson, the title triggers a suspicion that’s difficult to move beyond.