5 cybersecurity tips for content people
No one got into content for this... but boy do we need it. As a new course goes live, One Further founder Chris Unitt shares his need-to-knows about staying safe online.
A little while ago, I started putting together a cybersecurity course for marketing and digital teams in the arts.
Not because I'm a security expert or anything, but because I kept seeing things that made me wince. The same passwords reused everywhere. Login details shared in plain text or kept in spreadsheets. Weird apps granted full access to Instagram accounts.
Meanwhile, every few weeks, I’d hear another story about a museum or theatre taking a system offline because of a data breach, or dealing with a hijacked social account.
My company recently went through the process for Cyber Essentials certification, which brought a lot of things into sharper focus, but it occurred to me that there was nothing particularly tailored to the sector we work with. So I did a bit more delving and put a short course together.
Here are five things I’ve learned along the way.
1. You’re a target because you’re good at your job
Marketing and digital teams in cultural organisations tend to have access to everything:
Social accounts with lots of followers
Email platforms connected to your entire audience database
CRMs full of supporter information
Payment systems
Websites that people are very keen to buy things from
That access is exactly what attackers want. And because marketing people are trained to be responsive, helpful, and fast – to jump on urgent requests, to get things done – we’re often easier to manipulate than someone in finance who’s been trained to question every invoice.
Most hacking incidents don’t start with anything sophisticated. They start with someone clicking a link because it looked legit, and they were busy. That’s not a personal failing. It’s just something that can happen.
2. Urgency is almost always a red flag
If there’s one thing I want everyone to take away, it’s this: urgency is a manipulation tactic.
“Your account will be suspended in 24 hours.” “The CEO needs this transferred immediately.” “We need you to verify your login right now or lose access.”
There’s a simple rule:
if something is trying to rush you, it’s probably trying to trick you.
Real platform warnings give you time. Real colleagues can wait five minutes while you verify through a different channel. Real emergencies of this sort are vanishingly rare.
The moment something feels urgent and slightly off, that’s your cue to slow down, not speed up. Pick up the phone. Send a separate message. Check the actual platform directly rather than clicking the link in the email.
I’ve started thinking of it as a simple rule: if it’s trying to rush you, it’s probably trying to trick you.
3. Your suppliers are your problem too
When a freelancer or agency gets compromised, you get compromised.
Think about everyone who has access to your organisation’s digital accounts. The social media freelancer. The design agency. The PR consultant. The developer who set up your website three years ago and still has admin rights because nobody thought to remove them.
Apply the principle of least privilege: give people access to what they need, for as long as they need it, and no more.
Each of those connections is a potential way in. And if something goes wrong through one of their accounts, it’s your organisation’s name in the headlines, not theirs.
It’s worth asking: who has access to what? Do they still need it? What happens when the project ends?
The principle of least privilege sounds very IT, but in practice, it just means that you give people access to what they need, for as long as they need it, and no more.
4. Two-factor authentication is the bare minimum
I know, I know. Everyone bangs on about two-factor authentication. But the reason everyone bangs on about it is because it works, and because a surprising number of people still haven’t turned it on for their work accounts.
If your organisation’s Instagram account only requires a password to access, and that password is shared in a spreadsheet or a Slack channel, you are one successful phishing email away from losing control of it entirely.
Two-factor authentication means that even if someone steals your password, they still can’t get in without your phone. It’s not perfect, but it’s the single most effective thing you can do to protect your accounts.
5. Training isn’t just about prevention, but showing you did what you could
Obviously, the point of cybersecurity training is to prevent incidents. But also, if something does go wrong, you’ll want to show you’d done what you could to avoid it.
If an account gets compromised because someone clicked a dodgy link, the first question will be: did they know not to? Had anyone ever actually told them what to look out for? Or what to do if a mistake slips through?
It’s not about blame. It’s about being able to demonstrate – to your boss, your board, or your insurers – that you’d provided proper guidance and your team had received proper training.
Think of it like a risk assessment or a safeguarding policy. It’s a bit dull. You hope you never need it. But if something does happen, you’ll be very glad you can show you’d done the right thing.
The boring truth
Chances are, if you ever suffer something like this, it won’t have been a sophisticated attack by nation-state hackers. And if you avoid being hacked, it’ll be because you have the right habits, judgment, and confidence to pause and check when something feels wrong.
The good news is that you don’t need to become a security expert. You just need to know what the common threats look like, what good practice actually means in your specific context, and what to do when something goes sideways.
Want some training?
That’s why I’ve been building a course specifically for people in roles like ours – practical, jargon-free, focused on the actual tools and situations that arts marketers are likely to encounter. You even get a certificate to show off.
If that sounds useful, you can find the course here: Cybersecurity for Arts Marketers.
And if you’re quick, you can get it for free using the code ‘CULTURALCONTENT’.
It’s part of the Coach: All Access bundle, which includes training on Google Analytics, Google Ad Grants, Meta Ads, and more (including monthly live sessions).
Great advice for staying safe online. I'll be sharing this with my clients.