Frank Tortorici

The recent debacle surrounding the hacking of credit reporting bureau Equifax, which exposed millions of customers’ proprietary and contact information, is just further evidence that cybersecurity issues are not going away and will remain at the forefront of international business concerns.

One cybersecurity matter very rarely examined, however, is how corporate communications firms, often charged with aiding and buttressing other businesses’ corporate reputations, handle a situation that imperils their own online data and programs.

This article is featured in O'Dwyer's Nov. '17 Technology PR Magazine

Communications firms and public relations agencies are often the experts people turn to in any matter of crisis and they are the purveyors of plans and programs designed to protect companies in times of struggle and disaster.

What happens when one of them is hacked?

PR agencies generally have a more-than-usual amount of sensitive information, because they have their own proprietary data, as well as reams of private material from a number of clients. Along with data loss, many organizations fear the reputational damage that they would incur as the result of a cyberattack. Case in point: Equifax.

Agencies that handle crisis communications are typically part of the process when responding to a cyberattack. Nation-state adversaries that want to control the narrative, or to obtain information that could otherwise be damning, may specifically target such agencies for precisely that purpose.

“Everyone should be concerned with protecting employee, client, and company data including financial details — that goes without saying,” said James Taliento, CEO and Founder of Cursive Security, a Long Island-based cybersecurity solutions company. “But PR is all about the communication and the content. Unfortunately, they would be an ideal attack point for a disruptor aiming to harm as many individuals and companies as possible.”

Taliento believes that the top attack vectors would include communication channels such as email, phone or messaging. Other areas of interest would be where sensitive information is being stored. Media outlets generally use highly accessible services to transfer such information: specifically, file storage services like Dropbox, Drive and Box. Convenience is a necessity, but that information must be safeguarded to prevent further crisis to clients.

Global ransomware attacks in June affected some communication companies, including British advertising agency WPP. Expert hackers know that going after a PR, marketing communications or advertising firm will likely yield them a treasure trove of private data.

Since many communications firms take pride in crisis preparation programs for clients, it makes sense that they should bulk up security themselves for all the client data they possess. Yes, one must always remember that any information stored on a computer doesn’t belong to you simply because you entered it.

According to anti-malware company Malwarebytes, there are many steps that firms can take to safeguard information, and communications firms especially should take heed of these.

The first is to constantly update your OS and other software so that hackers can’t take advantage of outdated safeguards in your security programs. PR firms should invest in even more sophisticated technology such as Malwarebytes Anti-Exploit.

It also goes without saying that you should remove all traces of data from any devices you sell or discard. One tip that is often ignored is to not use open Wi-Fi, which is easily accessible to most hackers. The best way to do this is to use an encrypted password.

Some more obvious solutions are to create difficult passwords and change them frequently, to lock devices, and to make timeouts fairly short. Several services offer two-factor authentication, which makes hacking much more difficult.

Also, be sure not to link accounts. If you work for a PR firm, be especially sure that you don’t comment on a social media site using your personal Facebook or Twitter when you’re speaking for the company or on client matters.

And although storing things on the cloud is convenient, keep sensitive client information off the cloud. Be sure to log activity for clients on private servers to which only trusted company personnel have access.

A question that has been floated around more than once in the cybersecurity industry is whether PR agencies and communication firms are indeed targeted more than other companies by hackers. It’s difficult to say this categorically, but such attacks are rising.

Who is targeting communications and PR companies on the internet and why is it becoming more common? To answer this question, according to Matti Kon, CEO of New York-based cyber-security solutions firm InfoTech, it’s important to understand that cyber-attacks are divided into two major categories:

Random attacks

Random attacks are usually performed by malware that’s not prejudiced; it doesn’t care if you’re a major business or a small store, or whether you’re a PR company or a hospital. If an everyday, average form of malware makes its way into your system, it will destroy anything it can. Everyday malware has flooded the Internet and can automatically replicate itself and continue to spread through compromised systems. This also applies to ransomware, a specific type of malware that holds your organization to ransom: either you make the payment, or your data will be published, stolen, destroyed, etc.

Specifically-targeted attacks

In these cases, the PR or communications company is targeted by an entity that would like to penetrate the system and get information about clients, projects or bank accounts. These aren’t random attacks, but are probably the result of individuals using the Internet and weaknesses in your systems to get at your organizational information and steal it, perhaps to get ahead of their competition.

These are similar in nature to the cases in which the Russians are blamed for compromising the American electoral system during the last election. This is targeted criminal activity.

A PR company, although probably holding more sensitive information than other types of businesses, has to safeguard its interests on the Internet just like any other company. Whether it has to protect itself from a random attack or from a targeted attack, every communications and PR company should employ a dense, strong cybersecurity footprint and train its employees regularly, as cybersecurity should be a top priority. Kon says that it’s highly recommended to have somebody on staff who is proactive in protecting the company from cyber threats. But if the company cannot afford a full-time person to monitor its systems, it should retain a cybersecurity technology organization that would be responsible for protecting its footprint. This concern should report directly to the senior management of the communications/PR company, because its success can literally save the firm from dissolution caused by clever and insidious hacking.


Frank Tortorici leads Marketing Maven’s business and professional services practice out of their NYC office. He can be reached at