2019 was a landmark year for those who work in cybersecurity PR, and not in a good way.
Many organizations fell victim to breaches, hacks and leaks—at an average cost per incident of nearly $4 billion. From Capital One and Facebook, to the AMCA, Georgia Tech and more—each shows that no sector is off-limits to attack by bad actors.
A varied threat landscape has driven extensive cybersecurity media coverage. Although data breaches, ransomware and malware attacks are among the most common cybersecurity vulnerabilities, 2020 brings additional issues that will warrant increased exposure. They include attacks by foreign actors, insider threats, the growing cybersecurity skills shortage, AI-enabled attacks and the consequences of businesses’ migration to cloud infrastructures.
Each is relevant fodder for PR teams looking to tap their clients’ expertise. Reactively, pros will have to look for a way to position execs (CISOs, CIOs, CROs, research teams) to talk about how these trends compound a much larger issue—that most organizations aren’t equipped to mitigate cyberattacks from multiple avenues at once. Regardless of how well prepared a company might be to deal with an incident, breaches and attacks will happen—so advance PR prep is also in order.
What should PR pros anticipate within cybersecurity landscape in the next year? Here are the top trends—based on client conversations, journalist insight and industry expertise—that’ll give teams the edge, along with a warning for cybersecurity communicators:
Cyberattacks on industries outside the tech sector will see more exposure
Today, every company is a technology company. Major retailers’ e-commerce platforms are booming. Financial services companies are getting into cryptocurrencies and have invested heavily in mobile experiences.
The health care and insurance industries—notorious for being slower to adapt to emerging tech—are in the throes of digital transformation initiatives involving cloud migration and AI. Everything is connected, which means every industry is vulnerable in some way.
In 2020, cybersecurity PR pros should be well versed in how the threat landscape can affect many different business sectors at once and at any given time. PR teams must stay up to date on multiple verticals outside of pure tech—especially those most frequently targeted by cyberattacks, such as health care, financial services, government, and energy. That way they’ll be prepared for newsjacking opportunities in the event of a hack and can keep clients apprised of news and generally be more effective at meeting industry trends and client needs.
Following new publications and key reporters in important verticals on Twitter, setting the right Google alerts and generally being vigilant through research each day will help PR pros advance client thought leadership.
The internet of things’ vulnerability will take center stage
The internet of things (IoT) has been a tech obsession for much of the last 10 years. However, as IoT capabilities and connectivity have evolved, so have the vulnerabilities that put consumers at risk. 2019 alone has seen a spike in reports that show how easy it is to hack smart speakers.
Coverage highlighted vulnerability and negligent security practices surrounding Amazon’s Ring cameras—in which hackers gained entry and terrorized users through their own devices—and saw the FBI warning people that smart TVs can be compromised and used by bad actors to listen and watch them without their knowledge.
Especially in the wake of the incredible Ring coverage from the likes of Motherboard, Gizmodo, The Verge and others, cybersecurity PR teams should brace themselves for IoT debate to rage on in 2020. As the possibilities of the connected world expand, companies should monitor consumer data and implementing internal security protocols to protect customers, like two-factor authentication out of the box (rather than blaming users).
For PR teams, these events have a silver lining and open up opportunities for positioning cybersecurity execs as experts. Pros should have commentary in place for proactive/reactive outreach opportunities speaking on the larger impact of these events on consumer trust. Finally, they can use the trend as a fresh reason to offer best practices for consumers to protect themselves as threats proliferate.
Cybersecurity workforce shortage grows
Despite a constantly changing tech landscape and increased connectivity between people and devices, the cybersecurity space is notably short on qualified talent. Demand for talent isn’t showing any signs of slowing—the Bureau of Labor Statistics projected a 32% rise in available positions for information security analysts from 2018 to 2028.
More than half (53%) of IT pros, however, have said they lack the security knowledge to safeguard the organizations they work for. If this trend continues and the need for skilled cybersecurity experts keeps surpassing their availability, industries worldwide could see greater losses in revenue and consumer trust. The talent shortage could also be a significant contributing factor for a greater frequency in breaches, hacks and leaks in 2020.
The cybersecurity talent gap isn’t going to close overnight, so PR teams should take advantage of the attention the issue demands. Proactive and reactive commentary strategies, as well as bylines positioning cybersecurity clients’ expertise on how to solve the problem in the long term, will further thought leadership.
Additionally, highlighting ways businesses can circumvent a lack of talent internally (like investing in AI and contracting with third-party cybersecurity vendors) or how they should improve their own hiring practices (better training and sourcing, for example) will make for strong story angles to address the issue in the new year.
Attribution announcements must be clear and credible
When an attack happens, security providers and others often clamor to publicly identify the attack and its source. There’s a natural incentive for us to make such announcements to show leadership and expertise.
There’s a risk that misinformation may grow in 2020. In the event of an attack by foreign state actors, our government often doesn’t want to identify the culprits, even when it knows who they are. It often leaves that to cybersecurity companies in order to guard the intelligence sources or methods used to track down bad actors.
The problem is that as foreign-government-backed attacks proliferate, security companies or hack victims may be tempted to blame foreign actors even when they’re not involved. Foreign hackers themselves may even claim responsibility when it’s not due.
This situation is more likely following the U.S. airstrike on Iran, amid widespread speculation that Iran could retaliate through cyberattacks. It’s important for communicators to make any attribution claims or assessment in a rigorous way, based on solid information. The last thing we need is a credibility crisis in cybersecurity communications.
A version of this post first appeared on the Crenshaw Communications blog.