Worst Practices in Cybersecurity

Three Things Every News Media Executive Needs to Know

News media websites continue to be prime targets for cyber-attacks. Earlier this month, The Washington Post’s mobile site was hacked by a group claiming to be part of the Syrian Electronic Army. The attack lasted about 30 minutes, and visitors to some section fronts saw messages that said “The media is always lying” before being redirected to a Syrian Electronic Army website.

Last month, cyber-terrorists attacked Al Ittihad, the website of the oldest newspaper in the United Arab Emirates. In February, the website of The Suburban, a weekly English-language Montreal newspaper was hacked. A few days later, The Jewish Press, an independent website and weekly newspaper in New York was also hacked. In September of last year, Politica Estadao, a Brazilian political newspaper website was compromised with a vicious malware attack. And, for half a day in August 2013, the New York Times and The Washington Post websites were brought down again by the Syrian Electronic Army, a group claiming to support the regime of Syrian President Bashar al-Assad.

The problem is global, it’s pervasive, and it’s impacting media companies large and small.

Yet, in a recent RAM (Research and Analysis of Media) survey conducted at the 2015 International News Media Association World Congress, cybersecurity was not mentioned once as an “Absolutely Critical Priority” or even as a “Very Important Issue” by any of the 285 news media executives surveyed.

Worst Practice #1: Underestimating the importance of cybersecurity for news media companies

According to a global PwC study, the number of detected cyber-attacks rose 48 percent between 2013 and 2014, a figure that grew steadily in 2015, with more than 100,000 breaches taking place every day.

The problem is especially acute in industries like ours. Earlier this year, a Joint Intelligence Bulletin of the FBI and the Department of Homeland Security warned, “The hackers who infiltrated Sony Pictures Entertainment’s computer servers have threatened to attack an American news media organization … The threat against the unnamed news organization by the Guardians of Peace may extend to other such organizations in the near future.”

Worst Practice #2: Assuming your firewall, ISP, data center, or hosting provider will automatically protect you from cyber-attacks

News media companies are especially vulnerable to Distributed Denial of Service (DDoS) attacks. A DDoS is an attack involving tens, hundreds or thousands of infected computers – called botnets – that concurrently overwhelm a company’s servers and stop legitimate users from being able to access online applications.

A 2014 Survey of Global IT Security Risks conducted by international software research group Kaspersky Lab found that 42% of media companies around the world experienced some form of DDoS attack in the last 12 months. The same study found that only 38% of media companies surveyed were actively taking DDoS countermeasures.

Cyber-attackers are using DDoS to target corporate media enterprises, hosting providers, and Internet service providers. These attacks are becoming more sophisticated every day. Not only are attackers using brute force DDoS breaches, but they have also started to implement more adaptive methods to generate a second or third attack designed to circumvent the protections a company already has in place. Therefore, it is imperative for media companies and their hosting partners to consider additional levels of DDoS protection, such as the Corero SmartWall Appliance used by organizations like Digital First Media and the Journal Register Company, as well as other DDoS defense architectures from Radware, Arbor or Juniper Networks.

Worst Practice #3: Not making cybersecurity part of your corporate culture

Many media companies – and companies of all sizes in all industries – are beginning to implement security programs that guard against threats from hacktivists, cyber-terrorists, and other external sources. However, these same companies often fail to provide adequate protection against internal vulnerabilities – namely, employees, contractors, contributors, agency representatives, etc.

A 2015 Grant Thornton report on cybersecurity for digital media companies found that, “Most companies fail to instill cybersecurity into their corporate cultures, reinforcing the notion that information protection must be everyone’s responsibility. After all, data security at your company is only as strong as the weakest link in the chain.”

Common sources of internal breaches can include malware on an employee’s laptop; a hacker taking advantage of a weak password; or a watering hole attack, where a hacker places malicious software on a trusted website regularly visited by employees (e.g. a local restaurant site or municipal community page.)

Internal vulnerabilities can also result from less-than-strict coding practices, for instance, when a web developer installs a susceptible open source plug-in for a website project. Even the seemingly innocent task of leaving a desktop computer logged in and unattended can expose a company’s network to cyber-attacks.

“Everyone at a digital media company should be involved in the cybersecurity effort,” says the Grant Thornton report. “Cybersecurity responsibility should be clearly defined across the organization, with each department understanding its responsibility and having been trained accordingly.”

As cyber-attacks continue to grow in scale and become more frequent, news media companies need to take every measure possible to guard against – and mitigate the risks from – those who seek to silence their voices through online disruptions and denials of service. Cybersecurity is a war best fought through vigilance, training, technology, auditing, processes, controls, and governance. And, to be successful, it must become everyone’s responsibility.

To learn more about Newscycle’s breakthrough cloud hosting solution, which includes industry-leading cybersecurity controls, SOC1 and SOC2 auditing reports, annual KPMG auditing, and other features designed to protect your mission-critical media environment, please download our free whitepaper,

2017-03-27T14:42:50+00:00June 3rd, 2015|Blog: Cloud, Blog: Content|