Don’t Wait: Get Prepared For A Cyberattack

A few years ago, MFM was hit by a crypto virus. I’m embarrassed to admit that it came in through my computer — the source was a flash drive containing a speaker’s presentation. The good news is that we use a third-party IT company that continuously monitors our network and we have nightly cloud backups. MFM was back up and running within a few hours; our data loss was minimal.

While all businesses must be vigilant, media companies seem to be in the crosshairs for cyberattacks lately. In the past few months alone, attackers have hacked into several broadcasters’ audio streaming devices to transmit what the FCC described as “potentially offensive or indecent material to the public.” In addition, Yahoo was hit with an SEC investigation focused on whether it should have notified investors sooner about its two major data breaches.

Piling onto these high profile incidents are warnings about W2 phishing attacks targeting employee data and a dramatic rise in the number of ransomeware attacks on American businesses. Experian is also cautioning about the potential of an increase in “aftershock” breaches — unauthorized logins that result from subsequent sales of customer data on the dark web.

These attacks have bottom-line impact. A study by the Ponemon Institute and IBM, found that U.S. organizations continue to have the highest average cost of cyber crime ($17.36 million). On the “good news” side, the study notes that companies with a “high security profile” were able to reduce the cost of cybercrime globally to an average of $7.9 million as compared to $11.1 million for companies reporting low security profiles. Even if a company cannot guarantee it won’t be hacked, it can minimize the impact of a cyberattack by with advance preparation.

So what can media companies do to minimize the costs of a cyberattack, which include damage to the organization’s reputation? Bob Scalise and Renana Friedlich, senior managers focused on cybersecurity and incident response issues at Ernst & Young, say the path to creating a high security profile begins with setting up an incident response (IR) team and developing a plan for the organization’s response to those incidents.

When cyber disaster strikes, the team begins its work by identifying and verifying all the relevant information about the attack from available sources, such as computer and network logs. That information will allow the IR team leader or chief information security officer to determine if they are truly dealing with a security incident.

In that case, the team must address severity; “notify the relevant groups inside and outside the organization,” and follow predetermined appropriate response procedures. The IR team will also try to identify the root cause of the incident and undertake the necessary measures to mitigate similar events in the future.

Scalise and Friedlich recently wrote an article for MFM’s The Financial Manager magazine. In it they recommend taking the following steps to help detect and contain attacks sooner:

Improve Monitoring Tools — Attacks are more likely to be detected earlier through heuristic monitoring tools. Although they do not replace traditional anti-malware and firewall technologies, such tools do provide better visibility into different events occurring in the environment.

Assess Possible Threats — Even if there is no indication that hackers have threatened the organization, consider performing a cyber-threat assessment to determine whether any adversaries accessed the network without raising warning flags.

Leverage Intelligence — Organizations can use threat intelligence services to help detect new incidents as they arise and to enhance monitoring capabilities. Threat intelligence involves gathering insights by analyzing the contextual and situational risks of your “specific threat landscape, industry and market.” These insights can help the business stay ahead of the threats, to mitigate the risk, and maintain operations.

Spread the Knowledge — Conduct training exercises and educate employees so they have an awareness of security threats. Information about common attacker tactics can be disseminated in newsletters and discussions with employees.

In addition, the organization should thoroughly train all parties involved in the IR process. These exercises can be discussion-based, such as a tabletop exercise, or more hands-on, such as war games. Trainees should include the IR team as well as members of business units that will be involved during the response. Scalise and Friedlich say: “Taking this approach will educate business teams that are not directly involved in daily security tasks and will enable the entire organization to experience a mock incident without real-world impact.”

Revise the Plan — Similar to other forms of disaster recovery and business continuity planning, IR plans need to be updated frequently to ensure the organization is as prepared as possible for the likeliest forms of cyberattack. Updates may include incorporating lessons from previous incidents; altering procedures to address identified gaps, and adding the latest information about internal and external parties. “A well-updated plan can be utilized as needed with no additional delays, resulting in a more efficient and effective response.”

Secure Outside Resources in Advance — Finally, the IR team should determine if the company will need support from outside resources and engage any professionals who will need to be part of its surge response team. Examples include legal and crisis communications counsel, cyberterrorism experts and liability insurance professionals. As the EY experts point out in their article, a good IR team “will have already put an outside service company on retainer, so that it’s ready to step in immediately when a hacking incident occurs,”

Scalise and Friedlich close their “Dear Expert” piece with the reminder that while even the best cybersecurity efforts may not stop all social engineering attacks, a solid IR plan will improve an organization’s readiness to handle an incident and reduce the costs associated with it. If you would like to read their article, the January/February edition of TFM magazine will be available on the MFM website for another few weeks. After that, it will move into our “TFM archives” section, where it will remain available to members of MFM and our BCCA subsidiary, the media industry’s credit association.

Protecting media companies against possible cyberattacks is also one of the topics to be covered during Media Finance Focus 2017, which will be held in Orlando, Fla., May 22-24. We are delighted to have experts from Chubb — the only property and casualty including professional and management liability insurer to receive MFM’s highest form of recommendation, our endorsement — and their affiliates participate in a session on this very topic.

As has been said before, the attacker only has to get it right once, but company defenses have to hold 100% of the time. Given all of the forecasts assessing a high probability for both cybercrime and cyberterrorism attacks against media businesses, the experts’ advice bears repeating. Equipping your organization with the best possible Incident Response plan is the only way to limit the attackers’ chances for success as well as ensuring the least amount of financial and reputational damage if one should succeed.

Mary M. Collins is president and CEO of the Media Financial Management Association and itsBCCA subsidiary, the media industry’s credit association. She can be reached at[email protected] and via the association’s LinkedIn, Twitter, or Facebook sites.