If you work in PR, you probably have a list of responsibilities to prioritize.
As you focus on developing messaging and pitching stories to journalists, one item probably ranks pretty low, if it makes your priorities list at all: security.
Security isn’t an insanely sexy topic, but it is an incredibly important one. As a PR professional, you need to care about, and be aware of, important security measures to protect your company’s or client’s data. After all, PR professionals often have access to important files like drafts of press releases yet to be distributed or spreadsheets with sensitive information on company financials.
As the world has become more digital, the stakes for what hacking and phishing (when a scammer uses fraudulent emails, texts, or copycat websites to get you to share valuable personal information) can do to an individual or organization are higher than ever.
A PR security nightmare
Just last month, The Verge published an article about how an international hacker network turned stolen press releases into $100 million.
Still think security doesn’t impact PR pros? Think again.
The article states:
At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he’d been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits… From the beginning of 2012 onward, the three newswires — Business Wire, PR Newswire, and Marketwired — were endlessly patching holes and uninstalling malware in an effort to block the hackers’ access, court documents show. Askari Foy, a cybersecurity expert formerly with the SEC, explained that it would be standard practice for one of these firms to contact the FBI to launch a criminal investigation, which would give authorities access to their systems for forensic analysis.
The piece explains that over a period of at least five years, three US newswires were hacked, leaving private company information vulnerable. (Another reason to question the use of newswires.)
More than ever, security is a pressing issue all communicators must become well-versed in.
Tips for making yourself (or your company) more secure
To beef up your security, make sure you take these eight steps:
1. Encrypt your hard drive.
Hard-drive encryption is a technology that encrypts the data stored on a hard drive using sophisticated mathematical functions. Data on an encrypted hard drive cannot be read by anyone who does not have access to the appropriate key or password.
Consider this: What if someone broke into your office and stole a laptop? If the laptop’s hard drive was encrypted, you’d be in the clear, knowing the data and files on the machine are safe. If not, that could lead to a major crisis.
2. Disable automatic login on your laptop.
While it may be tempting (and a time-saver) to go sans a password on your laptop, it’s not a wise choice.
On your laptop, disable automatic login, require a password when waking from sleep, and set the computer to automatically lock after a certain amount of time (we recommend under 10 minutes). Check out these instructions to disable automatic login.
3. Use lock codes on your smartphones and tablets.
Along the same lines as disabling automatic login on your laptop, be sure your smartphone or tablet has a lock code, fingerprint or face ID, as well.
Even if you primarily use your device for personal use, inevitably you’ll check your work email, log into Slack or connect to Dropbox. A smartphone or tablet needs to be treated with as much respect as your laptop.
On both your laptop and smartphone, make sure your devices can be wiped remotely should your equipment be stolen.
4. Create strong, unique passwords—and never reuse them.
Creating strong passwords can go a long way in protecting your privacy. Here are some basic tips for creating strong passwords:
- Use a password manager like 1Password, LastPass or Keeper. Default to the “characters” option, set the length for at least 30 characters unless a site limits you to fewer, and set it to include digits and symbols. Password managers should be used both on your laptop/desktop and your phone, and the new iOS 12 works well with password managers so you don’t have to copy and paste the passwords yourself.
- If you need a password that’s possible to memorize and type, use the “words” option in the password generator and choose a password of a series of 4+ randomly selected words.
- Don’t choose something guessable to be your password. When we say guessable, we’re talking about guessable by computers, which can try millions of combinations quickly. This could include any word in any language; any personally identifiable information about you or anyone else (name, phone number, address, birthday, etc.); 12345; and, especially, any password you’ve used on any other site, ever.
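To make the tips above concrete, here is an added example (not from the original article) that generates both kinds of password with a cryptographic random source, measures how large the search space is, and flags human-chosen passwords that fall into the guessable categories listed. The sample word list, the 7,776-word list size and the guess rate used in the comments are assumptions for illustration.

```python
import math
import secrets
import string

# Letters, digits and symbols: the "characters" option with everything enabled.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed 16-word sample; real generators draw from lists of thousands of words.
SAMPLE_WORDS = ["anchor", "bishop", "candle", "dragon", "ember", "falcon",
                "garnet", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pepper"]


def random_characters(length=30):
    """A 30-character password, each character picked uniformly at random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_words(count=4, words=SAMPLE_WORDS, sep="-"):
    """A passphrase of randomly selected words (the "words" option)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` items is drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def days_to_exhaust(bits, guesses_per_second):
    """Days needed to try every possibility at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / 86400


def guessable_reasons(candidate, personal_facts=(), previously_used=(), dictionary=()):
    """Return which of the guessable categories a human-chosen password falls into."""
    lowered = candidate.lower()
    reasons = []
    if lowered in (w.lower() for w in dictionary):
        reasons.append("dictionary word")
    if any(f and f.lower() in lowered for f in personal_facts):
        reasons.append("personal information")
    if candidate in previously_used:
        reasons.append("reused")
    if candidate.isdigit() or len(set(candidate)) <= 2:
        reasons.append("trivial pattern")
    return reasons
```

With an assumed 7,776-word list, four random words give about 52 bits, while 30 random characters give about 197 bits, which is why the longer "characters" setting is the default and words are the fallback for passwords you must type.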
5. Turn on two-factor authentication via an authenticator app or mobile.
With two-factor authentication, if someone does choose a weak password or a service gets hacked, there’s always another checkpoint to make sure it’s really that person who wants to log in.
Two-factor authentication means you can’t log in without having access to your cell phone for a login code, so someone who gets hold of your login and password also needs to get hold of your phone to log in.
Whenever a site gives you a choice, use an authenticator app (such as Google Authenticator or Authy) over text messages. The former is more secure. Hackers have been known to use social engineering to convince wireless providers to redirect text messages to their own phones.
6. Make sure your vendors are secure.
Do you work with external vendors? Just like you want to make sure your company is taking proper security measures, you’ll want to check that the vendors you work with are too.
Here are 10 important questions to ask the vendors you work with:
- Do you have two-factor authentication for this service?
- Do you have unique user accounts to access team tools? Does your organization use multi-factor authentication for remote access?
- What are your password standards?
- Do you encrypt customer information in transit and at rest?
- Do you have a data retention/archiving policy?
- Are access logs, system logs, audit logs and alerts for unusual usage or failures etc. all turned on?
- Are significant security events logged (successful log-on, log-off and unsuccessful authentication attempts)?
- Are firewalls used to control access into and out of the internal network where our data is accessed, processed or stored?
- Does your company have formal written policies and procedures for both privacy and security, approved by management and published and communicated as appropriate to all employees?
- Is there an individual designated within your organization that is responsible for information security?
7. Be alert.
Always be alert—and keep your eyes peeled for suspicious activity.
For example, if you receive an official-looking email from Facebook that links to a site to type in your password, recognize this right away as a possible phishing scam. Facebook will never ask you for your password via a link in an email, and emails can easily be faked to trick consumers as to who’s sending them.
If you think someone might be phishing you, it’s safer to navigate to the site yourself to ensure you’re putting your password in a safe space.
Similarly, be on the lookout for instances of social engineering, “the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques.”
Social engineering can impact any company. Just consider this example of a Tesla Model 3 stolen from the Mall of America using only a smartphone:
The person allegedly responsible for taking the car is believed to have reached out to Tesla’s customer support to add the stolen Model 3 to his Tesla account by its vehicle identification number. Once the vehicle was accessible on a smartphone that was signed into this person’s account, he was reportedly able to unlock the car and drive away without ever needing a key.
8. If you think you’ve been hacked, say something.
If you ever know—or even just suspect—that security has been violated, that you’ve been the victim of a phishing attack or scam, or that you’ve given out your password by mistake, let someone at your company know ASAP.
The company needs to know immediately when there are any security issues so it can address them quickly and head-on.
When was the last time you reviewed your team’s security plan?
Gregory Galant is the cofounder and CEO of Muck Rack, a digital PR and journalism platform. A version of this article originally appeared on Muck Rack, a service that enables you to find journalists to pitch, build media lists, get press alerts and create coverage reports with social media data.