Author: DPP

Are we fit for cyberwar? (1 / 3)

Many of the cyberattacks of recent years have been related to the media industry.

1. The Context

A few years ago cybersecurity would probably have been vying with Any Other Business for the bottom position on the agenda of most company board meetings. Now it is guaranteed a place right near the top. A major cyber attack can cost a CEO their job – and shareholders a fortune. And if one lists the most prominent and devastating attacks in recent years, many of them are related to media companies. The danger feels real and present. 

And that’s why almost every media industry conference and publication now devotes time and attention to cybersecurity. This much we all know. But has knowledge brought empowerment? In October 2017 the DPP launched its Committed to Security Programme. The Programme – developed with security professionals drawn from the DPP Membership – is designed to help suppliers demonstrate their commitment to security best practice. The goal is to create a common language for the discussion of security fundamentals in the media industry. As part of its security initiative the DPP, supported by CenturyLink, decided to conduct a health check on the industry’s fitness to fight the war on cybercrime. 

Interviews were conducted with senior executives with direct experience of security issues. They were asked to assess how ready the media industry is to do battle with day to day security threats. Their responses are summarised in this report.

2. Threat Awareness

What’s the Level of Risk

The media sector is now an attractive target for cyber attacks of all kinds – from malicious individuals who enjoy disrupting high profile shows; to organised criminals who are attracted to the value of content; to nation states aware that media is a way of conveying or distorting messages.
None of these threats should be surprising, given the pervasiveness of media in contemporary society. But even if most companies can appreciate the risks at a global level, many still find it difficult to believe they really apply to them.

“Everybody’s thinking that if they don’t own the formula to something as valuable as Coca-Cola, they’re kind of safe. We talk to company boards and they say it all the time: why would they want to come at us?”

The answer is: because it’s so easy.

“I started out as a penetration tester, so I have always seen the opportunities from a hacker’s perspective. And it’s become like the Wild West out there. Fifteen years ago you had to be an incredibly talented coder to write the applications that would really dissect some of the systems. But now you can have a powerful Internet connection and PC, go online for a couple of hours to learn how to use some hacking products and off you go. If you look at the biggest hacks to date, most have just taken advantage of patch releases, or someone opening an email they shouldn’t have, or picking up a USB that’s been planted. It’s not complex. What hackers have been doing is simply understanding and manipulating the human psyche.”

“There’s automated malware that cruises the Internet and looks for the open port on a production person’s laptop and goes ‘well look at this, you’re making a movie for HBO!’ Automated ‘drive by’ malware is killing the small and medium sized businesses that make up the media supply chain. These companies think no one is interested in them – but the only thing saving them is the fact that the hacker is usually busy doing something else. So it’s not that they didn’t get into your production server; you just haven’t been exploited.”

So does this industrialisation of hacking mean that, despite the fact that security experts often talk of the workforce being the weakest link, external threats are greater than those that come from inside?

“The workplace tends to be vulnerable because it’s where most employees are based. And when you look at potential vulnerabilities, people rank pretty high on the list. But the variation and speed with which external attacks are happening is becoming more prevalent.
Breaches from within the workplace are probably the most painful. But the most frequent attacks are coming from the outside. We log fifteen to twenty million separate attacks per day on our platform globally. These attacks are mostly from web applications trying to steal information.”

These kinds of statistics are shocking, and they may make the attempt to remain secure feel daunting – particularly for the non-expert customer. But just because the customer isn’t a security specialist doesn’t mean they shouldn’t be constantly challenging their suppliers to help them be better prepared.

“Tell them to come in and give a briefing on what they’re doing to protect you. Ask them what’s going on with other customers. What’s on the horizon? Then you can make better decisions on your security posture for the future.”

No company can ever be 100% secure; what really matters is the way it responds when it is breached.

“If I had to give one piece of advice it would be to focus on recovering from an attack, because an attack will happen. You have to be able to protect your brand and your reputation. The key thing is to be able to detect what has gone missing, contain it, keep your customers informed and prove that you are committed to security and did your best.”

In a number of recent high profile cyber attacks, the company that was the target of the attack made no public announcement until many months afterwards. It is still a common misconception that the best thing to do in the event of a breach is to keep it to yourself. None of our experts supported this approach.

“With a breach it’s important to be responsive. You don’t wait three months. You have to let your customers know immediately and tell them what you’re doing about it.”

How Does the Media Industry Compare?

In the view of these experts, the media sector has been relatively slow to appreciate the level of risk from cyber attack, in comparison to other industries.

“In the wake of the cyber attack on Sony, we met with major media corporations in New York and we were shocked by how much they knew about their lack of cybersecurity capabilities; and even more shocked that, despite the Sony breach, they weren’t motivated to do anything.”

“There are three phases of market maturity: the reactive phase, proactive phase and preventive phase.”
“The media industry generally is in the reactive phase. It’s just thinking about moving up into the proactive phase.”

A number of experts could see evidence emerging of this more proactive thinking.

“One dynamic we’ve seen in the last 12 to 18 months is a lot of organisations have come to us and said, hey, we’re thinking about either partnering with or acquiring an organisation; can you help us understand their security and the risks we could be taking on? This suggests to me organisations are becoming more aware of the risks posed by their supply chain.”

“We’ve seen a lot of ransomware attacks on production companies, and it’s changed their backup strategies. A lot of companies had file based backup because they couldn’t afford full disaster recovery (DR) solutions. Now our customers are moving to full DR solutions so that in the event of attack they can recover from a virtual server, and aren’t out of business for three days. That’s change.”

The point at which companies begin to understand the importance of security and the need to invest in it is when they realise security is not a technical issue.

“One time one of my guys joked ‘I don’t get it, you always seem to get money from the Chief Finance Officer.’ And I said, ‘well, the reason is I never title my presentation Cybersecurity Vulnerability; I title it How to Minimise Unintended Earnings Volatility. That they understand.’ You have to be able to convert what you do to shareholder value, and the enhancement of customer experience.”

But sometimes the measures required to make staff understand the true nature of the threat need to be more direct. The one sure way to convince people that a security breach really could happen is to make it appear as if it just did – to them, personally.

“Sometimes I get a social engineer to work on my employees, using a fake Linkedin or Facebook account, fake job offers, planted malware, or an actor hired to subvert them. Always works. When it happens to them they get it.”
“Yes. We phish our own employees. We phish them.”

The Porous Supply Chain

The modern media supply chain is a complex ecosystem of different suppliers – all of different sizes and degrees of sophistication. It is a truism that a chain is only as strong as its weakest link; but it’s a truism that makes life especially difficult for major service providers who find themselves trying to hold that chain together. Such providers among our group of experts described themselves as an unwilling ‘point of compromise’ in the supplier ecosystem:

“As a service provider we have requirements from customers, and constraints from technology suppliers, and we sit right in the middle gluing all these different organisations together. We’re rarely in a position to dictate anything. We’re the one that really has to get all of these other guys to collaborate. It’s about understanding how we can enable others to work together as securely as possible.”

Perhaps the biggest frustration expressed by these experts was the way in which some of their customers willfully compromise the integrity of the rest of the supply chain.

“We had one content supplier who said ‘your password policy shall be X’. And they wouldn’t deal with us until we went back to this relatively old fashioned password policy. It’s equally very easy to get stuck with legacy technology that’s been contractually mandated. You end up with something that’s rapidly becoming obsolete, is not patchable but that you have to manage. One reason we’ve enjoyed working with the DPP is because the creation of some centralised standards gives us a little bit more power to say ‘we’ve gone through this industry wide process, so you should trust us.’”
“We’ve got challenges where we have legacy equipment, built ten years ago when cybersecurity wasn’t what it is today. We have customers that tell us we must use such equipment and then when there’s a major cyber threat, they say, ‘oh you can’t patch now, we have to follow this change control process.’ Well the hacker isn’t following a change control process. So I end up speaking to the CEO and saying either you indemnify us, or you let us patch. There’s a chance the patch will take out the platform – but at least we’ll have done it ourselves, and we won’t have been hacked.”

What these stories demonstrate is that it’s important for customers and suppliers to be equally engaged so that if a major attack does happen there is at least a relationship in place. The trust has been established; and if one party says ‘we have to patch right now’ the other trusts them to go on and do it.

“We’re in a world where I would expect my customers to ask me how I am doing security for them – because it’s such a serious issue. It’s now like health and safety. Elsewhere in our business we’ve got high structures, and if we have a contractor who falls off one of those, my CEO can still go to jail. Cybersecurity is the same as health and safety in this day and age.”
