It’s hard for cybersecurity companies to get noticed. Smaller vendors particularly struggle because top corporations already have contracts or strong customer relationships with the biggest companies.
This is where the threat of negative media coverage comes in. Exposing a security flaw, no matter how small, can garner big headlines if it’s at a big company. Enough press coverage can spark weeks of outrage and land top leaders in front of Congress.
However, breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don’t expose important company or customer information.
For instance, all four executives said vendors tried to draw their attention to potentially exposed data on Amazon and Microsoft Azure cloud servers. None of this data included any current material information.
In one case, a database housed business plans for a 10-year-old project that had already been reported on and was now irrelevant. In another case, the data included information about customers — but only their names and the fact that they had attended a technology conference several years earlier. There were no further personally identifying details, Social Security numbers or other data that would have raised the ire of regulators or even senior company executives.
But the representatives pressured the execs on the phone, saying they had repeatedly tried to warn them about these minor issues and were ready to go to media outlets.
Fearing negative publicity, these execs typically agreed to spend around an hour allowing the vendor to offer “free services” to fix the problem, followed by a bigger pitch for paid services.
Two of the executives also said vendors used questionable tactics just to get through to their phone. Vendors have called in to report “emergency” incidents, then once they got past the company’s gatekeepers, turned the “alert” into a sales pitch. They have also lied to administrative staff about their reasons for calling, characterizing their call as a matter of grave security importance, only to present a sales pitch once they’d worked their way up to the right executive.
All told, this results in a great deal of wasted time. Worse, as one executive said, “I distrust most of them, so it’s possible I miss the people who may be trying to raise actual issues.”