Media companies are under strain due to the COVID-19 pandemic, and their crisis management plans for ensuring business continuity and disaster recovery are undergoing a major, real-world test. One certainty in this uncertain time is that the crisis will highlight clearly where and how these firms need to strengthen their crisis management plans to improve business resiliency. As they do so, they may also want to improve another aspect of crisis management: cybersecurity incident response.
Many media company executives around the globe had categorized cyber threats as a top concern for their organizations in 2020 — before the COVID-19 outbreak disrupted their business and the world. These executives had ranked cyber threats 10th among their companies’ top 10 risks in our 2020 risk survey. And for years, many have placed this risk among their most significant top operational risks.
While the COVID-19 outbreak commands attention right now, media companies will want to be careful not to let their guard down when it comes to cybersecurity, especially when so many of their employees are working remotely. Before the outbreak, media businesses, just like tech and telecommunications companies, were prime targets for cyberattacks because of their rich customer profiles, payment information and highly visible brands. No doubt, they will continue to be targets during the pandemic — perhaps even more so — as hackers assume, correctly, that many companies are overwhelmed responding to the crisis, and attention is divided.
Media companies can also look to the recent past if they need further motivation to step up their cybersecurity efforts. There are plenty of examples in the industry of how lax cybersecurity practices left businesses, and their customers, vulnerable to disruptive and costly cyberattacks. Here are just three:
Example 1: A Media and Technology Company
This global company suffered a breach that exposed the data of hundreds of thousands of users of its social network. The breach was due to privilege misuse that likely stemmed from the company making user data available to outside developers through application programming interfaces (APIs). Malicious actors posing as app developers used the APIs to gain access to users’ sensitive personal data. It took years for the company to detect this breach. And its initial response to the event was lacking: It initially withheld information due to fears of regulatory scrutiny and reputational damage.
Example 2: A Broadcasting Company
This large radio broadcaster was targeted with two ransomware attacks in 2019. The first incident, which disrupted the company’s phone and email communication as well as several internal systems, resulted in about $400,000 in lost revenue. The second attack was reportedly less severe. Following the initial attack, investigators discovered that an unauthorized actor had accessed the protected personal information of an undisclosed number of users of the company’s internet radio platform. The information, which included customers’ names, usernames and passwords, was contained in database backup files stored in third-party cloud hosting services.
Example 3: A Game Publishing Company and Portal
In 2019, hackers compromised data from 11 million users of a game portal website. According to the game publishing company, a private security group first detected the breach, which triggered an immediate audit of the company’s hosting provider, web servers and database systems. After the breach was confirmed, the company announced that customer data such as login data and birth dates tied to administrative accounts were compromised. The company had failed to protect its infrastructure, making its system vulnerable to attacks from malicious third parties. This incident, and the costly investigation that followed, caused the company reputational damage.
A Four-Step Action Plan for Improving Cybersecurity Now and for the Future
Before the pandemic, some media companies were looking to invest more in cybersecurity, although not necessarily because they recognized themselves as a likely target. Some firms were more concerned about cybersecurity risk disclosures because they were preparing for an initial public offering or merger and acquisition deal, for example. And others were elevating their cybersecurity practices as part of their efforts to step up environmental, social and governance (ESG) reporting.
Whatever the motivation for change, improving cybersecurity is a smart strategy for media companies that have not focused enough attention on the issue in the past. Following is a four-step approach for helping these businesses to develop a sound plan for reducing their cyber risk exposures and responding to incidents more effectively:
- Step 1: Document the current situation. Identify security gaps using a formal, defined framework such as NIST or ISO 27001, and review the company’s existing cybersecurity policies and standards.
- Step 2: Define a desired future state. Among other things, assess the people, process and technology needs for addressing known cybersecurity gaps and risks.
- Step 3: Create a cybersecurity road map. Develop a strategy for addressing cyber risks. Define resources and budgets for initiatives and plan and prioritize activities.
- Step 4: Monitor and report results. Develop an ongoing information risk assessment process to address the evolving cyber risk landscape and create key performance indicators for reporting to the IT steering committee and the board.
It is unknown when business will return to normal — and, even then, what the new normal will be. But any plans that media companies were pursuing before the COVID-19 outbreak to strengthen their cybersecurity should not fall by the wayside because those plans are needed now more than ever.
As for media companies that have yet to prioritize cybersecurity, now is an ideal time to get started as the business re-evaluates its overall approach to crisis management and makes improvements for the future. And to help ensure momentum during this challenging time, media companies may want to consider enlisting help from a third-party resource, such as a managed services provider, which can help them to develop and implement a cybersecurity program.
Learn more about Protiviti’s cybersecurity services for technology, media and telecom (TMT) companies.