2019 was a landmark year for those who work in cybersecurity PR, and not in a good way. Many organizations fell victim to breaches, hacks and leaks — at an average cost per incident of nearly $4 billion.
From Capital One and Facebook, to the AMCA, Georgia Tech and more — each shows that no sector is off-limits to attack by bad actors. A varied threat landscape has driven extensive cybersec media coverage. And while data breaches, ransomware and malware attacks are among the “normal” cybersec vulnerabilities, 2020 brings additional issues that will warrant increased exposure. They include attacks by foreign actors, insider threats, the growing cybersecurity skills shortage, AI-enabled attacks and the consequences of business’ migration to cloud infrastructures.
Each is relevant fodder for PR teams looking to take advantage of their clients’ expertise as thought leaders. Reactively, pros will have to look for a way to position execs (CISOs, CIOs, CROs, research teams) to talk about how these trends compound a much larger issue — that most organizations aren’t equipped to mitigate cyberattacks from multiple avenues at once. And regardless of how well prepared a company may be to deal with an incident, breaches and attacks will happen – so advance PR prep is also in order.
What should PR pros anticipate within cybersecurity landscape in the next year? Here are the top trends — based on client conversations, journalist insight and industry expertise — that’ll give teams the edge, along with a warning for cybersec communicators.
Cyber attacks on industries outside of “tech” will see more exposure
Today, every company is a technology company. Major retailers’ e-commerce platforms are booming. Financial services companies are getting into cryptocurrencies and have invested heavily in mobile experiences. The healthcare and insurance industries — notorious for being slower to adapt to emerging tech — are in the throes of digital transformation initiatives involving cloud migration and AI. Everything is connected, which means every industry is vulnerable in some way. In 2020, cybersecurity PR pros should be well versed in how the threat landscape can affect many different business sectors at once and at any given time. By staying up-to-date on multiple verticals outside of pure ‘tech’ – especially those most frequently targeted by cyber attacks like healthcare, financial services, government, and energy — PR teams can ensure they’re prepared to take advantage of newsjacking opportunities in the event of a hack, keep their clients apprised of the latest news and generally be more effective at meeting industry trends and client needs.
Following new publications and key reporters in important verticals on Twitter, setting the right Google alerts and generally being vigilant through research each day will help PR pros advance client thought leadership.
IoT’s vulnerability will take center stage
The internet of things has been a tech obsession for the better part of the last ten years. However, as IoT capabilities and connectivity have evolved, so have the vulnerabilities that put consumers at risk. 2019 alone has seen a spike in reports that show how easy it is to hack smart speakers. Coverage highlighted vulnerability and negligent security practices surrounding Amazon’s Ring cameras — where hackers gained entry and terrorized users through their own devices — and saw the FBI warning people that smart TVs can be compromised and used by bad actors to listen and watch them without their knowledge.
Especially in the wake of the incredible Ring coverage from the likes of Motherboard, Gizmodo, The Verge and others, cybersecurity PR teams should brace themselves for IoT debate to rage on in 2020. As the possibilities of the connected world expand, companies should be monitoring consumer data and implementing internal security protocols to protect customers, like 2FA out of the box (rather than blaming users).
For PR teams, these events have a silver lining and open up new opportunities for positioning cybersecurity execs as experts. Pros should have commentary in place for proactive/reactive outreach opportunities speaking on the larger impact of these events on consumer trust. Finally, they can use the trend as a fresh reason to offer best practices for consumers to protect themselves as threats proliferate.
Cybersec workforce shortage grows
Despite a constantly changing tech landscape and increased connectivity between people and devices, the cybersecurity space is notably short on qualified talent. Demand for talent isn’t showing any signs of slowing — the Bureau of Labor Statistics projected a 32% rise in available positions for infosec analysts between 2018 and 2028. Fifty-three percent of IT pros, however, have said they lack the security knowledge to safeguard the organizations they work for. If this trend continues and the need for skilled cybersec experts keeps surpassing their availability, industries around the globe could potentially see greater losses in revenue and consumer trust. The talent shortage could also be a significant contributing factor for a greater frequency in breaches, hacks and leaks in 2020.
The cybersecurity talent gap isn’t going to close overnight, so PR teams should take advantage of the attention the issue commands. Proactive and reactive commentary strategies, as well as bylines positioning cybersec clients’ expertise on how to solve the problem in the long term will further thought leadership. Additionally, highlighting ways businesses can circumvent a lack of talent internally (like investing in AI and contracting with third-party cybersecurity vendors) or how they should evolve their own hiring practices (better training and sourcing, for example) will make for strong story angles to address the issue in the new year.
Attribution announcements must be clear and credible
When an attack happens, security providers and others often clamor to publicly identify the attack and its source. There’s a natural incentive for us to make such announcements to show leadership and expertise. But there’s a risk of misinformation that may grow in 2020. In the event of an attack by foreign state actors, our government often doesn’t want to identify the culprits, even when it knows who they are. It often leaves that to cybersec companies in order to guard the intelligence sources or methods used to track down bad actors.
The problem is that as foreign-government-backed attacks proliferate, security companies or hack victims may by tempted to blame foreign actors even when they’re not involved. Foreign hackers themselves may even claim credit where it’s not due. This situation is more likely following the U.S. airstrike on Iran, amid widespread speculation that Iran could retaliate through cyber attacks. It’s important for communicators to make any attribution claims or assessment in a rigorous way, based on quality information. The last thing we need is a credibility crisis in cybesec communications.