Fear Mongering In Security Marketing – What Is It and Why You Need To Learn To Spot It

A client sent us an email earlier in the week referring to an article posted by one of our “competitors”.

The question amounted to this:

“They’re saying they’ve ‘patched’ a known security vulnerability using their security plugin. Would Shield have protected us?”

This is a good question, and one that is perfectly natural after reading that article. We’ll answer this a little later on though, but by the time you get there, you’ll realise there are more important questions to ask first.

Be afraid, be very afraid!

We’re all running around with lizard brains wrapped up in highly evolved pre-frontal cortices. This means that, whether we’re aware of it or not, certain base emotions control us.

These base emotions exert a powerful force in our lives though most of the time we’re completely oblivious to it.

Fear: this is just one of these. And guess what? Fear sells. And marketers know it.

Imagine that we sell a security service (which we do). How can I get you to buy it?

There are many ways, but a solid approach is to build up fear, regularly, and then pitch our services as the antidote.

This is common and I see it almost every time I read an article on security – I’m amazed that it’s so blatant. But it sells…

How to spot fear-mongering in security articles

It’s easy to spot fear mongering once you become aware of it. The first place to start is to question the facts. Not necessarily whether they’re true or false, but to put a little more meat on the bones.

I use that article sent to me as an example. This is in no-way a dig at the author and/or their products. They’re great products. But I take issue with omission of key data, which leads to a flawed picture in the minds of the unsuspecting.

While there are many different types of readers, most of us want an answer to these simple questions: “Am I safe?” / “Am I ok?” / “If I’m not, what do I need to do?”

The article in question was discussing a vulnerability with a premium theme. They had noticed an increase in attacks lately. All this is perfectly fine. Until you do some investigation into the facts.

To do this, we have to start asking the right questions.

Some questions to determine whether a security article applies to you

Here are a few to kick us off:

• How can I determine whether this threat is applicable to me? i.e. what information do I need?
• Is this threat applicable to me?
• Was this threat applicable to me and is it any longer?
• If the threat applies to me, what do I need to do to remove the threat?
• Is that article offering a solution? If they are, is it their own and is it a paid solution?
• If it’s a paid solution, is theirs the only solution? Have they offered alternative approaches?

Unfortunately for that article, it fails at every single item here and this has lead us to write this article.

That original security article failed to outline, in any detail whatsoever, the specifics surrounding the original vulnerability. Here are some things that article in question left out:

• There was no link to the actual vulnerable item – the theme.
• There were no dates – e.g. the date that the vulnerability was published/detected/acknowledged etc. Any sort of date!
  – Simply linking to 3rd party sources for us to dig up this info isn’t sufficient.
• It didn’t state whether the vulnerability is patched or not.
  – It turns out, the vulnerability is already patched (this is a critical piece of data, because it practically negates the need for the entire article).
• It didn’t state the fact that the vulnerability was detected and patched well over 1 year previous to that article being published.

The reader is told none of these things, but is instead reassured of how the premium services can protect you and also your clean site up.

Unfortunately for the reader, their fear is ignited, and their fear response is in no-way alleviated. They aren’t told that if they’re running this theme on the latest version, they have nothing to worry about and don’t need a security plugin to help them.

Perhaps this is an oversight and it’ll be added in a later revision, but again, the primary purpose that most readers will read an article like this is to answer the question: “Am I okay?”

The #1 lesson from that article is …

The #1 most important piece of security advice that has ever been given, and is repeatedly given (but oddly lacking in that article) is:

Keep your WordPress, plugins, and themes, up-to-date.

If you followed this advice, you wouldn’t have needed any security plugins, free, premium or otherwise, to protect you in this case.

This holds true for premium plugins/themes as well as for free. The cost to patch is a fraction of the costs for repairing a hacked site.

Our #2 lesson from that article is …

We, here at iControlWP, can do a lot better than we have been doing.

You see, writing articles (re: content marketing) is important for promoting engagement and educating you, our fine readers, on issues that are important. Why would we do it? For two reasons:

1. To educate. As we work away we learn new things and feel it’s important to share them (as we’re doing right now). That way we all get smarter, more informed, and can make more sound decisions going forward.
2. Marketing. As you engage with us, learn what we’re about, and understand where we’re going and why we’re going there, you will see value, or not, in the services we offer. You may then, or not, decide to purchase our services. That’s a win for us and for you.

For fear of projecting an brand image of “fear-mongering marketing” of ourselves, we probably haven’t written nearly enough articles to educate our clients and our readers.

That’s our bad. We can certainly do better than that (though to be fair we’re improving more recently).

So could Shield have protected you?

Back to the original question: They’re saying they’ve “patched” a known security vulnerability using their security plugin. Would Shield have protected us?

The answer is, probably not, because the attack would be on a specific vulnerability. But if you’ve been paying attention, you’ll know that you wouldn’t have needed any security plugin. You would have just needed to update the theme over a year ago, when the patch was originally released.

Use the questions we outlined above to assess any information you receive.

The fact remains that we sell a security product, and in order to generate sales we need to educate clients on their need to protect themselves. Our aim should be to educate you, inform you of your risks, and offer a solution that is in response to the true risks involved.

However we decide to approach our marketing going forward, I can promise you that we’ll strive to inform and educate first, and scare the pants off you second. 😉