Skip Navigation
BlackBerry Blog

An Open Letter to Advertising Agencies on Application Security

FEATURE / 11.22.17 / Pete Herzog

This is an open letter I received from a copywriter at an ad agency in NY. I think it’s important because it shows that more and more “regular” people are aware of their infosec role and yet have to work under conditions where it’s obvious they are at risk. They recognize it because that risk impacts their job and their potential earnings. So of course it matters to them. This letter was written to advertising agencies but it could be to so many more.

Dear --

Of the 150+ advertising agencies in Manhattan alone, I am a copywriter in one of the biggest networks. Our office shares a server with six other agencies, some of which house competing brands.

I chose to write for pharmaceuticals because it’s more technical. Pharma writing is often more reliant on competitive strategy and data presentation, and so is more lucrative than traditional advertising. The copywriters who know how to glean an edge from clinical trials can write the most compelling copy to move their brands forward. More brand recognition, more money.

Because of this, the highest valued pharma copywriters are always hungry to take full advantage of whatever insights are available to them—from whatever sources they can find. Any sources. I don't want to tell you how seriously I've considered wiretapping the agency across the street. It's a dirty job, but someone's got to get a cut of all of that big pharma money!

So really, my job is just about staying competitive with the other marketers in my position. I have my collection of Google alerts to monitor the web for the names of my drugs and all the others in the same category. I often search competitors’ material, such as detail aids (brands’ main pieces) and any other competitive insights I can find. If I can gather any clues about their strategy, keywords, drug trial data, and of course, promotional launch dates, I can alert my team and keep myself in the green. If you ever thought that advertising is a dirty business then know that it’s even dirtier than you suspected.

But my point here is that with minimal effort, I often find exactly what I look for. How sad is that? Which is why I am writing this because privacy and security for pharma is atrocious and the third-party vendor leak is the advertising agency.

Whether on other copywriters’ portfolios, popular file-sharing sites, in shared folders on the cloud, or even on public vendor and company websites, I can find things open and public:

  • Nobody uses encryption.
  • Nobody restricts permissions.
  • Nobody cleans the metadata out of their documents.

There are so many broken company web apps where you just need to run their search or change the URL a bit and you get unlinked documents. My only rule is, if I find it, I use it.

This is not a two-way relationship. If it's my brand that leaks the information, I make sure my client is notified immediately and the piece is taken offline. Thousands of my own man-hours, sweat and tears have been spent on the evolution of many of these materials. I have spent years of my life perfecting my brand’s clinical presentations. So nothing makes me angrier than finding brand pieces that I've personally spent weeks of late nights on, leaked online.

One of our copywriters who put an internal piece online had to clean out his desk the next day. We found one of our medical convention booth mockups on a vendor website and cut ties within a week. I take information security very seriously and demand the same of my team. But I think we’re the only ones.

Naturally, we copywriters sign an NDA the second we accept a job, and are constantly lectured on the fact that sharing any work that isn't already published, and public, is grounds for instant unemployment. Secrecy is integral to client and agency trust, so much so that we can't even accept freelance writing work that would be seen as a conflict of interest to our current drugs.

But all this secrecy doesn’t matter if we were breached. Or careless with our own security practices.

Speaking of which, I'm tapping the keyboard of a 1997 company Dell laptop to write this article. I just signed onto Windows 2007 with my 5-month old default login and password that I also use for remote web access to our files. Though I updated my password last night, the computer hasn't registered the change, because the malfunctioning dock it's supposed to connect to continually causes me to reconnect and disconnect from the Internet.

Still, I’m made to jump through these password hoops which do absolutely nothing if the permissions on the document share areas are badly implemented. Here's a non-hypothetical question for you: what am I actually logging into if there’s no real security?

This is the work-issued laptop I grab for every work meeting. The one on which I review proprietary product information that cost our client millions of dollars and thousands of market research hours to obtain. The cloud servers I use house the latest promotional designs and research decks for several of the industry's highest selling brands. And this isn't the only type of information that's at stake.

When drugs have upcoming competitors, pharmaceutical companies may choose to spend hundreds of millions to gain just a few months' priority in the FDA review process. This is in order to avoid the loss of even more in potential profits due to process delays, clinical trial holdups, or loss of brand identity.

Needless to say, an advantage in this race can mean multiple millions in gains or losses.

Like most agency employees, I keep my files in my desktop folder and route them through the team on an app with another default password. Sure, it changes every 90 days, but that's annoying, so we ask the admin to reset it often, leaving us with the default, time and time again. Which doesn’t matter because it’s often sitting in plain text in my 90's email program, on an unencrypted laptop with no VPN or host-based firewall. So it hasn’t been breached only because nobody has bothered to yet.

One drive-by download malware or one click on a phishing link and the attacker has access to everything I can access, which is nearly everything my agency group is working on.

I'm hoping that you IT professionals supporting us see now that there’s more at stake than you think. Whether you work in my company or you’re an outside contractor, you are in charge of protecting hundreds of millions of dollars. And as someone lacking the technical knowledge to do what you do, I need you to invest a little of your allocation into keeping our applications secure. Maybe you think you are, with your patches, vulnerability scans and password changes, but you’re not—at least not how it matters. Even I know that password changes are not even best practices anymore. Don't be the one that loses big pharma's money; they'll find a way to make it back from you.


A copywriter with too much to lose.

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.