Don’t Learn About Cybersecurity The Hard Way

NEW ORLEANS — There’s no better way to test a media company’s cybersecurity readiness than an actual attack, and for Tribune Publishing, that came on Dec. 28. 2018.

Hackers targeted the company’s production systems and some of its file shares. Fortunately, Tribune became aware of the attack almost immediately, but being a high-profile media company, within 24 hours its major media peers were already reporting on it and the spotlight was on as it responded in real time.

Tribune scrambled internally to manage business continuity while containing the threat and navigating the fast-moving terrain of counsel, insurance, regulatory compliance, data backup and restoration strategies.

Greg Page, VP of corporate compliance for Tribune, recounted the attack in a session on new trends and risks in cybersecurity at the Media Financial Management annual conference here on Tuesday.

“This was a shot across the bow,” Page says.

That shot yielded numerous lessons for Tribune that could apply to any other media company in an era when “cyber criminals are quicker, better and faster at getting in” to internal systems, according to Wayne Weaver, director of KPMG Cyber. He warns that it can sometimes take months until such attacks are even detected and months further still until they can be pushed out.

Weaver says cybercriminals are motivated by the multibillion-dollar business that their enterprises have become. And they need to be good at finding only one vulnerability, while media companies need to be constantly vigilant and secure across their entire enterprise.

For Tribune, the late 2018 attack compelled a response of multiple meetings a day for weeks, the complex securing of operations, continuous communications with key stakeholders and coordination with insurance providers, all of which has given the company a hard-won authority on cybersecurity.

Page described a complex triage of responses to the attack, beginning with questions of how to stop the threat’s spread while still managing to get Tribune’s products out to its customers. The company had to pause its business in certain areas to ensure it didn’t make the attack any worse while evaluating existing data backup and restoration strategies. All the while, “we had to make sure that communication was clear and concise” with in-house counsel, corporate communications and third parties including auditors.

On the insurance front, Page says the attack was eye opening. “As we went through this process, it was really important to know what your coverage is,” he says. That extended to what kind of options the company had, as well as who they were compelled to use in terms of professional services in the recovery.

Tribune learned that last lesson the hard way. It initially brought on one vendor that had to be replaced when it turned out not to be on the insurer’s list of approved providers and the process needed to be handed off.

Page says the whole process illuminated how important it is to know what’s covered and what isn’t, how to keep track of costs and have a methodology to keep track of lost revenue.

“This was not nearly as bad as it could have been,” he says, and that’s largely down to an increased level of planning and training across the media industry. Weaver says that’s starting at the board level of many companies, where there’s a higher awareness now and an increasing demand for quarterly updates on the cybersecurity front.

Weaver says executives are bringing cybersecurity into their strategy sessions. At the more forward-looking companies, CIOs and CISOs are more knowledgeable about when to take action and what actions to take, and they’re more likely to be empowered to do so.

Three to five years ago, boards had more of a defensive and reactive stance on cybersecurity, he notes, but they’ve shifted to a more proactive posture. They’re now asking executives “Are we resilient enough within our tolerance ranges?” Weaver says.

Boards also increasingly want to see cybersecurity put into a business context, and they want to know its ROI, Weaver adds.

That heightened awareness comes as media companies are also migrating more of their functions into the cloud and using technology like artificial intelligence to automate parts of workflow, all of which leaves them more susceptible to risk. “You have to start thinking about security in design as you roll out these innovations,” Weaver says.

With AI, for instance, who’s training it? And what does it have access to?

On the positive side, improvements in technology are also beefing up cyersecurity’s response side. For instance, there are better analytics around privileged users in a company’s operations, and they’re better able to identify normal activities versus anomalies to pinpoint potential insider threats.

There’s also a greater focus on risks from third-party providers, including a shift to greater formality around security in those contracts.

Multifactor authentication moving beyond simple passwords is helping on the proactive front. And so is training and education, which might be the most important facet of all to cybersecurity.

Page says Tribune has ramped up its own internal training, making it more methodical, enhanced and required. “Part of it is creating more of an aware culture,” he says.

Gone are the days of simply playing an instructional video on the subject for employees. Training now tends to be more hands on with live instructors, putting employees through more demonstrative scenarios of what threats like phishing actually look like.

Weaver says more proactive companies are focusing on testing and monitoring with greater accountability for repeat offenders who fall prey to phishing and spoofing schemes.

“The phishing campaigns have moved beyond basics,” he says. “They’re starting to move toward more advanced techniques.”

Page, who can now count himself among the veterans of a cyber attack, knows the truth of it. “These things get sophisticated.”