‘The Most Wonderful Time of the Year’ Has Arrived for Cybersecurity Holiday Readiness Campaigns

The online retail market is flush with cash – just last year between Thanksgiving and Christmas, U.S. consumers spent a record $850 billion and sales are expected to exceed $1.1 trillion this year. This stat not only makes a consumer say “wow”, it’s the perfect “pitch ammo” for a PR pro to use to hook a journalist when conducting a holiday readiness campaign.

We all want to land on the “nice list” for our clients and reporters, so here are 3 tips you can use to get in the holiday spirit when executing your media strategy this year and developing a plan for next season. 

  • Don’t fa-la-la behind (start outreach early!)

Lots of PR pros want to wait until peak holiday season to get outreach underway to reporters, but it’s likely too late. The trick is to get ahead of the game and start pitching your ideal storylines in early October and continue to spin new angles and follow up with reporters into the new year. This is also prime time to capitalize on your clients’ vertical business units or marketing objectives. Reason being? Think of the various “milestones” cybercriminals capitalize on throughout the core holiday months — Black Friday, Cyber Monday, holiday exchanges/returns, etc. They all tie to a vertical industry in some way (retail, financial services, etc.). Toss your stale security pitches and think outside the box — “leverage the knowns” as a client once told me. These are the news hooks reporters write about every year, so it’s up to us to think of fresh ways to tell the story.

  • …But, yule be sorry if you pitch something “just to pitch”

Poll a handful of reporters with different beats and they will all agree on one thing — don’t force feed a story. That doesn’t mean you can’t get creative in how you approach your pitch or angle (this is encouraged — especially with verticals!), but bear in mind that there has to be some tie to the holiday season that a reporter and their audience can bite on beyond just security. Maybe it’s a new cyber attack method that’s ramping up during the holidays that retailers don’t know about (looking at you, credential stuffing) or a best practices approach for authorizing holiday contractors in financial services. The key here is to push boundaries and be creative, but also be ready to admit if it’s likely too big of a stretch. Being vulnerable (and opening with honesty) to a reporter puts you in a better position to build an authentic relationship and could potentially be the deciding factor on whether or not they would go for the story. Remember, don’t be a Scrooge!

  • Sleigh the campaign by leveraging timely research

The holidays present a great opportunity for your client to tap their research team for new threat insights that may hit one of their verticals particularly hard during the holidays. Retail always comes to mind, but I challenge you to think of others. For example, cybercriminals treat tax season (which begins in January) as open season for phishing campaigns. Suddenly your retail angle becomes financial services and research insights tied to phishing could be the golden ticket to your “holiday” feature.

Now, only ~10 months until we get to do it again and tackle 2021 holiday readiness! 

How Regulatory Fines Became the New Normal in 2019

2019 was a landmark year for regulation in technology. We celebrated the one-year anniversary of EU-based GDPR in May, the approval of the California Consumer Privacy Act (CCPA) in October (which will officially go into effect on Jan 1, 2020), and saw the emergence of several global regulatory watchdogs, all culminating in a record-breaking number of regulatory infringement fines for tech companies that failed to prioritize the rights and privacy of consumers in 2019. And the bad news is, if companies don’t begin to get serious about privacy and data security issues in 2020, that number is only going to go up.

A Timeline of Unfortunate Events 

The regulatory year started off with a bang when, in January, the French data protection authority (CNIL) announced it was fining Google nearly $57 million for failing to properly disclose to users how their data was being collected across Google’s services. At the time, the penalty marked the largest privacy violation to date under GDPR, appearing only seven months after the law had gone into effect.

In March, Google faced regulation violations yet again, this time a $1.7 billion fine on charges that Google’s advertising practices violated antitrust laws in Europe. European watchdogs noted that Google had violated antitrust rules by imposing unfair terms on companies that used its search bar on their websites in the region.

Then came July, a busy month for privacy regulators. Facebook faced a record-breaking $5 billion fine as part of a settlement with the FTC – the largest penalty ever imposed on a company for violating consumers’ privacy rights. As a part of its settlement with the FTC, Facebook also agreed to adopt new protections for the data users share on the network. Around the same time, Facebook separately agreed to pay $100 million to settle data misuse charges brought by the SEC. Talk about a rough 30 days.

Additionally, British Airways faced a $230 million GDPR fine for its 2018 data breach which affected 500,000 customers. And similarly, Marriott was slapped with a $123 million fine for its data breach in 2018 which saw 383 million guest records and 18.5 million encrypted passport numbers stolen. Later in July, Equifax agreed to pay $575 million as a part of a global settlement with the FTC, following the credit reporting company data breach in 2017. The breach affected approximately 147 million people due to Equifax’s failure to take necessary precautions to secure its network. 

Finally, in September, Google-owned YouTube was fined $170 million by the FTC to settle accusations that the platform had illegally collected personal information about children without their parents’ consent. The settlement required Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA) Rule.

Less Than Fine

As technology and tech giants have continued to advance and expand at an unprecedented scale, we witnessed a critical third party enter into the business/consumer interaction in 2019 – the regulators. Established not only to prioritize the rights of consumers but also to manage the reach of tech giants, global regulators and watchdogs used 2019 to establish themselves as protectors of the people, defenders of data democracy, and forces to be reckoned with in the tech world.

So what will 2020 hold for all three parties? No one can be quite certain yet. But what we can expect is that the watchdogs will continue to advocate for transparent data management practices, honest and timely breach disclosures, and increased data privacy regulation, whether tech companies decide to comply or not. We can expect that the CCPA will mark only the start of data privacy legislation in the US, and that the rest of the world will likely begin to follow along the path GDPR has set by adopting legislation of their own. Countries like Brazil, Australia, Japan, South Korea, and Thailand are already doing so. 

Own It – Secure It – Protect It: How Highwire Puts Training into Practice

If you work in tech PR (or you’re a journalist) you’re all too familiar with National Cybersecurity Awareness Month (NCSAM). Hopefully whoever you are or whatever you do for a living, you understand why this month of awareness is important and why we need to shed light on the proactive steps people can take to protect their information — whether that’s in the workplace or in their personal lives.

According to the National Initiative for Cybersecurity Careers and Studies (NICCS), NCSAM is “a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.” It should come as no surprise, then, that the theme this year was “Own it – Secure it – Protect it,” with a strong focus on data privacy, IoT devices, e-commerce security, and social media.

After all, the internet touches every aspect of our everyday lives. From the time we wake up to the time we go to bed we’re connected, whether it’s en route to the office, or scrolling through Instagram as our heads hit the pillow. It’s paramount (read: it’s our obligation) to take the necessary steps needed to #BeCyberSmart.

Own it. 

So, as cyber intrusions and phishing attempts become more sophisticated, it’s absolutely critical that employers and employees take actionable steps to secure and protect themselves — and their data — online and when using their connected devices. To put it simply: as hackers and their attacks become more prevalent, why shouldn’t our own preventative measures? 

“Security attacks against small, privately owned businesses have been steadily increasing over the past year,” said Caroline Garrett, our San Francisco office manager. These attacks can have a devastating impact on businesses. In fact, one study found that globally the average cost of a data breach was $3.86 million, a 6.4% increase over 2017. The same study found that data breaches are even more detrimental to SMBs, citing that damages from a breach can be equivalent to the total value of a small business.

At Highwire, we are humble enough to recognize that we can always do more to safeguard company data, protect our employees, and train our staff to become stewards of their personal data while practicing good cybersecurity hygiene. That’s why we recently rolled out a series of interactive training modules that were mandatory for all Highwire employees, covering a wide range of topics and teaching employees everything from how to spot phishing scams and stay safe on public Wi-Fi, to protecting company information while traveling and creating unique, strong passwords.

“These trainings go out at random times throughout the year,” said Garrett. “I find this important as it’s a constant refresher, rather than a long, laborious training that occurs twice a year. I want people to walk away with the knowledge to take to their clients, ensuring that they too are secure in their practices.”

Protect it. 

So how well did we fare? Our strongest category overall was the module “Work Safely Outside the Office,” with a 98 percent pass rate. The overall industry benchmark standard for these trainings is 77.9 percent, and the overall benchmark for our agency is 77.4 percent. But, we’re not stopping there.


In addition to the ongoing training modules, Highwire’s operations team also sent out fake phishing emails to show employees that these attacks are now so sophisticated that emails may appear to be coming from someone within your company, like your accounting director or your boss, when they’re actually just a cyber criminal in disguise. Even if you feel like you have a strong sense of what a phishing attempt looks like, everyone needs to scrutinize these messages in order to determine what’s legitimate.

“I fell for the first one even after going through our internal training about what to watch out for,” said Tori Sabourin, senior digital manager at Highwire. “Falling for the fake phishing email was a wake-up call, so now I’m extra cautious when opening emails that look to be a bit out of the ordinary.”

Secure it. 

To continue to spread awareness around NCSAM and our training initiatives, Highwire’s Society committee hosted a “Cybersecurity Jeopardy” night across some of the Highwire offices. We wanted to take all of the great content from our trainings and have some friendly competition (because, why not?). 

And while this was the perfect excuse to share some champagne and cheese in honor of World Champagne Day, this really was about taking what we learned from the trainings and putting our knowledge to the test. Shout out to Lizzie, Jill, Amruta, Talia, Mariah, and Jazmin in the San Francisco office for winning and Robby, Jordana, Ben, and Tricia from our New York office! (Boston and Chicago – it’s your turn to strut your cybersecurity stuff!) 

What’s next for Highwire? We’ll continue to roll out mandatory training modules and security protocols that empower our employees to make smart, safe decisions online. Our mission in taking a proactive approach to cybersecurity at Highwire isn’t intended to disrupt our daily routines. Instead, it’s about practicing some easy-to-follow habits, like always being mindful of suspicious emails, keeping your computer software up to date, and changing your passwords on a regular basis. 

Want to learn more about Highwire’s cybersecurity practice? Contact us at hi@highwirepr.com or careers@highwirepr.com if you’re interested in a career at Highwire.

Digital Tips for Event Promotion

When it comes to planning an event for your company, designing and leveraging digital assets is one of the greatest opportunities for your business. Branding isn’t just throwing your logo on a graphic, sending out some tweets and crossing your fingers for high engagement. It comes down to the overall messaging and display.

We wanted to share some tips and tricks based on Highwire’s recent Security Panel, Privacy and Policy in the Age of Disinformation, and how it helped both our digital and design teams. Here’s our process:

  1. Think about the goals and objectives of the event itself. What are you trying to illustrate to your target audience, and how can you display that in your graphic? For example, the goals of Highwire’s Security Panel were to educate on the matter of Disinformation, and, of course, garner interest in attending from our target audience.
  2. Get educated on design. To non-designers, photo-editing, vectoring, masking, etc. may seem a little overwhelming. For beginners, it’s best to start by learning the principles of design – balance, emphasis, movement, pattern, repetition, proportion, rhythm, variety, and unity. Also, take into consideration color, typography, graphic elements and composition to help promote your event the best way possible while staying on brand. Finally, there are platforms out there that can help beginners get started with design. Free tools that could be great resources include Canva, Picmonkey, and Vectr.
  3. Plan it out. Having diversity throughout graphics is crucial in the promotion of the event as it keeps the information interesting, while also consistent and straightforward to the audience. Always include photos from the event to promote afterward on social channels.
  4. How are you going to promote this event with these graphics? Think about what social platforms resonate best with your target audience and when that audience will be online. You don’t want to post when no one will see it.

With these tips, you’ll be able to start designing and leveraging your digital assets to promote your event in the best possible way. For more information, contact Highwire’s Digital Studio at digital@highwirepr.com.

HW Rapid Response Methodology: Looking to our friend RITA to stay on top of trending news

In the fast-paced, noisy world of cybersecurity, it can be difficult to be seen in the media at all, and even harder to elevate your brand as a thought leader in the space. However, our Highwire security practice has cracked the code to this issue through the creation of our rapid response method that is a key piece to our security program. 

This methodology’s success is mainly attributed to each account’s very targeted focus on news events that make the most sense to their business, and avoidance of ambulance chasing. However, one specific event in May 2017 impacted all security accounts and showcased the true breadth and depth our rapid response program can have across a practice: the infamous WannaCry ransomware attack, which hit the globe, crippling businesses, government entities, and healthcare orgs. Our Highwire Cyber Squad was all over it, implementing our rapid response process and successfully securing more than 40 original stories in top tier business outlets across 11 clients in a five day period. The effort elevated execs as thought leaders on an issue impacting businesses across the globe, ultimately totaling daily coverage in the WSJ Cybersecurity Pro newsletter for five days, New York Times coverage, and two broadcast hits with NBC.

The methodology behind this incident is a focused rapid response program that revolves around four pillars: Relevancy, Timeliness, Insight, and Action (also lovingly referred to as R.I.T.A.). Below we’ve included a breakdown of these four pillars and how they work together, creating a successful program.


The first step in the rapid response method is relevancy. This ultimately means having a deep understanding of the industry and news cycles that surround it. For cybersecurity, major data breaches continuously grab headlines, but it’s important to know what type of breaches are getting the most coverage, who the audience is, and with that knowledge start to focus on opportunities to share thought leadership commentary around the stories that are most relevant to your organization and the visibility you’re hoping to garner from rapid response. 

When deciding which news stories make the most sense to garner visibility for your organization, it helps to think through the broader issues at hand and identify all points of impact. Thinking through the repercussions a particular story will have on businesses, consumers, and politics should guide the direction of your commentary to ensure it has the most impact. 


When creating the thought leadership commentary for a rapid response opportunity, the insight that is most valuable to reporters and readers offers a unique perspective. It can be easy to use a canned response, however, this commentary is less likely to be included in any stories, as it is less likely to be relevant to the news story or the audience reading it. 

Providing unique insight that looks beyond what is being shared in the articles already published can garner the most attention. Determine if you can share knowledge about the future of the impact, additional victims not immediately thought of, or insight on similar breaches/research that will add more to the narrative that is already out there. Think through how your insight will stand out and be the most useful to those reading.


While timeliness is the second step in the process, this pillar should always be top-of-mind throughout the entire rapid response process. If knowledgeable thought leadership commentary is shared after a news cycle has ended, reporters will no longer be interested and the opportunity will be lost. 

To get the most out of the time that goes into rapid response opportunities, it will work in your favor to establish and leverage relationships with media. Engage with them strategically when breaking news hits. Reach out to those reporters who would be most relevant to the story at hand to determine who might be covering and what deadlines they’re working towards. This will help establish yourself as a useful resource to these contacts, as well as ensure you’re not wasting anyone’s time by pitching thought leadership to a reporter who doesn’t cover that topic. 


As a final step, when creating thought leadership commentary, offer useful advice. Explain how other companies can avoid a similar situation, or provide next steps that the victim of an attack should take. And finally, make sure the advice and action provided is vendor-neutral. Nothing will damage your thought leadership brand, or be disregarded, quicker than commentary that is just refurbished marketing jargon.

Moving forward, we hope RITA will have a successful impact on your rapid response program, and if you’d like to ensure that the insight you put out takes a stand, is more than the current story, and paints a future picture, please feel free to contact our Highwire Cybersecurity Squad for more details.

What We’ve Learned About Privacy & Policy – Thanks to a Little Help From Our Friends

We had the pleasure of hosting a security panel in San Francisco last week, focusing on ‘Privacy and Policy in the Age of Disinformation.’ If you were able to attend, let us be the first to say that we appreciate you taking the time out of your busy schedule to do what is most imperative in this era of disinformation and distrust – learn more about the issue at hand. 

For those of you who were not in attendance, we were fortunate enough to have an expert group of panelists — including Joe Menn from Reuters, Michael Liedtke from The Associated Press, Seth Rosenblatt from The Parallax, and Shaun Nichols from The Register — shed some light on the matter.  Our panelists shared some of the ways they personally have been following along as these issues continue to grow worse entering into election season, a new era of data privacy legislation (via the California Consumer Privacy Act in early 2020), and as we continue through the ever-evolving age of social media.

The panel was moderated by our SVP and head of the Highwire security practice, Christine Elswick, who noted that, “As we head into an election year, questions are still swirling about where the balance is between privacy and security and our freedoms and safety.” Christine continued, “2016 was a rude awakening for Americans who were inserted in their first interaction with social media driven disinformation. But what has happened since, and what does the future look like?” Our expert panelists were there to break down many of these issues and more. 

What does ‘fake news’ mean in 2019?

The panel kicked off by diving straight into what constitutes ‘disinformation’ in this day and age. Joe Menn of Reuters explained that “Disinformation is intentionally false information whereas misinformation is accidental – such as when your grandma misremembers a story from her past.”

The panelists discussed ways to better identify disinformation and the role social media has played in perpetuating the dissemination of false messages. When highlighting how regulation of big tech has begun to factor into the conversation, Shaun Nichols of The Register warned, “We can’t get too focused on Google, Facebook, and big tech models because, if we’re only addressing one type of model, we are going to miss a whole bunch of others.”

Michael Liedtke of The Associated Press also chimed in on the effect disinformation has had on the consumer noting, “Average folks sitting at home are now more suspicious of the information they see online – which is a good thing. Identifying disinformation is not the same thing as stopping it.”

The panel then dove into some of the larger privacy concerns facing us everyday as consumers, writers, PR practitioners, tech enthusiasts, and more. “The problem is, partially, we don’t have a national standard on privacy, but we also don’t have an international standard for a lot of different things that have been around for far longer than digital privacy issues,” explained Seth Rosenblatt of The Parallax. 

When highlighting ways to level the playing field in cybersecurity and bring new perspectives to data privacy awareness in general, Joe Menn of Reuters noted, “I think one thing that would really help affect change in privacy is if there were more senior technology executives who were women. Because I think an extremely alarming percentage of women have been stalked…and women, because they’re frequently victimized in this way to an astonishing extent, are much more privacy-aware.” 

The group’s consensus at the conclusion of the event? There is still much that needs to be done in the world of data governance and data privacy legislation, but what is the best way to deal with the current state of data privacy and disinformation? Give more power to the consumers. Let the people decide if and how and when their data should be used. Only then can we restore democracy to data.

Interested in hearing more about how this panel came to be? Stay tuned for our upcoming blog post on how we created and leveraged digital assets to amplify awareness for the event.

Privacy and Policy in the Age of Disinformation

As we head into an election year, privacy and policy are on the brain — and for good reason. Social media-driven disinformation was introduced in 2016 and over the years the industry has begun to navigate new roles for big tech and government, dissect privacy implications, and define a new era of journalism.

On October 17, Highwire will be hosting a media panel discussion on Privacy and Policy in the Age of Disinformation. Joining Highwire in the discussion will be leading cybersecurity, tech and policy journalists — including Reuters’ Joseph Menn; Associated Press’ Michael Liedtke; The Register’s Shaun Nichols; and The Parallax’s Editor in Chief, Seth Rosenblatt — who will share insights on how disinformation campaigns are impacting society and business today, how their readers are responding, and their predictions for the future impact it will have on the security industry and journalism at large. The panel will be moderated by Highwire’s own Christine Elswick, Senior Vice President and head of our security practice.

Here’s what the night will entail: 

  • 5:30 – 6:15: Networking and Cocktails
  • 6:15 – 7:15: Panel Discussion
  • 7:15 – 8:00: Networking and Cocktails

This panel will be held at Highwire Public Relations’ San Francisco office: 

727 Sansome Street, 1st floor

San Francisco, CA 94111 

This will be an engaging, interactive discussion that you won’t want to miss. We can’t wait to see you there! 

Interested in joining us? Register for free here

#HWCyberSquad Takes Black Hat 2019 by Storm

Kicking off the 22nd year of Black Hat were keynote speeches from the conference’s founder, Jeff Moss, followed by Dino Dai Zovi, the mobile security lead at Square. Both talks reinforced one main message that was felt in all sessions, briefs, and side conversations that followed – communication is key. 

The security world finally has its well-deserved spotlight, and cyber teams are now being challenged to seize this opportunity and shift their focus to high engagement with departments across companies through thoughtful and strategic communication. 

In Dai Zovi’s talk, he shared his career path through security, starting with research and hacking contests he did in his free time – since security positions weren’t an option when he joined the workforce – to now, where he holds a lead security position with a seat at the head table. From his personal roadmap, Dai Zovi has been able to pull together four main ways that security teams can shift the way they engage and communicate across all teams at their organizations, which are:

  • Start with “yes.” In order to engage the world, you can’t shut them out 
  • Meet with teams dealing directly with customers to get a deeper understanding of who customers are and what they struggle with on a day-to-day basis
  • Use feedback loops and software automation to meet scalability needs 
  • Create a culture of security across an organization, instead of focusing on strategy and tactics

It became clear that the security community was hungry for more communication like Dai Zovi noted above and ready to shift their focus. While technology demos continued to be a huge part of the conference from a marketing perspective, with technical innovations in automation, machine learning, artificial intelligence, and the new, changing definition of endpoint/perimeter security being the main PR drivers, most technical conversations managed to continually turn toward this more human element of cybersecurity.

As we see security concerns around topics that are increasingly detrimental to society, such as election security, data abuse, privacy issues, AI being weaponized, and widespread disinformation, Dai Zovi’s message on shifting the focus of cyber teams to communication will become more vital than ever. It will open the opportunity for a culture of security, empowering each individual in every organization to be an extension of their security team and allowing cyber practitioners to think big and work together against future cyber attacks.

Let us know if you’d like to connect with Highwire PR to talk through how communication will change the game for the security industry! Contact secleads@highwirepr.com for more details.