Non-paranoia-inducing digital safety for brands and content professionals

This essay originally was published on January 26, 2022, with the email subject line "CT No. 152: Hey, wanna cyber-secure your content business?"

I didn’t use to think much about digital privacy or security. I was a let-it-all-hang-out kind of internet user back then, with a public personal blog, an opinionated Twitter account, and a hopefulness about technology so naïve I wondered if getting a Google brain implant could be fun. My descent into what became an obsession and eventually a career in cybersecurity began in 2010 while working at WIRED. It was the heyday of Wikileaks and Anonymous; Adrian Lamo had just dumped the Manning chat logs to one of my colleagues at the San Francisco office, and Kim Zetter was unraveling the Stuxnet industrial malware story. Privacy and security were hot topics around the office, even though many of us still hadn’t adopted what are now commonplace security measures into our own workplace communication practices.

Then a colleague got mad at me for messaging them over GChat. It may sound paranoid, but they were overseas covering the Arab Spring. They had good reason to insist on moving our chats to a more secure channel. I got to thinking: maybe I should get better at understanding how being extremely online doesn’t come without risks.

Over the next 10 years I fell down the rabbit hole of cybersecurity questions and sought out an array of answers which only led to more questions. Cybersecurity experts, much like insurance salespeople, tend to linger excessively in the Valley of Worst-Case Scenarios. As James Mickens once wrote in his memorable 2014 essay, “This World of Ours” (pdf):

The only thing that I’ve ever wanted for Christmas is an automated way to generate strong yet memorable passwords. Unfortunately, large swaths of the security community are fixated on avant garde horrors such as the fact that, during solar eclipses, pacemakers can be remotely controlled with a garage door opener and a Pringles can.

We’re not going to the Valley of Worst Case Scenarios today. I’m not here to give you a panic attack or convince you to buy military-grade encryption software. My goal today is to make sure you, your company, and your audience aren’t low-hanging fruit for the hordes of very real hackers and data brokers out there looking for easy targets.

Threat modeling for content professionals

A threat model is a simple way to assess risks and viable responses as they apply to your situation. By creating a reasonable portrait of potential harm, you can also rule out solutions that will likely be overkill for your specific situation. Why buy a state-of-the-art safe if a simple padlock will protect you?

Here is a basic example of a threat model, also borrowed from Mickens:

Good news: Chances are, if you’re a subscriber to The Content Technologist, you are probably not engaged in Nation-State espionage, whistleblowing of classified information, or political dissent against a violent dictatorship. (And if you are, nothing in this essay should come as new information to you.) We can automatically rule out some of the more sinister Worst Case Scenarios. We also don’t need to get into some of the more complicated solutions, like wiping your laptop every time you cross a border and encrypting every email with PGP. Regardless, your work is very likely interesting to cybercriminals. Why? You're managing audience data, and lots of it.

Whether you’re deploying a digital content campaign to tens of thousands of customers, running marketing and user experience testing with third-party vendors, or managing content or social media production or operations, you should follow or implement company security protocols around user account management, access control, and authentication. You’ll want to ensure that your practices are not only legal but also respectful of your audience’s privacy beyond the law (i.e., don’t spam or otherwise abuse their trust in your brand).

Let’s explore some threats and solutions for the very real problems you could encounter in your professional life:

Potential security and privacy threats in content operations

We all know by now that reusing passwords is bad, data brokers are real, and data is valuable, so the potential threats we’ll consider for your industry mostly revolve around: