Shortly after it became apparent that COVID-19 would impact businesses for the long haul, Nathan Burke, CMO of the fast-growing cybersecurity startup Axonius, spearheaded the launch of CybersecurityCares.org, an online destination with the stated purpose of “sharing useful information based on this new reality.” The website currently hosts resources for businesses to consume coronavirus cybersecurity news, provides links to vendors offering free tools and shares a list of useful online events and work-from-home best practices.
Also in response to the pandemic, over 400 leading cybersecurity professionals from around the world formed the COVID-19 Cyber Threat Intelligence Group to proactively defend healthcare facilities and providers from the influx of coronavirus-driven cyberattacks.
While it is unknown how successful either organization has been to date, each group’s efforts should be celebrated. As adversaries have accelerated their attempts to exploit the pandemic (cybersecurity researchers estimate a 300-600% increase in phishing attacks since COVID-19 began), these unpaid volunteers have sacrificed time and resources to help healthcare systems, businesses and government agencies reduce cyber risk via education, preparation and deterrence.
The genuine commitment to the greater good has been refreshing to see, especially when considering that cybersecurity marketing and PR isn’t regularly associated with authenticity.
Do pandemic-era cybersecurity PR initiatives pass the media’s sniff test?
If you follow cybersecurity, then you may know that, because of more than a few “bad apples,” this highly competitive and rapidly growing industry has developed a reputation for:
- Overpromoting fear, uncertainty and doubt (FUD) in marketing efforts
- Inauthentically engaging journalists following hacks and breaches
- Aggressively pursuing prospective buyers, especially CISOs
Over the past six weeks, seemingly thousands of cybersecurity companies across domains have entered into the COVID-19 news cycle either by offering some type of free product or service promotion, or in response to the recent proliferation of phishing threats. While cyber companies, startups in particular, often connect their marketing efforts to current events and the news cycle, the COVID-19-led marketing pivot has been both swifter and more universal than is normal. Perhaps that’s unsurprising when considering the depth and breadth of the pandemic’s impact.
Recently, I’ve been pondering how the cybersecurity industry’s response to COVID-19 is being perceived. Are the actions being viewed as authentic and genuine? Or, has the industry’s reputation, whether deserved or not, prompted cynicism and speculation surrounding each company’s true motivations?
To help discern, I reached out to the people who hear from infosec companies frequently – journalists – and posed three questions to each of them.
Here is what these cybersecurity reporters had to say:
Question: Seemingly hundreds of cybersecurity companies are offering some sort of free promotion of their product during COVID. Do you think this is a genuine effort for the most part or do you think marketers are simply trying to gain an upper hand in this highly competitive industry?
- Sara Peters, Senior Editor, Dark Reading – “I think it’s a bit from column A and a bit from column B. Some companies might just be doing free giveaways, but others seem to be making a genuine effort to create much-needed resources and make them as widely available as possible. The security industry makes a lot of money, but at its heart, there’s still a lot of grassroots spirit and DIY engineering.”
- Dan Raywood, Deputy Editor, Infosecurity Magazine – “I do think it [the product promotions] is a genuine offer, my only concern is that this is effectively a corporate version of the ‘free trial’ and when the free offer comes to an end, vendors are going to be pressing companies to pay for the service.”
- Eduard Kovacs, Contributing Editor, Security Week – “Mostly marketing, but there are some genuine efforts. We’ve published an article with a list of free tools offered now and included half of the tools companies have told us about.”
- David Strom, Freelance Reporter – “It is far from genuine. Offers of a free 30 day trial on some SaaS products are pretty much standard pre-Covid. How about a year’s free service? Try a bit more sincerity here.”
- Paul Roberts, Publisher & Editor-in-Chief, Security Ledger – “A bit of both. Cyber is a crowded and intensely competitive marketplace dominated by small providers desperate for market share. Any major news event with a plausible “cyber” angle (including The Super Bowl) usually sees infosec firms clamoring for a piece of the news cycle. COVID is the biggest news event since 9/11, so the response has been proportional in that way. And it’s a pandemic – altruism is the spirit of the moment and so these free offerings are in keeping with that. It’s good business also. Security products tend to be sticky. Customers who take advantage of the free offering may find they want to hold onto the product once the pandemic has passed and the goodwill offering is withdrawn.”
Question: The emergence of COVID-themed phishing attacks is incredible, with estimates suggesting a total increase in attacks of ~600% in the past month. How do you think the industry has done in communicating the increased threats to the public? Too much FUD or have they hit the right note?
- Sara Peters – “I don’t think there’s been any more FUD than at any other time. But the information about the threats might be received differently. What I mean is that, most of the time we’re all very concerned about those attacks on confidentiality. But right now, availability is our bigger concern. The possibility of a data breach through an insecure conferencing program seems less important when we’re faced with these more immediate realities – complete upheaval of mission-critical business functions, layoffs, bankruptcy, death.”
- Dan Raywood – “I think the response has also been fair, we’ve not seen anything new or different in terms of phishing – it’s often the case that attackers use a trending topic – a sporting event for example – and leverage that for social media or email-based malware. In this case, it’s just them using a global trend.”
- Eduard Kovacs – “The industry has communicated well, but people will still fall for phishing attacks no matter how much you tell them to be careful.”
- Anonymous, Editor-in-Chief, Global Cybersecurity Publication – “Every single time there’s a big event, cybercrime follows. With such a global event, it was only natural for phishing exploiting it to increase. Communication from the PR side has been the same as always: unclear, untargeted and generally poor.”
- Paul Roberts – “As you said: the threat is real and, I think, the nature of COVID – which creates so much anxiety and about which so little is known – probably does make these phishing attacks more potent than your run of the mill ‘FEDEX tracking number’ phishes and stuff like that. I think the reporting on the COVID cyber scams has been appropriate and not sensational, for the most part. From where I sit as a cyber security journalist, it is a cacophony of COVID related news pitches. Most are white noise, some are interesting enough to warrant a follow up.”
Question: Is there any company(s) that stands out to you as having met the moment appropriately with marketing/PR in the past couple of weeks? And if so, why?
- Sara Peters – “I actually think that in general everyone’s doing a surprisingly good job. It’s clearly been difficult deciding when to pitch something that is NOT related to COVID, and whether or not to apologize for the fact that it isn’t. I appreciate the efforts everyone is making to strike the right balance.”
- David Strom – “I think it is hard to break through. Our TV is filled with ads that all have COVID themes, even subtle ones. It is getting tiresome. Perhaps leave it alone for a bit.”
- Paul Roberts – “I can’t think of any COVID themed PR pitch that I found out of bounds or offensive. I’ve been doing this a long time. I expect cybersecurity firms and their in-house or outside PR agencies to bend news events to fit their marketing/product message. That’s pretty much what I’ve seen with COVID so: business as usual.”
- Dan Raywood – “No one really stands out, but overall we’ve not seen anything being too dramatic and most people act responsibly.”
Unsurprisingly, journalists appear to have mixed feelings about cybersecurity’s PR and marketing reaction to COVID-19. While some believe that the marketing messages and rapid responses are predicated on good faith, others are a bit more skeptical.
Cybersecurity PR deserves the benefit of the doubt, for now
As someone whose realism can sometimes more closely mirror pessimism, my initial reaction was that far too many of the cybersecurity public relations activities weren’t genuine. However, as I watched IRONSCALES, an ARPR email security client, closely, and heard them talk rather passionately about why they chose to react to COVID-19 the way that they did, I started wondering whether or not I was being too rigid in thought and just defaulting to assuming the worst.
Truth is, there will always be companies – in cybersecurity and beyond – that attempt to capitalize on current events in misguided ways. And as ugly as coronavirus has been, there have been so many inspiring stories of businesses stepping up to the plate to help those in need.