World Association of Newspapers and News Publishers

Worst practices in cybersecurity: Three things every news media executive needs to know

World News Publishing Focus

World News Publishing Focus
Your Guide to the Changing Media Landscape

Worst practices in cybersecurity: Three things every news media executive needs to know

In April, cyber-terrorists attacked Al Ittihad, the website of the oldest newspaper in the United Arab Emirates. In February, the website of The Suburban, a weekly English-language newspaper in Montreal, was hacked.

A few days later, The Jewish Press, an independent website and weekly newspaper in New York, was also hacked. In September last year, Politica Estadao, a Brazilian political newspaper's website, was compromised with a vicious malware attack. And, for half a day in August 2013, The New York Times and The Washington Post websites were brought down again the Syrian Electronic Army, a group claiming to support the regime of Syrian President Bashar al-Assad.

The problem is global, it’s pervasive, and it’s affecting media companies large and small.

Yet in a RAM (Research and Analysis of Media) survey conducted at a 2015 gathering of news media professionals, cybersecurity was not mentioned once as an “absolutely critical priority” or even as a “very important issue” by any of the 285 executives surveyed.

Worst Practice 1: Underestimating the importance of cybersecurity for news media companies

According to a PricewaterhouseCoopers global study, the number of detected cyber-attacks rose 48 percent between 2013 and 2014, a figure that grew steadily in 2015, with more than 100,000 breaches taking place every day.

The problem is especially acute in industries such as ours. Earlier this year, a Joint Intelligence Bulletin of the FBI and the Department of Homeland Security warned, “The hackers who infiltrated Sony Pictures Entertainment’s computer servers have threatened to attack an American news media organisation… The threat against the unnamed news organisation by the Guardians of Peace may extend to other such organisations in the near future.”

Worst Practice 2: Assuming your firewall, ISP, data centre, or hosting provider will automatically protect you from cyber-attacks

News media companies are especially vulnerable to distributed denial of service (DDoS) attacks. A DDoS is an attack involving tens, hundreds or thousands of infected computers – called botnets – that concurrently overwhelm a company’s servers and stop legitimate users from accessing online applications.

A 2014 survey of global IT security risks conducted by international software research group Kaspersky Lab found that 42 percent of media companies around the world had experienced some form of DDoS attack in the previous 12 months. The same study found that only 38 percent of media companies surveyed were actively taking DDoS countermeasures.

Cyber-attackers are using DDoS to target corporate media enterprises, hosting providers, and Internet service providers. These attacks are becoming more sophisticated every day. Not only are attackers using brute-force DDoS breaches, but they have also started to implement more adaptive methods to generate a second or third attack designed to circumvent the protections a company already has in place. Thus it is imperative for media companies and their hosting partners to consider additional levels of DDoS protection, such as the Corero SmartWall Appliance used by organisations such as Digital First Media and the Journal Register Company, or DDoS defense architectures from Radware, Arbor or Juniper Networks.

Worst Practice 3: Not making cybersecurity part of your corporate culture

Many media companies – and companies of all sizes in all industries – are beginning to implement security programs that guard against threats from hacktivists, cyber-terrorists, and other external sources. However, these same companies often fail to provide adequate protection against internal vulnerabilities – namely, employees, contractors, contributors, agency representatives, etc.

A 2015 Grant Thornton report on cybersecurity for digital media companies found, “Most companies fail to instill cybersecurity into their corporate cultures, [fail to reinforce] the notion that information protection must be everyone’s responsibility. After all, data security at your company is only as strong as the weakest link in the chain.”

Common sources of internal breaches can include malware on an employee’s laptop; a hacker taking advantage of a weak password; or a watering hole attack, where a hacker places malicious software on a trusted website regularly visited by employees (e.g. a local restaurant site or municipal community page.)

Internal vulnerabilities can also result from less-than-strict coding practices, for instance, when a web developer installs a susceptible open source plug-in for a website project. Even the seemingly innocent task of leaving a desktop computer logged in and unattended can expose a company’s network to cyber-attacks.

“Everyone at a digital media company should be involved in the cybersecurity effort,” says the Grant Thornton report. “Cybersecurity responsibility should be clearly defined across the organisation, with each department understanding its responsibility and having been trained accordingly.”

Peter Marsh is Vice President, Marketing at Newscycle Solutions. He joined Newscycle in 2013 from Atex Inc., where he was Senior Vice President of Global Product Management. With more than 30 years’ experience in the media industry, Peter was previously the CEO of 5 Fifteen Inc. He was also the founder and CEO of Deadline Data Systems and Vice President of Web Development at EBSCO Publishing.


WAN-IFRA's picture



2015-05-28 16:03

Author information

© 2020 WAN-IFRA - World Association of News Publishers

Footer Navigation