Cybersecurity Returns To The Forefront: Five Rules Media Companies Need To Follow Now

Joe Annotti

Ransomware attacks, cyber threats, data breaches, and hacks have been a component of every media company’s budget for decades now. What was once an occasional blip on the radar of this industry is now a must-have for any business plan. While the media industry is “fortunate” not to be among the top 10 ransomware targets by industry (according to cybersecurity firm Sophos), media companies have increasingly suffered attacks that have taken TV stations offline, exposed sensitive data, and more — serving as an awful reminder of our industry’s vulnerability.

Brendan Hall, senior vice president at Stroz Friedberg, a company that provides digital forensic solutions, lent his considerable expertise to an article titled “The Cyberattack Dilemma,” appearing in the current issue of TFM, the magazine for members of the Media Financial Management Association. In it, he provides an overview of the current cybersecurity situation and lays out several steps that thismedia companies should be taking now to reduce cyberattack risks.

First, the “good” news: During the start of the war in Ukraine – which has otherwise been a black mark on the history of the world – one very small bright spot is that it temporarily disrupted some of the largest, Russian-based groups of threat actors, with a 27% drop in ransomware attacks and a 10% dip in privacy breaches. In addition, the U.S. federal government partnered with Europol and other global partners, focusing on Russian ransomware groups in late in 2021, contributing to their disruption.

That’s not to say cyberattacks are down overall:  As of the end of this year’s first quarter, they were still up an astounding 223% over first quarter 2019.

I checked into the second quarter statistics and it’s not looking good. According to antivirus software maker Avast’s new “Q2/20222 Threat Report,” after months of decline, global ransomware attacks increased significantly, up 24% from the first quarter of this year. The report states that while the Ukraine war led to disagreements within the powerful Conti ransomware group, halting their operations, since then, Conti members have branched off to form new ransomware groups.

Hall takes a look at cyber insurance as another indicator of the temporary cyberattack slowdown. The cyber insurance market is currently in a corrective state after taking a beating the past couple of years, which, he argues, “is a good thing for everyone.” While cyber underwriters have traditionally had a voracious appetite for policy writing, they have also “corrected,” now requiring clients to implement a series of controls before insurers will consider quoting a policy.

Coverage for cyberattacks is now an integral component of almost every corporation’s overall insurance plan — as important as your policies for property, liability, health and workers compensation. But as cyber underwriters are demonstrating, coverage for this volatile and evolving exposure involves more than purchasing a policy that transfers the risk to an insurer. Successfully mitigating the damages that cyberattacks can cause requires that media company executive develop an effective and comprehensive risk management plan that reduces the chances of a cyberattack, and also provides a financial safety net for the damage an attack could cause.

In addition to the uneasiness over the swift return of ransomware groups, something Hall is especially concerned about is novel “wiper malware” being released by suspected Russian advanced persistent threat groups. They began unleashing this highly destructive malware into the wild during Russia’s invasion of Ukraine, and if it’s akin to an earlier malware called NotPetya, this type is particularly destructive and widespread, and once released, can be used by any cybercriminal.

But smart companies can protect themselves. Hall lays out five practical steps media companies can, and should, take to bolster their cyber resilience:

1. Train your people. Your cybersecurity is only as good as your employees, and your employees are also human. If one of your staff isn’t paying attention, and clicks on a phishing email, they may instantly open the door for threat actors to wreak havoc. Conduct regular phishing tests and implement threat intelligence updates. In addition, create a culture of cybersecurity via messaging from executive leadership to the entire company to enlist them in identifying and protecting the business from cyber threats.
2. Quantify your risk and review your insurance policies quarterly. Companies too often use a “back-of-the-napkin” approach to buying cyber insurance. A risk quantification that uses an actuarial, data-driven approach will reveal maximum probable risk. Using standards like severity and likelihood, you can make more educated decisions about how much insurance your need versus how much risk you want to self-insure.

These exercises also focus on the most likely attack paths that may be used against your business given certain variables such as industry vertical and revenue, enabling companies to double down on likely attack paths.

Given the events in Eastern Europe and their consequences to global enterprise, it’s also critical to frequently review your policy with your broker to see how it may or may not respond to certain scenarios.

3. Govern your information carefully. Simply reducing the amount of information you’re holding that could potentially be encrypted and/or exfiltrated by a threat actor in an attempt to extort a hefty ransom could reduce your cyber risk significantly. Many companies retain huge “data lakes” of dark data that have no real business use or value, but which create a massive liability. Work closely with outside counsel on developing a defensible deletion policy to reduce your risk by deleting that dark data.
4. Remember that failing to plan is planning to fail. While having a cyber insurance policy is critical, it’s also imperative to create a well-documented incident response plan, and update it on a quarterly basis — and include predetermined vendors for incident response and outside counsel. You should conduct a tabletop exercise at least annually that includes both executive and technical resources so that roles, responsibilities, and tasks around incident response are clear.
5. Listen to the underwriters. Now that the cyber-insurance underwriting community has developed a robust set of cybersecurity controls, be sure to following their guidance to implement them. Doing so is both good practice and will also help you retain your insurance with as little additional expense during your renewal as possible.

The top recommendations from underwriters include multifactor authentication (MFA); endpoint detection and response; incident-response planning; phishing/cyber-awareness training; limited active directory service accounts; and disaster recovery backups (which should be segmented and have MFA), email filtering and patch-management policies).

This list represents a lot of work for media companies, but it’s a task for which it seems we have no choice. The alternative is to take risks with less-than-aware employees, underinsure the business, and otherwise position your company as a sitting duck for cybercriminals. I recommend you read Hall’s feature in full, and take his solid advice. The stakes may never be higher.

Joe Annotti is president and CEO of the Media Financial Management Association and its BCCA subsidiary, the media industry’s credit association. He can be reached at [email protected] and via the association’s LinkedIn, Facebook, Instagram and Twitter accounts.