Cyber-security is taking a new twist in 2015 as companies begin to assess risks posed by sales and marketing activities that rely on digital channels and social media.

Long gone is the deliberate pace of marketing from the “Mad Men” era, where teams took days or more to mock up proposed print advertising that went through multiple layers of review. Digital marketing moves more quickly, involves more people, can trigger more regulatory oversight, and is far more prone to fraud or data theft than anything Don Draper worried about.

Little surprise, then, that Corporate Executive Board lists digital marketing as a “hot spot” in internal audit planning that deserves greater corporate attention in 2015. The rise in digital marketing gives companies the ability as never before to target their sales and marketing activities to specific customers. But it also produces reputational and data privacy risks playing out in news headlines with greater frequency, CEB says.

“This is something many internal auditors are not familiar with,” says Ruth Shaikh, associate director at CEB who performed the research that led to CEB’s conclusions. “When we talk about digital marketing, we mean use by companies of digital channels—like social media, e-mail, Web applications—to connect with their customers and stakeholders.” The idea that digital marketing channels can create risk is perhaps not news to internal auditors, she says. Knowing how those risks are created, and what controls should be in place to mitigate them, is a work in progress.

The potential risks are every bit as numerous and complex as the modern digital supply chain and its long list of characters, says Danielle Ritter, assurance director for PwC who works primarily in technology and media sectors. “If you’re sharing data, what are you sharing?” she asks. “Who are the partners you’re working with? Who is helping you deliver or build your digital marketing campaign? Internal auditors may want to evaluate the risks of those parties.” That’s a key part of protecting the data the company is sharing with its service providers, she says.

Digital marketing fraud is rampant, says Linda Wooley, president and CEO of Trustworthy Accountability Group, a grassroots organization trying to combat the problem and give companies standards and tools to protect themselves. “The entire supply chain is very complicated, with a lot of parties in the chain to deliver a digital ad,” she says.

The supply chain even for something as simple as an online advertisement has advertisers, ad agencies, ad buyers, advertising networks, ad exchanges, publishers, and auctions to bid for ad dollars and placements. Along the way, nefarious players sneak into the system and siphon off ad dollars that never deliver the advertising impressions intended, she says.

Another risk, Wooley says, is piracy: rogue players picking off legitimate ads and creating spoofs re-directed to fraudulent URLs. “It looks as if those ads appeared somewhere, so the criminals are paid, but the ad was not seen by a human,” she says. “And there are many, many more types of fraud in the system.”

The Association of National Advertisers recently released a study showing that advertisers will lose $6.3 billion of their advertising spend globally in 2015 to non-human bot traffic. In this scam, “clicks” on online advertisements come from machines with no actual spending power rather than from the humans the advertisers were paying to reach. For U.S. companies, that amounts to as much as 30 to 50 percent of a company’s digital advertising budget, Wooley says.

“So you have chief marketing officers looking at their budget and saying 30 to 50 percent of what I spend on digital advertising is wasted,” she says. “That’s not sustainable.”

Getting Ahead of the Problem

THE LOWDOWN ON TRAFFIC BOTS

Below, the IAB offers information on why traffic bots are dangerous and guidance on what to do to protect your company.

How traffic bots generate false traffic:

After infiltrating legitimate systems, fraudsters can use bot code in different ways to generate false traffic. They often operate just under the surface or when human users aren’t present to detect foul play.

Some of the ways bot code generates false traffic:

Generating ad views while consumers browse unaware.

Hijacking user controls to generate fake clicks when the computer is dormant.

Running invisible processes behind the scenes to simulate consumer activity.

Compromising cookie data to simulate high-value consumers.

Why you should care

Allowing the bad actors in our industry to profit from traffic fraud affects the entire online community. In addition to diluting inventory value and diverting funds from legitimate businesses, traffic fraud undermines the integrity of digital media.

Some of the negative impacts of traffic fraud:

Brands waste money on ad campaigns that are served to invisible inventory.

Digital media is degraded, and brands look elsewhere for their marketing solutions.

Ad performance and website visit data are contaminated, undermining analysis.

Artificial fraudulent inventory floods the market and decreases the value of legitimate (real human) inventory.

Criminal activity is enabled.

The industry may be subjected to government oversight, negative press and potentially business-dampening enforcement.

What You Can Do

The solutions to traffic fraud are not always intuitive. For example, the outright blocking of fraudulent traffic gives information to the fraudsters that helps them blend in better and become more difficult to identify.

In addition to the following general guidelines, steps specific to buyers, publishers and networks are outlined in subsequent sections.

The following general guidelines can help any online business get started:

Educate yourself about traffic fraud and the risks that it poses to your business.

Adopt policies and strategies to identify fraud and mitigate its impact.

If you are an advertiser, set clear objectives for your media campaigns that focus on the measurement of real ROI, which is difficult for fraudsters to falsify. Measures such as click-through rate, completion rate, and last-touch attribution are easy to game.

Practice safe sourcing and trust only business partners who have earned trust.

Implement technology to detect and prevent fraud.

Filter traffic through vendors who prioritize fraud detection.

Source: IAB.

TAG is in the early stages of creating standards for participants in the digital advertising supply chain, intended to reduce the ability of illegitimate players to weasel their way in. Such standards will be helpful not only to advertising and sales executives, but to internal auditors as well, Wooley says. “There will be business rules for everybody who operates in the ecosystem. These will be things you need to do to vet your vendors.”

The role of internal auditors is to get educated on digital marketing risks and help manage those risks across the enterprise, Ritter says. “Digital marketing is a relatively new area of risk, and it’s constantly changing,” she says. “You don’t always see marketing and advertising as a high focus in the internal audit plan, but companies should start by inventorying what their digital marketing touch is.”

Bill Michalisin, chief marketing officer for the Institute of Internal Auditors, says internal audit’s focus so far for digital marketing risks has centered on the employee side, or what companies are doing internally. “Now we’re seeing more instances of social hijacking, more cases where parties outside are coming in and doing damage,” he says. “Companies haven’t viewed it that way very much.”

Interest in more education and information on digital marketing risks is growing in internal audit circles, Michalisin says. “It’s a newer area, so I don’t know if we can say there are even best practices yet per se,” he says. “There is a need for peers to share ideas and strategies they can start to put into place to address this. There is demand for that.”

He suggests internal auditors start the dialogue within their own organizations to assess the company’s exposure as a result of its digital marketing activities. “Once internal audit has a full view, they can bring to the conversation their expertise and their perspective around mitigating risks and evaluating controls.”

Warren Stippich, a partner and national GRC leader for audit firm Grant Thornton, says larger companies that are brand-driven and consumer-oriented generally are further along the learning curve in assessing and responding to digital marketing risks, but virtually any company could benefit from reviewing its policies and procedures. Before digital, sales and marketing activities generally were subject to layers of internal approval before anything would be released to the public, he says.

“Now, anyone can upload and hit ‘post,’ and it happens in seconds, read by tens of thousands of constituents,” he says. “That’s a big risk.”