Elad Shapira provides valuable guidance on how media companies can feel more secure about their cybersecurity.
It’s not surprising that media companies aren’t confident about their security levels. In fact, media companies are an ongoing target – be it by political activists, nation states (as in the cases of attacks against The NY Times and Sony Pictures), or even just hackers trying to leverage their skills to make money from the content they steal (as in the case of Netflix). Even the video-gaming industry is a target, as Steam has publicly acknowledged in the past.
To increase their security confidence level, media companies need to follow these steps:
1. Discover assets. Sometimes it may just be that an employee fired up a server to upload certain content for testing, not considering how to secure the server. In another scenario, there might a long forgotten, not updated or patched online server.
2. Map and prioritize the business impact of assets. Not all assets are created equal. An online release of a video prior to its debut screening may create reputational and financial damage to a company. Credit card details of subscribers are under regulatory control. Each company needs to consider its assets and their business effect on the company.
3. Place safety measures around these assets. Safety measures should span various levels, including network and IT (say, to prevent a DDoS attack) and the application (e.g., to avoid hacking to gamer accounts). It’s important to even consider the human aspects; for example, avoiding the case of a disgruntled employee exposing sensitive and proprietary data.
4. Create an incident response plan. This is not just a technological approach, but a step that must also involve various teams and processes. In case of an attack against the company, there should be an advanced and thought-out plan to handle the attack. The security team needs to investigate the alerts and reach the technological origin of the attack. The IT team needs to help restore any lost content or back up new data. The PR legal teams need to enter “crisis management” mode and be ready to respond.
5. Continuously monitor the assets. It’s not enough to simply put in place security measures and then just forget their existence. Company assets need to be continuously monitored – to ensure that the servers are continually hardened, that vulnerabilities are patched in a timely manner, security tools are correctly configured and that no asset is mistakenly and suddenly revealed on the Internet. With each change to the security posture of the company, the security team should be alerted and be able to deal with it according to the incident response plan they put in place.
6. Don’t forget the suppliers! Throughout all the steps, it must be assumed that the company’s assets include the company’s suppliers. For example, the company’s legal firm holds information regarding an upcoming acquisition or M&A; the PR firm holds information regarding the upcoming release of a movie; contractors may have advance access to the cover page of the next released magazine; or an outsourcing video production rendering company holds the source code to the latest animated film. All these suppliers pose a financial and reputational risk to the media company. As with previous steps, the company needs to determine the business risk that the supplier poses to the company and take the right measures to continuously reduce that risk. Such measures may include monitoring and restricting suppliers' access to a need-to-know and when-to-know basis, demanding endpoint protection on contractor’s devices, and even requesting background checks for highly sensitive contractors.