Sunday, February 26, 2023

Using AI for Content Marketing: Early Thoughts and Findings

I write for a living.

I am not now, nor ever will be, any kind of an expert in Artificial Intelligence (AI).

I write ad copy, technical documentation, and scripts for explainer content. I create infographics, edit videos, produce podcasts, and run the full content marketing gamut from social media to PPC advertising. I've been doing this for over 25 years, and I currently work in-house for a well know cybersecurity provider.

Since November last year, my output has changed dramatically; I’ve been using AI tools to support our content marketing efforts.

However, using AI is a bit like editing sound: You put shit in, you get shit out.


AI has come a long way in the last few months. No longer just words of caution from the pen of Heinlein or Gibson, AI can produce high-quality content virtually indistinguishable from that of flesh and blood writers. This is down to how one uses AI and how we create prompts (instructions) rather than a natural ability for AI to write in an approachable way. I hear a lot of people say that AI (I use the new ChatGPTPlus) is instantly recognizable because it talks in a passive voice. There’s an answer to this, as with pretty much all current gripes about AI textual output. Tell it not to.

Here’s an example of the most basic and first prompt I use in ChatGPT for creating text content for work:

“Please act as a B2B copywriter. You will write in a positive and active voice. Your copy will be <brand trait>, <brand trait>, and <brand trait>. It will also be original and innovative. It will be targeted at experienced <target persona> and <target persona>, and should be of genuine value to this audience. It will use terminology with which they are accustomed. Each article or post you write should contain sub-headings of major points, and bulleted lists of sub-points or actions. Please expand on any content with real-world examples and/or citation (as appropriate), providing URLs to further reading if possible. Please write in American English, and finish your writing with a fleuron.”

One can even afford a few affectations: Notice how I always say “please,” just in case it’ll spare me during the AI/robo uprising? I also ask for an indicator that the AI has finished writing because, in longer-form content, it’s necessary to type “please continue” to get past character limits, so I like to clearly know when it's come to an end.

I’d consider this the very basic of prompts and start every new chat with something along these lines. Then I go into what I want the AI to do after giving it its “mode of operation” and voice. “Create me an 800-word blog post worthy of Mordor,” etc. Usually, this will include additional instructions like SEO keywords I want it to cover, topics or solutions I want it to touch on or consider, specific industries I want it to research, or whatever. Yes, I do edit any output - pretty thoroughly. I insert more brand voice, add product value to blog posts on general topics, sprinkle in a bit of appropriate levity, add hyperlinks, further relevant information based on my general topic knowledge, I might play with the tense, add a bit more SEO glitter (if needed), and often whole paragraphs of additional content where the AI has inspired me to do so. I sometimes turn back to ChatGPT to “please expand on <blah>,” “please explain <technical term/concept>,” or “please rewrite this in <blah> number of characters,” and I’ll always fact-check any references, technical output, or legal standards that it provides. AI has become my collaborator and writing partner, and (right now) that's definitely the way to get the best results. If you’d like to see more prompts like the one above, I heartily recommend the splendid work of Maximilian Vogel, and there's tonnes of stuff on GitHub (including prompts for writing code, etc.). Remember, any copywriter won’t be able to give you what you want if the brief is poor, so learn how to prompt before you expect usable results. You can dip into anything written on the TrueFort blog since January to see some examples.

Also, try things like “Optimize <sentence> to 75 characters to use as a LinkedIn ad description,” "Please give me some ideas for blog posts targeted at <persona>, discussing their most important professional concerns,” or once it already has your traits and targets (and maybe even existing sample messaging) “Please create six attention-grabbing call-to-action messages, and buttons, for a landing page on <blah> where we want visitors to <action>." The functionality is only limited by your input. Even if it’s not immediately what you’re looking for, I guarantee some of the output will be a catalyst for other ideas. Seriously - go play - the basics are free, and my new “Plus” plan is only $20pcm. Plus is available during peak traffic (which seems to be all the time of late), has a much faster response speed, and I get priority access to new versions and features.

I’ve started using it in other ways to help my day-to-day, such as asking it to summarize a page of web content or “Please rewrite <text, or even a URL> in a more accessible or more targeted way.” I’d estimate that using ChatGPT is already saving me around two hours every day, and that’s valuable time I need to get my job done. As anyone in content marketing will testify, short of time travel or cloning, there can never be enough hours in the day. If the ROI of using a tool like this has a productivity saving of two or more hours on a writing day, and you show that ROI and the optimized output to your CMO, I guarantee they’ll find 20 bucks a month in their budget. Mine did.

In support of any output, I also run everything through Grammarly. Mainly to check I’m using American spelling (which doesn’t always come naturally) as I go along, and to check for duplicate online content for SEO purposes.

Already, I’m more inclined to use ChatGPT as a point of reference rather than Google, as I can ask it specific questions about, for example, controlling lateral movement and adopting zero trust best practices, rather than rely on Google pulling back other people's marketing content or, more annoyingly, my own. I’ve actually added a simple web link to my iPhone home screen.


Again, check out our blog. Every single header image (since November) has been generated with MidJourney

This text-to-picture artificial intelligence service empowers users to create art, from (virtually) photo-realistic to the work of Hieronymus Bosch, based on text descriptions. It’s far from intuitive to use, with a plethora of optional fields and seemingly zero instruction manual. It also uses Discord as an interface, so it’s all new unless you’re fourteen years old or an online gamer (which, thankfully, I am). I dipped into MidJourney a while ago to generate images for our online D&D games but soon ran out of the credits needed to make more artwork. A small investment, however, has meant my VTT players now have the perfect graphical representation of who or what I’m thinking.

More recently, I've begun to use this for work.

Putting this in the context of ROI again, MidJourney is $8 a month and takes me 30 seconds to get what I need (content, aspect ratio, angle, depth of field, etc.). In contrast, Shutterstock is $19 a month, takes at least 20 minutes to find what I need, and that will invariably be a compromise. UnSplash and Pixabay have limited assets - and are even worse time vampires. MidJourney is the very definition of disruptive innovation.

For the imagery on our blog, I augment the results with Photoshop to get that distinctive duotone that is our ongoing brand style, but otherwise, the output is perfect. We use a lot of perspectives and patterns in our imagery, and it replicates and topic in this style seamlessly. I’ve also used it in other ways, such as asking for suggestions for convention badges and custom art for mood boards (after uploading our logo and existing brand imagery) or asking it to suggest layouts for infographics.

Learning how to prompt isn’t immediately intuitive, and at first, I had to trawl around forums and communities, hoping someone would throw me a bone. I found the work of Lars Nielsen, Kris Kashtanova, and Guy Parsons very helpful. MidJourney will also test your visual chops above and beyond the subject matter itself, and I've found that my experience with photography, graphic design, and film work has helped a lot in creating prompts. It responds best to camera directions (symmetrical, low-angle, full-body shot, cinematic still shot, etc.), art movements (minimalist, film-noir, brutalist, pop art, etc.), F/stops, lighting types, and styles of photography (landscape, underwater, tilt-shift, still life, etc.). It even responds to prompts detailing the different types of camera you want to replicate (Nikon D850, disposable camera, Polaroid, Canon EOS R, etc.) with added lens types (telephoto, wide-angle, 85mm, neutral density filter, etc.). You also try directors in the prompt, such as “in the style of Sergio Leone” or “in the style of Wong Kar Wai” for that elusive mise-en-scène, so that quinquennial paying off loans from film school might have been worth it after all.


AI video is still in its infancy, but it’ll probably be as early as 2024 when we start to see script-to-explainer video content hit the market. Text to AI-voice and AI audio leveling/editing are already commonplace. I expect us to see a lot of content support-specific AIs turning up in the next few months as the industry realizes the potential and the developers who were victims in the recent spate of Silicon Valley redundancies get to grips with the associated APIs. Expect a crop of low-budget filler, but watch out for the unexpected coming from home developers - building their own Jarvis on any old skip-scrounged kit that’ll run Python. 

Also, expect some serious low-quality copy and a fall in news standards in the form of “black hat journalism.” It’s a simple matter of linking a few APIs to automatically write and publish magazine-style content to a cobbled-together portal for skimming off those referral link dollars. Without good prompting and some appropriate manual editing, we’re going to see some mediocre bollocks that’ll put a black mark on AI's journalistic copybook - and the real press will (justifiably) rush to point fingers and scoff.

Quality content is king. Google has already made a statement about this, but clearly says it has no problem with AI if the copy is of genuine value and will “reward high-quality content, however it is produced.”

Nation-state bad actors and hacktivist are going to ride ChatGPT like a pony, all the way down the misinformation highway to QAnonville. Now anyone can write copy and code, at volume, and the code side of AI functionality is bound to grow even faster as code writes codes. Brace for automated factual disruption on a Brobdingnagian scale. Throw in a couple of Deepfakes, and the 2024 US election is going to be a disinformation masterclass.

Obligatory call to action

Honestly, I think our industry needs to get on board, or we’ll be left on the dock.

I’m not saying human-generated content is dead, far from it, but a human/AI collaboration in a business environment feels productive, and creative, and it’s already happening.

We should look at AI now and consider how it can make what we do more efficient. It’s the copywriters, PR peeps, and content creators who don’t take an interest and don’t integrate AI into their workloads who will find themselves on the sidelines in favor of the people who do. I have a couple of extra hours of additional capacity a day because I know how to use the tools; why would you give my job to someone who doesn’t? Have we reached the point where we should be sharing the by-line with an AI? No, not yet, but I bet we're only a year away from Elon trying to charge us for a tick to prove we're flesh and blood. Expect "prompting" (or whatever they'll call it) to become a part of media courses in the very near future, but those joining University courses in '23 may well be training for jobs that won't exist when they graduate. Things are moving fast, the ball is already rolling, and we can’t stand by like print journalism once did, denying the inevitable.

Monday, August 30, 2021

The Post-Brexit Future of UK Digital Data Standards and GDPR.

I spend a lot of time researching and writing about cybersecurity and the digital landscape. It's become increasingly apparent that, in the aftermath of Brexit, the UK is embarking upon interesting and challenging times regarding data security. 

Compliance, in particular, will be a key issue in the months to come. In June 2021 the UK was awarded two adequacy decisions - one under the
General Data Protection Regulation (GDPR) and the other with reference to the EU Law Enforcement Directive. These decisions allow for the free flow of personal data to and from the European Union and the UK. Further, the UK currently benefits from an (essentially) equivalent level of protection to that which is guaranteed under EU law. In light of this, the UK must be cautious regarding any changes to its current data regime in order to avoid disrupting the EU-UK adequacy decision (if it wishes to maintain the benefits of this status in the future). The EU’s official approval of the UK’s data standards is vital for many businesses that operate across borders (notably in Ireland/Northern Ireland) and around the world, where the frictionless movement of personal data is critical to international trade and operations.

In a recent announcement regarding the UK government’s plans to reform its data laws, Oliver Dowden CBE (currently serving as Secretary of State for my old employer the Dept. of Digital, Culture, Media, and Sport) stated, “It means reforming our own data laws so that they’re based on common sense, not box-ticking”, and that the UK will aim to reduce “unnecessary barriers and burdens” to sharing data with non-EU countries, including the United States and South Korea. As a part of its digital renovation, the UK has further confirmed plans to boost the legal status of digital identities - to make them as widely recognized as driver’s licenses and bank statements.

In reply, EU Commission spokesperson for Rule of Law, Christian Wigand, commented that the EU will be closely monitoring any changes in UK data law, adding that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.”

The UK government has further made it known that it is conducting a public consultation on its new, post-Brexit, data protection practices. Whether this will mean that England, Scotland, Wales, and Northern Ireland might move away from the UK General Data Protection Regulation is currently unclear, though many other countries appear keen to follow the basic principles of EU GDPR as a framework for data standards in order to facilitate the flow of international business data. Oliver Dowden, on behalf of the UK government, has further announced that their preferred candidate for future Information Commissioner, head of the UK data protection regulator, will be John Edwards, who is currently Privacy Commissioner (OPC) for New Zealand, a country that also holds a working adequacy decision with the EU - possibly implying a wary approach to ongoing adequacy compliance.

There will certainly be a balance to be achieved if the UK wishes to maintain business and consumer trust, on which the growth of their post-Brexit digital economy will depend, and if they also wish to be seen to cater to some of the more flexible and emerging digital markets. For now, things will remain as they are, but it's part of my job to keep a very close eye on developments and I'll report and react accordingly. Watch this space.

Sunday, July 11, 2021

Ransomware: To pay or not to pay?

If your company is the victim of a ransomware attack, should you pay your attacker? This one caused a bit of controversy when I wrote this for work, so I'm posting it here under the umbrella of "my personal opinion - on your own head be your final choice in this matter - don't sue me."

This isn’t an easy question to answer. It’s one thing to say “No, never pay a ransom”, but it’s another thing entirely to stare at the flashing lights of a data encryption hijack, with no immediate way of recovering essential data and your payment records and invoicing system crippled by malware. People do pay the ransom to release their files, but should they?

In July 2020 the US business travel management company CWT Global handed over an impressive US$4.5 million in bitcoin during a ransomware attack – setting a new ransomware payment record. Not really the sort of claim to fame that a company wants.

Reasons not to pay.

In October 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory that paying ransomware ransom is now illegal, and people and companies can be fined for making payments to sanctioned hackers. Many other international law-enforcement agencies are considering similar actions, and are encouraging victims not to pay. Paying ransoms, however, is still technically not illegal in most of the world. So far we’ve not seen any evidence of enforcement of the advisory, but watch this space - It’s going to be tricky to explain to the IRS why you had to spend US$220,000 on bitcoin and where it went.

Paying a ransom encourages criminals into further criminal activity. Crime only pays if the victims pay. The more companies and individuals who pay, the more it encourages new black-hat hackers to enter the ransomware arena and launch attacks against other companies – or even a repeat attack against your company. If victims stand together and don’t pay, bad actors have no recourse other than to pack up their laptops and shuffle back to their dark web newsgroups. Is it better PR to stand firm and refuse to be bullied, standing with your fellow victims and promoting ransomware prevention best practices, than to look weak by paying for a company mistake? Very probably, and you don’t want to be seen as a target for other malware in the future.

It’s estimated that last year, over half of ransomware victims paid the ransom to restore access to their data. If your data is encrypted, the only way to reset the clock is with the hackers’ decryption key. It’s further estimated that around 20% of these people never heard anything else from their ransomers and their data stayed locked without them receiving any unlock code – essentially paying for nothing. While the percentage of organizations that recovered their data has increased, from 49% to 72% over the last 3 years [Cybersdefence Report, 2021], black hat hackers and the systems they use aren’t to be trusted. There is no guarantee of getting your data back. Hackers have also been known to further leak sensitive data for further financial rewards, regardless of payment.

Prevention is better than cure.

The average ransomware payment increased by 43% this year, to approximately US$220,000, and a company is hit by a ransomware attack every 11 seconds. There are a few cost-effective areas of preventative action that can be taken.

54% of all ransomware breaches begin with a phishing email. Digitally screen all mail, but also educate yourself and train your team on the different tactics behind a phishing attack. There are many ways hackers might attempt to fool your staff into granting them access to your network. Try running an internal simulated phishing attack across your company to get stakeholders familiar with your reporting processes and the sort of attacks they might see. Check my article, here, on how to do so. Discourage staff from visiting unapproved websites, and physically block staff from sites that have the potential to distribute malware.

Do you have a tried and tested disaster recovery plan? You should. Ransomware attacks should only be a part of this. What would you do if the phones went down? If you had a flood in the building? Or if your website was hacked? Your team needs to know the plan, who needs to do what, and what they need to do. Make sure stakeholders have a printed copy of this – there’s no point in having an encrypted disaster recovery plan in the event of a ransomware demand.

What do you do on Tuesdays? You patch. A regular and thorough software/OS patch management routine is important preventative maintenance critical for keeping machines up-to-date, stable, and safe from malware and other threats. ABP:
Always Be Patching. 

It's good practice for IT departments to back up company data regularly and securely, off-site. While this is by no means guaranteed, as some ransomware software has been seen to attack even (supposedly air-gapped) backed up files, it can be a help in some cases – though probably not for long as bots get more savvy and bad actors to have the time and resources to develop more sophisticated programs. Coding elements for following data to its backup resources are available for purchase on the dark web, and the black hat hacker community is not to be underestimated.

Install an anti-virus or web application firewall (WAF), Intrusion Prevention / Intrusion Detection Systems (IPS/IDS), and other controls to prevent ransomware from communicating with Command & Control centers. Cyber attackers “will penetrate the organization’s network and stay for months, sometimes years” prior to encryption, and this is the time they are vulnerable to detection and where you can prevent an attack before it happens. Also, invest in runtime application self-protection (RASP) to have protection against those known and zero-day attacks that patching may miss. Protecting with 2FA can also bolster your security posture.

Save time, stress, and tens of thousands of dollars

An attack at some point is statistically inevitable, with an all-time high of 69% of organizations having been victimized by ransomware in 2021, so spend a fraction of what you could lose on preventative measures and not on paying criminals. A small investment in time, effort, and funds right now are better than chaos later.

Tuesday, May 04, 2021

Hacking the Death Star: Imperial Cybersecurity 101.

Jokes about brute ‘Force‘ attacks aside, if we were rebel scum how would we hack the galaxies’ most secure data centre?

Today is May 4th, the traditional day for celebrating one of the greatest franchises in movie history. As such, and having a geek streak a parsec wide, we thought (at work) that it’d be fun to set ourselves a challenge. I'm an avid and weekly Star Wars RP player (Savage Worlds system - Pew Pew), so how could we plan and execute an attack against The Death Star, the galaxies’ premier evil planetoid and residential superlaser? Not wanting to get in hassle for publishing this on a company website - cease-and-desist from Disney is never a good way to start the month - I'm publishing it here.

To begin with, we’ve got to exercise our geek muscles and actually look at the Star Wars universe for clues. Hacking is known as ‘slicing’ in the Star Wars universe. Yes, I'm going to do this properly and take this way too seriously.

If there’s one thing that the films Rogue One, New Hope, and RotJ taught us, it’s that Imperial files are woefully unencrypted. No 2FA, no 32-bit encryption, just sitting there on a data stick waiting to get left on a seat in a cantina or on the number 13 transport. The files themselves aren’t going to be a problem. There’s no wi-fi in the Star Wars universe – a concept unimaginable to Mr. Lucas in 1977. Secure messages are run around the Death Star corridors by toaster-looking robots (MSE-series ‘mouse’ droids) and held on ‘code cylinders’ peeking from the top pockets of classically-trained English actors. 

Datacards store and transfer data to and from datapads in the same way floppy disks and USB flash drives are/were used with computers – R2-D2 carried a Datacard with the first Death Star plans on it, given to him by Leia Solo (née: Organa, actually née Leia Amidala Skywalker) at the Battle of Tatooine.

DataCore’s are repositories of bulk information, but there appears to be little connection to them from the outside world – and as such may be air-gapped and therefore the most ‘secure’ element of the Imperial data security policy (though criminally inaccessible to off-site teams). The only cloud in which the Empire work is probably Bespin.

Data can be transmitted, however, to a ship in orbit or to another secure location – though this seems to require aligning transmission dishes, further family appropriate drama, and considerable personal sacrifice that’s best avoided.

There is also the HoloNet, as mentioned in Clone Wars and featured in SW Rebels, which appears to be an Imperial controlled broadcast network that also lets citizens look up information akin to Wikipedia and with websites, etc.

Apart from ‘radio’ communications and transmissions, it appears that everything requires physically plugging into a wall socket. It’s all quite primitive, actually, and does seem to leave the Empire prone to any Datacard or grubby R2-unit with a virus on it.

Now that we’ve set the scene we can lay out a plan, hopefully without the untimely demise of too many Bothans, using the knowledge of cybersecurity (edge, application and data) that I've crammed into my brain as ongoing writer and content creator for one of the world's largest cybersecurity providers.


Most Imperial staff aren’t the sharpest tools in the woodshed. Stormtroopers, the foot soldiers of the Galactic Empire, even less so. Transmitting a ‘secure’ message containing malicious code, waiting for an unsuspecting Imperial trooper to click on the latest specs in an advert for the BT-16 perimeter droid - they say it's quite a thing to see - seems a solid approach to introduce malicious code into the network: “Send us 20,000 Galactic Credits to unlock your files and data!” If only The Empire had anti-phishing training as part of their HR policy.

Imperial offices seem to have a substantially higher IQ, though the path to career progression seems somewhat unforgiving. We can, however, assume that the most intelligent, shrewd, and (possibly) security-conscious make it to Moff without being shot by the plucky proletariat or choked to death by their line manager.

These officers are better trained and unlikely to click on phishing emails. It’s possible any attack could come from within, however. Disgruntled or previous employees, perhaps now seeing the error of their ways, with legacy security codes (”It’s an older code, but it checks out”) and with default access to parts of the DataCore that may contain information inappropriate for their access level. It would be simple for such individuals to leave with classified documents (Mon Mothma herself was a former Galactic Republic Senator) or sabotage important data (like Galen Erso in Rogue One). If only The Empire had data risk analytics.

In any large organization, it’s likely that developers will use 3rd-party code, especially when on a tight deadline like the building of the second Death Star. Sometimes this leaves security teams out-of-the-loop and leaves a blind spot, making it hard for Imperial Security Officers to monitor all dependencies. It’s likely that Imperial dev teams will utilize reusable software components, developed to be either freely distributed or sold by an entity other than the original (Genosian) vendor, to design the likes of landing bay forcefield controls or even planetoid propulsion systems. This means there may be code making calls outside of the secure network – which is a nightmare for regulatory compliance and for possible interference from malicious Rebellion clients. If only The Empire had runtime self-protection. 

Malicious code can do anything any other program can do, like writing a warning message on a screen, stopping a trash compactor program from running, setting off a claxon, or making millions of voices suddenly cry out in terror as their planet is evaporated… Without database security, it may be possible to piggyback malicious code on, for example, supply chain code or outdated security cyphers from a Lambda Shuttle requiring permission to enter the atmosphere of the forest moon of Endor. It may be introduced by an inquisitive Astromech droid, recently arrived from some back-water hive of scum and villainy, careless about where they put their malicious dongle. Malicious code could go undetected on infected Imperial systems, quietly monitoring applications and any outbound connections. Once critical information is stolen, such as personnel information, plans, or passwords, the information could then be transmitted to any attacking ground force (for example).

We can safely assume that the Death Star has a HoloNet presence, for propaganda (and possible recruitment) purposes at least - perhaps with a contractor login area. If it doesn’t it’s a tragically missed opportunity by the Galactic Empire Public Relations department (yes, that’s actually a thing). If it does then it’s going to be a prime target for attack by Rebellion slicers, who could easily use a denial of service attack - utilizing the thousands of droids, vehicles, and apps out there in the Star Wars universe to bombard the Death Star HoloNet pages with thousands of requests. This would overload the HoloNet site, crashing it or making it run slowly so that it becomes unusable and ruins the experience for normal citizens. A bit of DDoS protection wouldn't go amiss here.

One can assume the Empire has a backup plan in place against any malicious attack – unlike the Jedi who managed to lose an entire planet and appear to have no alternative storage or rollback capability. Regardless, any of the above assaults would make for unwanted disruption and embarrassment, legal issues, downtime, and a very angry Sith Lord that could be easily avoided with the right precautions. We had a lot of fun writing this.

Here’s wishing you and yours a very happy May 4th. May the odds be in your favour and may the Force be with you. Always.

Big thanks to Imperva for letting me write this in work time.

Monday, March 01, 2021

The Current State of Play

This blog has become like a bidet - seldom used, and when it is used it's not for the purpose it was intended. Life in Ireland, despite Covid, has become busy. For the past 4-months I've been power-learning a new subject: Cybersecurity.

If you follow me on Twitter you'll know that I'm somewhat password paranoid, having spent an evening at the start of Lockdown 1 investigating the fringes of the Dark Web and having found my own email address and password for sale c/o a hack on my domain name provider. Sobering.

I now work for a cybersecurity software firm full time as Content Marketing Manager. This isn't a product-specific role (application security, cloud, bot, edge, whatever) like the bulk of our marketing team, but rather about creating graphical, written, video and audio content for our sales teams, customers, prospects and campaigns. This includes brand and content strategy, including social, obviously. It's interesting, uses my full skillset, and right up my street.

It's a steep product learning curve, but it's a ground-breaking company with an excellent product offering. Our new UK offices are based in Belfast, but I'm working from home in Omagh right now and the 'new normal' means location isn't a factor any more. My colleagues are awesome and it's solid and stable stuff, which counts for a lot these days. I'm feelin' like I'll be happy here indefinitely.

Northern Ireland is being very kind to me and I've no plans to return to England. I'm house hunting around Gortin, Omagh and Newtownstewart, in Co. Tyrone, for something I can turn into an AirBnB or B&B in my dotage. Fingers crossed, pending surveys and mortgage shenanigans, I hope to be in somewhere by late-spring. 

My sweary Who fan podcast has had a revival, which has been fun. VTT games have replaced table-top, such is the way of things, but I'm still playing and reffing a couple of nights a week. It's a social luxury I know many people don't have and I'm always grateful for the company of good friends - back to back against the darkness. Not a lot of space here for model-making and painting, but I hope to resolve that when I move. There are other projects in the works.

No promises on any regular blog updates - life is busy. Time to shed a few Covid inches, brush up on my Premiere Pro, and embrace the DIY.

Wednesday, September 23, 2020

How to use Google Shopping to get Local Sales.

Google changed the game today, making its Google Shopping tool the daddy for retail SMEs and businesses selling locally.

When people search for things these are the pictures that appear at the top of the search results and link through to retailers sites and points of purchase. Google Shopping compares prices, etc., but now it also adds local retailers on a map and highlights who's closest to you.

Searchers can navigate to the Shopping tab, click the 'nearby' filter, and voila. They can also, and this is a far more common way of searching, add the phrase “near me” or “nearby” after whatever it is they're looking for and get localised 'crap on a map'. Brilliant for mobile searches and more and more important in modern times when people are shopping more and more locally and provenance and 'food miles' are more valued by future customers.

This is great, but actually getting your products onto Google Shopping just got super important and it's a bit of a hidden art. Here's how to get your business up and running in a few easy steps, with just an afternoon of playing in Photoshop and fiddling with your product data (depending on how many products you've got, obviously).

Step 1 - Join Google Merchant Centre.

Adding products and the whole process is done here. It's actually a pretty simple interface and this is where you add your products. Managing shopping campaigns is done through Google Ads, because they want your ad dollars, but more on that in due course.

Step 2 - It's all about the visuals, and I really can't stress this enough. Have nice imagery or die trying. Google Shopping is a visual experience, like Pinterest for bargain hunters, and this is what's going to make your artisan bath products, widgets and spares, Danish home office furniture, local history DVDs, value veg boxes, or reproduction whatever stand out from the crowd.

Google Shopping uses the images on your website to 'create' listings, so it's these images that you need to fluff appropriately for the platform. Google has it's own image guidelines which are well worth following - give them what they want, Google knows best. You will have to consider this during photography as well. A basic guide is:

  • Use even and clear lighting. For small stuff, you should probably invest in a light tent and a couple of teeny spots. They're buttons on eBay and some traders offer custom kits just for this purpose. A YouTube video later you'll have all the skills you need to use it properly.
  • If it's something like clothing show it in situ. People buy clothes more if they see them 'on body'.
  • Avoid overly complicated and madly coloured backgrounds. Go for white, plain grey or anything light. Keeping the product up-front and clear makes Google happy.
  • Show what you're selling at the right scale - it should be around 90% to 75% of the total image. You're not selling set dressing. Keep the product dominant.
  • No major image additions like watermarks, dissolves, blur, fancy frilly borders or whatever. Keep it super simple.

Step 3 - Set up your feeds.

With everything ready to rock it's time to get busy with Google Merchant Centre.

Next, click on Products > Feeds, and then on the blue “+” icon. Add your country and native language so that Google knows which initial demographics are going to see your wares. There's no point me going over all the particulars of how to do this when so many others already have - Google itself has a really good section on this, here. Just make sure all your input fields are full.

Step 4 - Link this account to your Google adword account.

Yes, they want your money. Google Shopping, like liberty, is not free.

At the top right-hand corner in your Mechant centre click on the three vertical dots, then click 'Account linking'. If you've not got an AdWords account, you can make one from here. If you have,  click on 'Link account' and enter AdWords customer ID. If you need to know where this is sign in to your Google Ads account then click the help icon at the top right corner - you'll find your 'Customer ID' at the bottom of the menu. Sorted.

Step 5 - Create a campaign.

In your Merchant Center account you should then be able to click on 'Create Shopping Campaign'.

Give it a campaign name, a location and daily budget. When you press 'Create' you’ll be asked to carry on via your Google AdWords. You can also do this directly in AdWords if you like, just open your Campaigns tab (on the left) and click that blue “+” icon, than pick 'New campaign'.

Again, Google has a really painless how-to on the topic, here, which will save me waxing lyrical.

Step 6 - Place some bids on your Shoping campaign.

In settings, you’re asked to select a bidding strategy and set a campaign budget. Go on. Spend some money. Google has a Bid Simulator Tool that's actually quite a lot of help here, and shows how any changes will impact on your ad performance. This gets pretty involved when you're trying to get the best bang for your buck, but there's some good tips here.

Step 7 - Targeting and scheduling.

More important stuff. Pick the places you want your ad to target, but be sure to only target places you ship to or where you're actually located.

You can change the Target and Exclude settings under 'Under Location', but the default's usually good enough. This going to be especially important for the new map settings to get folks ready to come in-store to pick up that bargain today.

Next set the start and end dates of the campaign. Rocket science it ain't. 

Step 8 - Create Ad Groups.

The final step is to create campaign ad groups. It's these that determine what sort of ads are going to be run and how you’ll organise the bids for them.

There's a couple of types - Showcase Shopping (multiple items as part of a sort of catalogue style ad that showcases your overall business, working on cost per engagement) and Product Shopping ads (for a single product, working on cost per click).

Click 'Save' and you've made your first ad. It's actually surprisingly simple.

It takes a bit of time and fiddling to get the best out of Google Shopping, but it's well worth the effort if you ahev a sutable product type - especially now it's local. The Ads work connect sellers and buyers in a unique and efficient way, right at the top of the search results if your bid is strong enough. It's compaetative, but a good solid place for ad spend dollare, especially now it's rolled out it's new map functionality.

I recommend having a play. Highly. There's a tonne of Google Shopping tutorials out there, especially on YouTube, and rally no need to seek a pro-tool or agency help.