The risk of cyber crime affects organizations large and small. No business is immune to the expense and downtime that can be a result of a cyber virus or, as we have seen in the high-profile cases, the piracy of information about employees and customers. Here are eight top cyber security issues that should concern all of us.
“As cyber security incidents multiply in frequency and cost, the cyber security programs of U.S. organizations do not rival the persistence and technological prowess of their cyber adversaries.”
This observation, the opening statement of PwC’s 2014 US State of Cybercrime Survey, may be an understatement. The conclusions in the June 2014 report continue to be validated by increasingly frequent and severe cyber attacks, including the hacks into databases maintained by Sony Entertainment last December and Anthem Insurance earlier this year.
Even we at MFM were recently hit by a potential ransomware attack; I credit the quick thinking of local staff along with the team at our third-party network management company for successfully resolving what could have been a difficult and expensive situation.
The risk of attacks against media organizations can be even more visible and, as we witnessed with the incident involving Sony Entertainment, cause significant damage to the company’s reputation. At the station level, cyber attacks have included the 2013 hacks into the EAS systems at several broadcast TV outlets and a ransomware attack last fall that took several Australian TV outlets off the air.
In addressing the likelihood of an increase in cyber attacks on U.S. organizations, the PwC report indicated that more than three in four of its 2014 survey participants said they had detected a security event in the past 12 months, and more than a third (34%) reported an increase in the number of security incidents they had detected over the previous year.
As a result, nearly 60% of respondents said that they were more concerned about cyber security threats than they were in the prior year and 69% were worried about the impact of cyber threats to their organizations’ growth prospects.
With respect to the financial impact of cyber crime, PwC’s 2014 survey found that 7% of U.S. organizations had lost $1 million or more due to cyber crime incidents, compared with 3% of global organizations. Nineteen percent of U.S. entities reported financial losses of $50,000 to $1 million, compared with 8% of worldwide respondents. The organizations surveyed by PwC also cited their concerns over the growing risk of legal liability, which could result in the escalation of costly lawsuits.
The Top Eight Cyber Security Issues
PwC’s 2014 study goes on to identify eight top cyber security issues that should concern all of us:
- Spending with a misaligned strategy. — The study found that only 38% of respondents prioritized their security investments based on risk and impact to business and just 17% said they had classified the business value of their data.
- Business partners fly under the security radar. — Fewer than half (44%) of companies PwC studied had a process for evaluating third parties before launching business operations and less than a third (31%) included security provisions in their vendor contracts.
- Missing a link in the supply chain. — The study found only 27% of respondents were conducting incident-response planning with their supply chain partners and just 8% have supply chain risk-management capability.
- Slow moves in mobile security. — Despite the proliferation of mobile technologies and their inherent risks, less than one-third (31%) of companies have a mobile security strategy, only 38% are encrypting devices, and a similar percentage (36%) maintain a mobile device management program.
- Failing to assess for threats. — Fewer than half (47%) of companies are performing periodic risk assessments and less than one-quarter (24%) are using an objective third party to assess their security programs.
- Failure to collaborate. — The study determined that only 25% of organizations were participating in Information Sharing and Analysis Centers (ISACs) and just 15% reported working with public law enforcement agencies.
- Suspicious employee behavior. — Fewer than half of those surveyed (49%) had a formal plan for responding to insider events and three-in-four still handle insider incidents internally, without involving legal action or law enforcement.
- Untrained employees. — Although 76% of organizations surveyed believe they will spend less on security events when their employees are trained, only 20% say they are training their on-site first responders to handle potential evidence and 54% are not providing security training for new hires.
The Internet Of Things And Greater Risk
The growing use of cloud-based solutions by TV stations and other media businesses makes the industry even more vulnerable to a number of the eight risks cited in the PwC report. As we learned from the EAS attack, routine measures such as immediately changing factory default passwords and ensuring devices are behind routers with good built-in firewalls could have prevented what fortunately turned out to be more of an embarrassment than anything else.
As Broadcast Law Blog’s David Oxenford observed at the time: “It is important to recognize that the system itself did not cause the issues here, just the connection to the Internet. This just reminds broadcasters that any of their systems connected to the Internet need to be secured to make sure that these kinds of issues do not arise in the future.”
Growing Demand For Cyber Insurance
With the cost of a high-profile breach running into tens or hundreds of millions of dollars due to lost business, disrupted services, and compensating identity theft victims, many companies are expanding their liability insurance policies to include coverage against cyber-attacks. According to a survey of nearly 19,000 security and risk management professionals conducted by the Ponemon Institute, 31% say their company has a cyber security insurance policy and another 39% say they are planning to purchase one.
One of the country’s leading providers of cyber insurance is the Chubb Group of Insurance Companies, which provides professional and management liability insurance for many of our members. MFM has given its highest form of recommendation — our endorsement — to Chubb as our preferred provider of property and casualty insurance for TV stations and other media businesses.
Cyber Security Advice From The Pros
With more than 20 years of experience in working with television stations, Chubb has a solid, first-hand understanding of liability issues that can affect local broadcasters. This puts them in a great position to take what they have learned about the best practices for ensuring cyber-security and apply it to the risks that can be experienced by TV stations and other media operations.
We will be providing an opportunity for the industry to benefit from those insights at our upcoming annual conference, Media Finance Focus 2015, which will be held in Phoenix, May 18-20.
In addition to addressing the topic during a number of discussion panels with attendees, Chubb will be sponsoring our Tuesday morning general session, which includes a keynote address on the topic from James Aquilina, executive managing director of Stroz Friedberg, one of the world’s top digital forensics, cyber-crime and security science firms.
We selected “Blazing a New Frontier” as the theme for Media Finance Focus 2015, the 55th annual conference for MFM and its BCCA subsidiary, the media industry’s credit association. It applies not only to this year’s venue, which was the last of the 48 contiguous states to enter the union, in 1912, but also serves as a reminder that our industry is blazing a new frontier in many ways.
This new frontier includes our growing reliance on cloud-based solutions to conduct our businesses more efficiently and meet viewer demand for TV Everywhere access to video programming. As the PwC report and the examples of cyber attacks on media businesses point out all too clearly, we also will need to become more cyber-secure if we want to safely (and cost-effectively) blaze that new trail.
Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary. She can be reached at [email protected]. Her column appears in TVNewsCheck every other week.