When it Comes to Cyber Security, A Step Ahead is a Step Out of Harm’s Way

By Laurence Minsky, Ben DiSanti, & Joseph Carson

Marketing in the digital arena is one great balancing act. On one hand is the need for data, including customer personal data, to create a customised product experience, and on the other is the looming invisible threat of data breaches and cyber attacks. In this article, the authors elaborate on and provide crucial measures to ensure that you’re a few steps ahead in cyber security and a great deal out of harm’s way.


Cyber security is a lot like the famous story of two campers and a bear.1 In it, the two campers see a bear approaching them. One of the campers drops down and reaches for his shoes. The other one starts running, shouting back, “What are you doing? You can’t outrun the bear.” “I don’t need to outrun the bear,” replies the one putting on his shoes. “I just need to outrun you.” In other words, having a slightly better cyber security system than others – and the cues that let people know that the system is in place – can often be the best strategy for protecting a company’s data from being compromised.

Seems like an easy solution, yet one where many struggle due to the unwarranted fear that customers might not want to take the extra time that the added friction of the security and cues bring to the transaction.2

But due to the overall changing landscape of cyber security itself as well as the impending implementation of the European Union (EU)’s General Data Protection Regulation (GDPR), this simple approach might make more sense than ever.

Scheduled to go into full force by May 2018, GDPR will have an impact on business well beyond the EU’s borders, as one of its principles is that any company dealing with an EU citizen (including an EU IP address) is bound by it. One of the main provisions of this governance is that an EU citizen must provide their consent for the use of any personally identifiable information (PII) before it can be captured or used.

As a result, the individual and household data that is currently being gathered without consumers’ knowledge – such as from databases and by following online behaviours – will no longer be available for marketers to use. This has the potential to significantly hamper targeted marketing efforts for many products and services.

Yet another indication of the grand shifts in cyber security relates to the expert who taught the world to use complicated passwords. He now admits he was wrong – that because of the growth in the number of accounts and passwords, the guidelines that many of us follow today can result in passwords that are susceptible to hacking. As a result, the password guidelines from America’s National Institute for Science and Technology have, of necessity, been updated.3

So, with these changes looming, how do marketers continue to deliver a worthy brand experience while also staying ahead of the hackers?


The first, and perhaps most important step is to gain a greater understanding of the tension between consumer needs and wishes for privacy and the marketers’ needs for information. Anyone who’s visited TelePort to find the best place to live can attest to the power of receiving a personalised experience, one where the consumer provides personal information and receives a customised result just for them. Trend prognosticators have long documented the consumers’ wish for customisation. Anyone in a marketing department can also speak to the importance of creating personalised brand experiences and the detailed knowledge of what each and every customer is seeking at each key inflection point along his or her unique path-to-purchase. But this customised experience comes at a price for the consumer – the need to provide personal information. So, marketers must seek a balance regarding how they can meet both needs and build their brand along the way.

Brands that have shown success in this area should not come as a surprise – Microsoft and Apple, to name two. Both provided empowering experiences with their brands at every touchpoint, building trust by providing more than what is expected for what was paid and exhibiting a knowledge about the product or service that allows the consumer to believe it will deliver without question and then defending this trust with transparency about the data they process and collect.

Each of these brands certainly fosters confidence within its customers. As a result, their customers are more willing to share personal information, which continues the relationship and further affords each brand the ability to offer more empowering interactions. And the brands benefit as well. For instance, Microsoft has become the preferred cloud provider internationally as a result of its vocal position on data privacy.

As cyber security concerns grow, the more traditional “value exchange” that drives most transactions will shift to more of a “trust exchange”. While trust has always been rooted in the value formula – what I get for what I pay – consumers today want that form of trust to marry with their security best interests too. We have recently seen the impact of lost trust and value with the catastrophic data breach at credit reporting agency Equifax, resulting in the CEO retiring and the stock price at one point down by $3.5 Billion.

Within the EU, the GDPR helps ensure the security portion of the relationship and, thus, helps alleviate concern from consumers.

Which brings us to an interesting question: With a regulation like the GDPR being enforced within the EU and beyond, does that relegate data security to just being a defensive effort by brands?

The unequivocal answer is “NO”.

It is evident that a data breach of any kind will damage the trust consumers have built with a brand. As Pat Contry and Anupam Narula remind us in their Deloitte Insights study, Building Consumer Trust: Protecting Personal Data in the Consumer Product Industry, “… Negative brand experiences can quickly negate years of brand-building, a hard-gained positive reputation, and – perhaps most importantly – the trust a consumer places in a brand.”4

The same Deloitte study also highlighted consumer willingness to support and choose those brands/retailers that take action to better secure personal information in an online setting prior to any breach. In fact, 80% of consumers indicate they are more likely to purchase from consumer product companies they believe protect their personal information.5

The key here is that when it comes to cyber security efforts, it is not just a defensive move on the part of organisations, nor is it a legitimate endeavour for helping to build a brand. Rather, it is an attempt to further build TRUST with consumers. Trust that will lead to a deeper relationship with one’s brand.

People are willing to give up their data knowing that:

  • only the required data is being collected and processed;
  • it is used only for the purpose it was intended;
  • the veracity of the data is maintained;
  • adequate security is in place;
  • and when an incident occurs, the company takes full responsibility, in return making their lives easier with less time wasted.

What happens when a data breach does occur?

According to the US National Cyber Security Alliance, 60% of small businesses closed just six months after a cyberattack. According to Thycotic, “while you may have done everything to stay protected, and everything to be compliant this does not necessarily mean that your business will survive.”6 Once a data breach occurs, the company must respond quickly and intelligently. Cyber incidents should be treated like any crisis management and must involve cross business functions working together as a team whereas too many times they are left solely to the IT team. Being prepared and having a tested incident response plan can mean a company can reduce the impact of cyber incidents, get back to operations quickly, and maintain confidence with consumers. A well-defined incident response plan means:

  • Executive team are educated and cyber aware.
  • Incident ownership is detailed and responsibilities are clear.
  • Internal and external capabilities are identified.
  • PR and legal are ready at a moment’s notice.
  • Alternative communication and backup plans defined.
  • Eradication and recovery steps prepared.

In an ever-evolving world like that encompassing cyber security, there are few hard and fast rules. But as we mentioned earlier, the goal is simply to stay a step ahead of the hackers. Right now, that is defined by:

1. Offering a more secure environment than competitors, or other online retailers/resources.

  • Making a concerted commitment to consumer security is a very basic first step. In many countries, the security of consumer data is paramount and not available in any form unless specifically granted by the consumer themselves.

2. Prominently displaying partners as it relates to privacy and security of consumer information.

  • Just as security signage outside a home such as an ADT home security sign can deter burglars from entering, so too can identifying third-party security partners on a website. This is just a subtle indicator to hackers to move on to other potentially less secure pastures. In the hacking world, any sign of potential resistance is also a signal to move on to the next easiest target. There is no need to take on the risk of a challenging opponent, if there are easier organisations available to hack into.

Meanwhile, don’t provoke or challenge the hackers. If you claim to be impenetrable, hackers will take it as a challenge to prove you wrong.

3. Being transparent about security efforts, and how collected data is used.

  • Make the consumer king yet again. Be open and honest with them regarding why the data is being collected and how it can help them. The key here is to continue to focus on THEM, not US (or the organisation).

4. Respond swiftly to any security breach, and work quickly to restore confidence within one’s customer base.

5. Don’t piss-off the hackers through efforts to provide a secure online experience.

  • Hackers exist in communities. Working against this community can have an adverse effect on security efforts.

6. Ensure the organisation’s focus is in the right area – securing consumer data.

  • The gaming industry is well aware of this. Their focus in many instances has been on hardening code to reduce piracy. This has made them more susceptible to data breaches against gamers. In some instances, this is exacerbated by enthusiastic gamers who disable their antivirus apps, as they tend to slow down their machines which is the last thing they want when in gaming mode. Either way, focus needs to be placed squarely on inhibiting any access to data and to avoid any long-term impact on any of the key players in this industry.


About the Authors

Laurence Minsky is Associate Professor, Columbia College Chicago, and a marketing consultant helping agencies and brands across the globe. He is also co-author of The Activation Imperative: How to Build Brands and Business by Inspiring Action and Audio Branding: Using Sound to Build Your Brand, among other books.

Ben DiSanti is an Adjunct Professor at The University of Chicago’s Graham School of Business and a Partner as well as a co-founder of DiSanti, Hicks + Partners, which specialises in omnichannel shopper marketing. He is also a Managing Partner of Competent Curiosity, a strategic consultancy as well as a co-author of Creative Segmentation: How David can take on Goliath.

Joseph Carson is a UK-based Certified Information Systems Security Professional (CISSP) with 25 years of experience in enterprise security & infrastructure. An active member of the global cyber security community, he is the Chief Security Scientist at Thycotic, a leading provider of password management to more than 7,500 organisations.



1. “Two Campers Meet A Bear,” eBaum’sWorld, http://www.ebaumsworld.com/jokes/two-campers-meet-a-bear/81322574/; uploaded 2/15/11; accessed 8/12/2017.
2. Lucas, James, Laurence Minsky & Ben DiSanti, “Good Cybersecurity Could be Good Marketing,” The Harvard Business Review, https://hbr.org/2016/09/good-cybersecurity-can-be-good-marketing; published September 23, 2016; accessed 9/4/17.
3. Titcomb, James, “Password guru who told the world to make them complicated admits: I got it completely wrong,” The Telegraph, http://www.telegraph.co.uk/technology/2017/08/08/man-wrote-password-bible-admits-advice-completely-wrong/; published 8/8/2017; accessed 8/13/17.
4. Contry, Pat & Anupam Narula, “Building consumer trust: Protecting personal data in the consumer product industry,” https://dupress.deloitte.com/dup-us-en/topics/risk-management/consumer-data-privacy-strategies.html; published 11/13/14 & accessed 8/14/17.
5. Contry, Pat & Anupam Narula, “Building consumer trust: Protecting personal data in the consumer product industry,” https://dupress.deloitte.com/dup-us-en/topics/risk-management/consumer-data-privacy-strategies.html; published 11/13/14 & accessed 8/14/17.
6. “The Incident Response Plan – how to help your business survive a cyber-attack,” Thycotic Webinars, https://thycotic.com/company/blog/event/the 7096359479051798019-incident-response-plan-help-business-survive-cyber-attack/; accessed 8/15/17.

