This article originally appeared in Security Intelligence on September 11, 2018.
While many industries have matured their cybersecurity strategy and policy as the digital landscape has evolved, others — such as media companies — remain unsure how to advance.
With more consumers relying on the internet for their entertainment and information consumption, media enterprises are tasked with providing a flawless user experience and continuous content delivery. But the industry is prey to a growing number of predators. As a result, a recent Akamai study titled “The State of Media Security” found that only 1 percent of media companies are “very confident” with their cybersecurity efforts.
Collaborate with direct and indirect third parties. Websites have an average of 140 third parties who execute anywhere from 50 to 95 percent of their code. Most website owners only know, at most, half of the third parties with whom they do business.
What Challenges Do Media Companies Face?
The threat of a distributed denial-of-service (DDoS) attack, which could slow services or result in downtime, is only one of the many security challenges media companies face. Also of concern is the potential for malicious actors to steal content or breach systems and access customer networks.
“It’s not surprising that media companies aren’t confident about their security levels,” said Elad Shapira, head of research at Panorays. “They are an ongoing target, whether by political activists or nation states … Then there are those hackers just trying to leverage their skills to make money from the content they steal.”
SQL injections, Domain Name System (DNS) attacks, content pirating and DDoS attacks are among the greatest threats to the media industry. The dynamic nature of the digital ecosystem, where digital partners can change by the day, enables bad actors to optimize the reach of their malicious campaigns.
“Media organizations in particular should be afraid of their heavily trafficked digital assets, which not only serve as touch points to prospects and customers, but also provide entry points to bad actors,” said Chris Olson, CEO of The Media Trust. “These miscreants often target third-party code providers and digital advertising partners, who tend to have weaker security measures in place.”
In the past, security discussions at media companies focused largely on piracy, said Shane Keats, director of global industry strategy, media and entertainment at Akamai. It’s now incumbent upon media companies to recognize that security has extended far beyond digital rights management.
Why Do Cybercriminals Target Media Companies?
Cybercriminals rarely discriminate when it comes to their targets — which means that in the eyes of a criminal, media companies look an awful lot like retailers and banks.
“With the rise of subscription-based monetization, media companies are now increasingly capturing personally identifiable information (PII) and payment card information (PCI) that [looks] no different from the PII and PCI captured by an e-commerce company,” said Keats. “Successfully stealing a streaming video on demand (SVOD) customer database with a million customer records yields the same ROI as one stolen from an online retailer.”
Whether protecting against credentials-stuffing from malicious bots or careless contractors in the vendor landscape, media companies need to practice good security hygiene and be wary of the security practices of partners who have access to their customers’ networks. As has been the case in so many major breaches, all an attacker has to do is compromise one of those partners to gain access to the firewall and steal content, customer data and executive communications.
How Can Medial Companies Improve Cybersecurity Strategy and Policy?
In addition to acquiring a reputable cloud security firm to help investigate the attack surfaces exposing their businesses, media companies also need to ensure that they have solutions to protect each of those points.
“Find a firm that has enough scale to be able to see a ton of threats, both traditional and emerging, and ask the firm to help you understand how to best secure your apps and architecture beyond buzzwords,” Keats advised. “When you do this information session, get your different stakeholders in the room so that you can look at your security posture as a team. This is not the time for turf wars.”
By taking the following steps, media companies can enhance their security strategy and feel more confident that they are protected against current and emerging threats:
Discover and prioritize impacts of assets. Not all assets are created equal. An online release of a video prior to its debut screening may create reputational and financial damage to a company, but the credit card details of subscribers are under regulatory control. Each company needs to consider its assets and how they impact the business.
Collaborate with direct and indirect third parties. Websites have an average of 140 third parties who execute anywhere from 50 to 95 percent of their code. Most website owners only know, at most, half of the third parties with whom they do business.
Vet third parties. Media companies should ask their third and downstream parties the hard questions about security and follow up with frequent audits of security measures. Companies should enforce their digital policies through service-level agreements (SLAs) and contract clauses.
Place safety measures around these assets. Safety measures should span various levels, including networks and IT to prevent a DDoS attack, as well as on applications to avoid account breaches. Consider the human element to prevent disgruntled employees from exposing sensitive and proprietary data. Media companies should continuously scan assets in real time to identify and terminate any threats.
Create an incident response plan. This is not just a technological approach, but a step that must involve various teams and processes. In case of an attack against the company, there should be an advanced, detailed and well-rehearsed plan to respond.
A data breach poses a significant financial and reputational risk to media companies. To avoid becoming the next headline, businesses need to thoroughly understand not only their own risks, but also the risks that their suppliers pose.
Once media companies understand those risks, they can take measures to continuously protect against emerging threats. Collaboration throughout the organization, as well as with extended partners, will help to enforce strong digital policies and remediate unauthorized activities within the digital ecosystem.