For digital media companies, effective cybersecurity programs a must

May 07, 2015

For digital media companies, the trust of their consumers and users is often at the very heart of their business models. Indeed, the value propositions of photo-sharing sites, social media platforms, and health and fitness sites (particularly those associated with the ever-increasing number of wearable monitoring devices), among others, are entirely predicated upon user-provided content. But consumers’ willingness to provide that content inevitably involves an element of trust. With so much riding on that trust, data breaches and the theft of user information can do crippling damage to a company’s reputation. Despite this, few companies, large or small, devote adequate resources to effectively mitigate this risk until the inevitable happens — a breach event.[1]

Smaller companies and businesses just getting off the ground might be inclined to overlook thorough cybersecurity efforts because they see themselves as not worth a hacker’s time and attention. However, this is often a disastrous assumption. For many digital media companies, the transition to worthwhile target size comes quickly. Take Snapchat, which grew rapidly from a 2011 startup to the target of a 2013 hack to, ultimately, a confirmed 2014 data breach victim.[2]

Other players may understand the importance of cybersecurity, but they suffer from a sharp disconnect between the quality and soundness of the cybersecurity program they think is in place and the facts on the ground. Too often, companies limit their security efforts to threats arising from external sources when, in reality, the risks are more prevalent inside the house. Internal vulnerabilities — namely, a company’s employees — pose an even greater risk to companies’ data.
Furthermore, most companies fail to instill cybersecurity into their corporate cultures and to reinforce the notion that information protection must be everyone’s responsibility. After all, data security at your company is only as strong as the weakest link in the chain.

To create an adequate cybersecurity program, companies must start by acknowledging that ignorance is not bliss. Examining their internal data shortcomings in good faith, making sure that vendors who touch sensitive data are secure, and removing cultural obstacles to getting all these things done are the key steps in the process. Those who follow this path are much more likely to survive an attack, and may even turn cybersecurity into a source of competitive advantage.

Payment card standard only a partial solution

While customer data of all types make attractive targets for theft, among the most worrisome — and well-publicized — are attacks intended to steal credit card data. For merchants of all sizes who accept credit card payments — whether online or offline — the Payment Card Industry Data Security Standard (PCI DSS) sets requirements for handling consumer payment card information. For various reasons, however, many companies are falling short on compliance. The Verizon 2015 PCI Compliance Report,[3] for example, found that while average compliance with individual PCI DSS requirements continued to increase in 2014, 80% of companies still fell short of full compliance with the standard. What’s more, the wide variation in companies’ ability to meet individual PCI DSS requirements indicates many still don’t have a comprehensive data security program in place. Dangerously, some believe they are compliant with the PCI DSS even though they don’t fully understand the requirements.
In addition, many organizations don’t realize that there are new requirements in the recently released PCI DSS 3.0 version of the standard, which, among other things, requires companies to be more proactive in cybersecurity, requires more documentation of companies’ data security efforts, and requires businesses to scrutinize the data security protections of all of their service providers who might touch a credit card transaction.

Even if fully implemented, PCI DSS requirements by their nature aren’t designed to prevent cyberattacks and offer digital media companies only limited protection. In addition, many cyberattacks are against companies designated Level 2, 3 or 4 merchants by the PCI DSS (those processing fewer than 6 million Visa transactions annually), which face less stringent compliance requirements than the largest companies. Ultimately, as the PCI DSS only addresses payment card information, digital media companies should consider compliance with the standard just one element of achieving an appropriate level of cybersecurity. Other sorts of sensitive information in their possession, such as names, addresses, Social Security numbers or health care information, must be protected as well, to say nothing of sensitive intellectual property such as patents and trade secrets.

In every data breach, a wide range of possible risks

Data breaches pose a number of potential risks to digital media companies, some common across various sorts of businesses and others associated with specific industries. Among other things, digital media companies could face various legal and regulatory risks as a result of the exposure of customer data, including data breach notification requirements. While as yet there is no national requirement to notify consumers whose information has been compromised, most states now have some version of such laws in place.
In addition, the White House has proposed new legislation, the Personal Data Notification & Protection Act, which seeks to standardize notification requirements for companies that experience data breaches. Beyond state requirements, some digital media companies dealing with consumer health information may also be subject to the notification requirements of the federal Health Insurance Portability and Accountability Act. Digital media companies handling the data of children or students might run afoul of the Children’s Online Privacy Protection Act or U.S. Department of Education guidelines related to the privacy of student information while using online educational services. And U.S. digital media companies with consumers and users in other countries might be subject to those countries’ privacy laws and regulations, such as the European Union’s Data Protection Directive and e-Privacy Directive.

In addition to the regulatory risks, the threat of data breaches poses various other exposures for digital media companies, including financial risks associated with the loss of business or litigation, reputation risk or the risk of loss of consumer trust, the theft of proprietary information, websites being defaced or compromised by hackers, and consumers receiving fraudulent information as a result of a data breach.

What should digital media companies do?

At the heart of creating an effective cybersecurity program is the question “What data do I have and what do I do about it?” The first step is creating a data classification policy addressing which data in the company’s possession is sensitive and which is not, and what security levels are required to protect sensitive information. As important as this is, however, many companies have put off creating such policies because of the cost and effort involved.[4] This process often involves a discovery phase of identifying what type of data you have and where it resides.
Then the data (customer, employee, etc.) needs to be designated according to its sensitivity to the company. Once this is complete, the protection level for each classification level needs to be defined and agreed upon.

Once a digital media company has classified its data, here are a number of additional steps it should take to ensure that it’s securing that information effectively:

Find and face internal risks head-on

A company’s employees pose the single greatest cybersecurity risk by engaging in activities they shouldn’t, either intentionally or not. By failing to address employee-related vulnerabilities, many companies aren’t limiting access to their systems to the extent they think they are. Some common sources of data breaches include malware on an employee’s laptop, employees falling victim to phishing scams, hackers taking advantage of weak passwords, and so-called watering hole attacks. Watering hole attacks involve hackers first gathering intelligence to identify trusted websites visited regularly by employees — a local restaurant from which employees frequently order lunch, for example — then placing malicious software on the trusted site with the goal of infecting the target company’s computers on future visits.

Given the cybersecurity vulnerabilities presented by employee activities, it’s essential that well-defined user policies are clearly communicated to employees. Enhancing employee awareness of the mechanisms of malware, phishing, spear phishing and social engineering attacks, as well as continuous reinforcement of internal security policies, is critical to the creation of an effective security culture. The most security-conscious companies employ continuous vulnerability scanning and resiliency testing tools to shed light on existing vulnerabilities.
Barring major investments in automated tools, small steps, such as encouraging employees to call out insecure practices by their coworkers (e.g., leaving desktop computers logged in and unattended, using unencrypted wireless while working, unregulated bring-your-own-device policies, poor coding practices), can go a long way toward embedding a security-conscious culture.

Fix what you know is broken

Most cyberattacks over the past two years have involved previously targeted vulnerabilities or weak passwords. Obviously, companies should patch identified vulnerabilities, require the use of strong passwords and consider enforcing two-factor authentication for administrative-level access, in addition to conducting regular vulnerability scans. For smaller companies with limited resources, there should be a regular program of scanning for vulnerabilities and patching those discovered, even if they do nothing else. Digital media businesses also should consider implementing two-factor authentication, as well as encouraging consumers to use strong passwords and familiarize themselves with privacy/security settings, where appropriate.

Stay on top of vendors

Digital media companies must also address third-party exposures. Vendor management is a risk for all businesses and, like others, digital media companies should understand from a risk perspective what every vendor is doing and whether they’re taking adequate steps to protect data. Companies should ensure that vendors who might handle their data are contractually obligated to protect it at the levels required, and that those vendors are obtaining the appropriate data security reports and independent reviews (such as PCI DSS, SOC 2 reports or ISO 27001) as appropriate.
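The "Fix what you know is broken" step above calls for a regular program of scanning and patching, and the "Strive for continuous improvement" section later in the article proposes time to patch after first discovery as a key performance indicator. The following Python is an added example, not code from the original article or from any scanner vendor, showing how that indicator can be computed from scan findings. The findings, host names, finding names, dates and per-severity remediation targets are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample data for this example. Field names, host names, finding
# names and dates are illustrative assumptions, not output of any real scanner.
@dataclass
class Finding:
    host: str
    name: str
    severity: str                    # "critical", "high", "medium" or "low"
    discovered: datetime             # first seen by the scanner
    remediated: Optional[datetime]   # None while the finding is still open

SAMPLE_FINDINGS = [
    Finding("web-01", "outdated-openssl", "critical", datetime(2015, 3, 2), datetime(2015, 3, 4)),
    Finding("web-02", "outdated-openssl", "critical", datetime(2015, 3, 2), datetime(2015, 3, 9)),
    Finding("db-01", "weak-ssh-ciphers", "high", datetime(2015, 3, 5), datetime(2015, 3, 20)),
    Finding("cms-01", "cms-plugin-xss", "high", datetime(2015, 3, 10), None),
    Finding("cms-01", "missing-hsts", "medium", datetime(2015, 3, 10), datetime(2015, 3, 18)),
    Finding("laptop-17", "old-flash-player", "medium", datetime(2015, 2, 20), None),
]

# Assumed remediation targets in days per severity. This is an internal policy
# choice made up for the example, not a requirement of PCI DSS or any standard.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}

# The "as of" date for the report, fixed so the example is reproducible.
AS_OF = datetime(2015, 3, 25)


def days_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 86400


def time_to_patch_report(findings, as_of: datetime) -> dict:
    """Per-severity KPIs: how many findings were closed, the median days from
    discovery to remediation, how many of those met the target, how many are
    still open, and how many open findings are already past the target."""
    report = {}
    for sev, target in SLA_DAYS.items():
        closed_days = [days_between(f.discovered, f.remediated)
                       for f in findings
                       if f.severity == sev and f.remediated is not None]
        still_open = [f for f in findings
                      if f.severity == sev and f.remediated is None]
        overdue = [f for f in still_open
                   if days_between(f.discovered, as_of) > target]
        report[sev] = {
            "closed": len(closed_days),
            "median_days_to_patch": median(closed_days) if closed_days else None,
            "closed_within_target": sum(1 for d in closed_days if d <= target),
            "open": len(still_open),
            "open_past_target": len(overdue),
        }
    return report


def overdue_findings(findings, as_of: datetime):
    """List the open findings that have exceeded their severity's target,
    oldest first, so they can be raised at the weekly status meeting."""
    late = [f for f in findings
            if f.remediated is None
            and days_between(f.discovered, as_of) > SLA_DAYS[f.severity]]
    return sorted(late, key=lambda f: f.discovered)


if __name__ == "__main__":
    for sev, row in time_to_patch_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{sev:8s} {row}")
    for f in overdue_findings(SAMPLE_FINDINGS, AS_OF):
        age = days_between(f.discovered, AS_OF)
        print(f"OVERDUE {f.host} {f.name} ({f.severity}) open {age:.0f} days")
```

The report separates the median time to patch (how fast the program works when it works) from the count of open findings past their target (the backlog that actually carries risk), because a good median can hide a few long-lived exposures; the overdue list is what a weekly status meeting would review.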
Make cybersecurity everyone’s responsibility

While placing responsibility for the cybersecurity program with a chief information security officer is ideal, for many smaller digital media companies ultimate responsibility often resides with the IT director. Ultimately, though, everyone at a digital media company should be involved in the cybersecurity effort. A good guide is the National Institute of Standards and Technology’s cybersecurity framework,[5] which suggests that cybersecurity responsibility should be clearly defined across the organization, with each department understanding its responsibility and having been trained accordingly. Generally, digital media businesses should review their cybersecurity programs annually, examining the program from a number of angles. Meanwhile, vulnerability management should be conducted continuously.

Strive for continuous improvement

With a cybersecurity program in place, there are a number of ways a digital media company can gauge its effectiveness and identify areas needing improvement. Regular audits can provide valuable information about a cybersecurity program, and digital media companies should take the suggestions of independent auditors to heart. Digital media businesses can also include security measures among their key performance indicators, tracking such things as time to patch vulnerabilities after they’re first discovered, findings from weekly cybersecurity status meetings, the time it takes the business to respond to a data security situation like a stolen laptop, and the number of viruses detected per week.

Cybersecurity in practice

Netflix created a tool called Chaos Monkey to test the resilience and recoverability of its Amazon Web Services (AWS) cloud operations. Chaos Monkey randomly creates failures in the Netflix AWS architecture to test the company’s ability to respond to the outages.
In 2012, Netflix released Chaos Monkey into the wild, making the source code available to others interested in using it to test their own system resilience and recoverability.

The benefits of proactive cybersecurity — for digital media companies, the time to act is now

For digital media companies, the potential benefits of a proactive cybersecurity program are numerous. One is simply outrunning the bear, or at least competitors that are less prepared to deal with cybersecurity threats; by taking a proactive approach to cybersecurity, you are able to demonstrate effectively to customers and other parties that you understand the seriousness of your responsibility for protecting their data. This, in turn, can translate to a market advantage through a mature cybersecurity program and the audits to back it up.

An effective cybersecurity program also can be an asset if you’re looking to sell your business, while the lack of such a program might raise troublesome issues as potential buyers conduct their due diligence. If a data breach does occur, having a practiced set of processes that facilitate a rapid response can certainly help limit damage (see “What to do after a data breach” sidebar). In the event of a breach, a solid cybersecurity plan also puts you in a much better position with regulators, customers and other stakeholders looking to assign blame.

Given the importance of consumer data and trust to their businesses, digital media firms must put sound cybersecurity programs in place if they are to succeed. Those programs are best established early in a digital media company’s life, when they can be created at lower cost, grow with the company and become part of its strategic thinking.
While the potential consequences of failing to craft an effective cybersecurity program can be significant — even catastrophic — for a digital media company, proper emphasis on data security can provide a source of competitive advantage.

What to do after a data breach

For digital media companies, as with those in other businesses, it’s just a matter of time until a data breach occurs, whether the company realizes it or not. To minimize the fallout, organizations need to prepare their data breach response in advance. Companies should have a detailed data breach response plan in place, identifying the key players in that response and establishing their responsibilities. Once the plan is in place, the company must train employees and test the plan regularly, making adjustments as needed. When a breach does occur, digital media companies should do the following:

- Notify the proper authorities, such as the FBI and others appropriate to your industry.
- Don’t make immediate changes to your systems — allow yourself time to determine exactly what happened and how the attack occurred.
- Secure system logs — hackers will often try to alter them to cover their tracks. Preserve evidence.
- Involve your public relations team, because the event may well draw both news and social media attention.
- Advise the public of the steps you have taken to prevent a data breach and the steps you’re taking to address it, and assure them you’re taking further action to prevent future breaches.
- Take advantage of existing incident response resources and guidance addressing such areas as business continuity and data security.

Contacts

Steven Perkins, Managing Director, Technology Industry Practice, T +1 703 637 2830
Orus Dearman, Director, Business Advisory Services, T +1 415 318 2240

[1] Kaspersky Lab. IT Risk Survey 2014: A Business Approach to Managing Data Security Risks, 2014. See www.kaspersky.com for details.
[2] Olivarez-Giles, Nathan. “Snapchat Data Breach Exposes Millions of Names, Phone Numbers,” The Wall Street Journal, Jan. 1, 2014. See www.wsj.com for details.
[3] Verizon. Verizon 2015 PCI Compliance Report, 2015.
[4] For more insight, see Skip Westfall’s article, “Unprepared Organizations Pay More for Cyberattacks,” originally published in Grant Thornton’s CorporateGovernor newsletter on Feb. 4, 2015.
[5] Created through collaboration between industry and government, the Framework for Improving Critical Infrastructure Cybersecurity consists of standards, guidelines and practices to promote the protection of critical infrastructure.