Experts spell out three actions to assess a station's cyber security risks and offer eight recommendations for performing basic risk management and "cyber security hygiene."
The Importance Of Cyber Security To Stations
Communications law firm Lerman Senter recently sent a reminder about reporting requirements following September’s nationwide test of the Emergency Alert System (EAS). Reading it in light of recent news about email and other hacks got me thinking about the importance of stations’ cyber security measures.
Unfortunately, the 2013 Zombie Apocalypse EAS hacks are not the end of that story. Just hours after the Sept. 28 national test, a Utica, N.Y., station’s EAS system interrupted the station’s evening newscast to send the following message: “Civil authorities have issued a Hazardous Materials Warning for The United States. Effective until September 29, 02:16 AM EDT. Would you. Could you. On a Train? Wait for further instructions.”
While the warning’s closing reference to a line from Dr. Seuss’s “Green Eggs and Ham” may have helped to suggest it was a hoax, it was transmitted the night before a fatal train collision in Hoboken, N.J., located about an hour away, which prompted some viewers to wonder about a connection. The station responded immediately by saying there was “no such warning” and that it was working with the New York Broadcasters Association and FEMA to determine how it occurred.
The FCC also sees a very strong link between the country’s EAS and cyber security. As TVNewsCheck’s “Broadcaster’s Guide to Washington Issues” points out, the agency’s proposed rulemaking on enhancing the country’s EAS contains several measures intended to enhance EAS security.
Developing EAS Security Best Practices
The FCC’s actions, which have included fines for security breaches, are also noted in an article on cyber security that appears in the September-October issue of MFM’s The Financial Manager magazine. The article’s co-authors, Michael Pryor and David Leigh, write, “Over the past two years, the FCC has issued millions of dollars in fines for companies that it claims failed to take reasonable measures to protect their customers’ information.”
However, the FCC’s role isn’t limited to rulemaking and enforcement. Pryor, special counsel in the communications practice at Cooley LLP, and Leigh, president and co-founder at Rofori Corp./Defcon Cyber, go on to detail how the agency can also be counted among the resources available to help TV stations and other EAS participants develop a risk-management plan.
The agency’s efforts have included directing a group of communications experts to review the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which identifies and describes best practices to manage cyber risk, and adapt it to various communications sectors, including broadcasting. “The resulting report prioritizes risk management steps. The FCC expects companies to review these practices and begin the process of incorporating them into their overall procedures.”
The NIST Cybersecurity Framework
Pryor and Leigh go on to describe the recommendations contained in the “Cyber security Risk Management and Best Practices” report, observing that one of its most useful sections identifies key barriers to implementing sound cyber security risk-management programs and assesses the financial, legal, technical, and operational roadblocks that companies may face.
Using guidance provided by the report, the experts recommend taking the following three actions as part of assessing a station’s cyber security risks:
1. Identify critical processes and data assets — Identify the breaches that could put the company out of business or do irreparable harm to its reputation. In addition to EAS, they recommend developing an inventory of assets that can be breached, “everything from desktop computers and laptops to internet connection points.”
2. Pinpoint the most probable threats — This inventory should be very specific to the threats that have the greatest impact if a breach were successful. This requires understanding the value bad actors would place on a company’s assets, which may differ in significant ways from the value the company places on them. Don’t overlook company vendors or a company to which the company is a vendor, since “many of the most publicized attacks have come through a link between the target and a subcontractor.”
3. Define your risk-mitigation strategy — The next step involves determining which best practices will mitigate each risk identified in the two previous steps. This can be accomplished by asking, “What are we willing to do — and what do we need to do — in order to protect critical assets from the threat?”
While cyber insurance has become a common way to address economic risk, the authors warn, “Insurance can help transfer economic risk, but no policy can replace a media company’s responsibility to its community to remain functional in times of crisis, nor can it prevent false alarms.”
Basic Cybersecurity Hygiene
The authors recommend following a minimum set of activities that they refer to as basic cyber security hygiene. “Taken together, they form a foundation for any cyber security program. It is estimated that effectively implementing these steps results in protection from 80% of cyber attacks.” The practices they outline include recommendations developed by the FCC:
- Manage the inventory of data, software and hardware.
- Limit user and device access to sensitive information (the principle of least privilege).
- Change default passwords, use password complexity and remove or disable unnecessary and expired accounts. While this is important in general, it is crucial for EAS participants.
- Manage vulnerabilities by updating systems with the latest firmware and software patches — especially if you use EAS devices.
- Detect and remove malware.
- Ensure EAS devices are not directly accessible through the internet. In other words, configure a firewall to deny access from the public internet. Properly secure and log remote access.
- EAS participants should report the issuance or retransmission of a false alert within 30 minutes.
- Those with EAS must also process and validate digital signatures (a cryptographic mechanism to ensure that the EAS alert has been sent by an authorized entity). And they should discard unauthenticated alerts.
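The last item on the list, validate the signature and discard anything that fails, is the control that would have stopped a spoofed alert like the Utica one from being relayed. The following Go program is an added illustration of that rule; it is not code from the article, from Pryor and Leigh, or from any EAS equipment vendor. It assumes a simplified alert record signed with Ed25519 over the raw alert bytes, with constructed keys generated at run time; real EAS/CAP alert formats and their signature scheme differ and are not shown. The point it makes is the same regardless of scheme: verification must cover the whole alert body, only keys provisioned as trusted originators count, and every discard is recorded so the station has a record to support the 30-minute false-alert reporting duty.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Alert is a constructed, simplified alert record: the body a station would act
// on plus the signature that accompanied it. Real EAS/CAP messages carry more
// fields and use a different signature format; this struct is illustrative only.
type Alert struct {
	Body      []byte
	Signature []byte
}

// ErrUnauthenticated is returned for any alert whose signature does not verify
// under a trusted originator key. Such alerts are discarded, never relayed.
var ErrUnauthenticated = errors.New("alert discarded: signature not valid for any trusted originator")

// Validator holds the originator public keys the station has provisioned as
// trusted, and an audit trail of discarded alerts for later reporting.
type Validator struct {
	trusted   map[string]ed25519.PublicKey // originator name -> public key
	Discarded []string                     // short description of each rejected alert
}

func NewValidator() *Validator {
	return &Validator{trusted: map[string]ed25519.PublicKey{}}
}

// Trust registers an originator's public key. Only the public half is ever
// present on the receiving device; the signing key stays with the originator.
func (v *Validator) Trust(name string, pub ed25519.PublicKey) {
	v.trusted[name] = pub
}

// Validate returns the name of the trusted originator whose key verifies the
// alert, or ErrUnauthenticated. Because the signature covers the whole body,
// any change to the body after signing also fails verification.
func (v *Validator) Validate(a Alert) (string, error) {
	if len(a.Signature) != ed25519.SignatureSize {
		return "", ErrUnauthenticated
	}
	for name, pub := range v.trusted {
		if ed25519.Verify(pub, a.Body, a.Signature) {
			return name, nil
		}
	}
	return "", ErrUnauthenticated
}

// Process applies the hygiene rule: validate first, relay only on success, and
// log every discard so the station can account for it later.
func (v *Validator) Process(a Alert) (relayed bool, originator string) {
	name, err := v.Validate(a)
	if err != nil {
		summary := string(a.Body)
		if len(summary) > 60 {
			summary = summary[:60] + "..."
		}
		v.Discarded = append(v.Discarded, fmt.Sprintf("%v: %q", err, summary))
		return false, ""
	}
	return true, name
}

// SignAlert is what an authorized originator would do; it is included only so
// the example is self-contained.
func SignAlert(priv ed25519.PrivateKey, body []byte) Alert {
	return Alert{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Demo runs three constructed cases: a genuine alert, the same alert with its
// body altered after signing, and an alert signed by a key the station never
// trusted. It reports whether each one was relayed.
func Demo() (genuineRelayed, tamperedRelayed, unknownRelayed bool) {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader) // constructed originator key
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // constructed untrusted key
	if err != nil {
		panic(err)
	}

	v := NewValidator()
	v.Trust("constructed-alert-authority", authPub)

	body := []byte("CONSTRUCTED TEST ALERT: Required Monthly Test, effective 2016-09-28T19:00Z")
	genuineRelayed, _ = v.Process(SignAlert(authPriv, body))

	tampered := SignAlert(authPriv, body)
	tampered.Body = []byte("CONSTRUCTED TEST ALERT: Hazardous Materials Warning, effective 2016-09-28T19:00Z")
	tamperedRelayed, _ = v.Process(tampered)

	unknownRelayed, _ = v.Process(SignAlert(roguePriv, body))
	return
}

func main() {
	g, t, u := Demo()
	fmt.Printf("genuine relayed: %v, tampered relayed: %v, unknown-key relayed: %v\n", g, t, u)
}
```

Note that the validator never consults anything inside the alert body to decide who sent it; the claimed originator is whatever key verifies, so an alert with a plausible-looking header but no valid signature is treated exactly like one with no header at all.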
‘Hit the Ground Running’
Echoing advice from the cyber security experts I have mentioned in earlier columns, the authors stress the importance of delegation, communication, training, security audits, and vigilance as keys to implementing an effective plan. As they aptly observe, “cyber security risk management never ends. That may seem like a daunting statement, but it needs to be faced head on. Doing nothing is not an option.”
It seems a month doesn’t go by without reading about a company that has become the victim of a cyber attack, with Yahoo’s admission about a two-year-old attack representing the most recent occurrence. The frequency of these attacks, which have affected companies large and small, helps us to recognize, as the experts have, that “cybersecurity breaches cannot be prevented; they can only be managed.”
For this reason, the members of MFM, who represent the industry’s financial management executives, have made cybersecurity measures one of their top educational priorities for the coming year. I encourage you to monitor our website for news about upcoming programs that can benefit your cyber security strategies and to share the cybercrime concerns that you would like us to address.
According to the most recent IBM/Ponemon study, the average cost of a security breach exceeds $7 million, with lost business representing the largest expense. Adding that financial impact to the likelihood of FCC fines and you have plenty of reasons to proactively respond to the FCC’s request for adopting cyber security best practices.
Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary, the media industry’s credit association. She can be reached at [email protected] and via the association’s LinkedIn, Twitter or Facebook sites.