Businesses around the world are increasingly under threat from cyberattacks, and the news media industry is especially vulnerable. In a recent global survey of media IT executives, more than 50 percent reported experiencing a cyberattack or data breach within the past two years.
The October 2015 study, conducted by NEWSCYCLE Solutions, surveyed 110 senior technology managers, CTOs, CIOs, and IT directors working at newspapers and online news publishing companies throughout the world. The survey found that 52 percent of news media companies were hacked or suffered a data breach since the beginning of 2014. Another 12 percent were not certain if their businesses had been attacked or compromised, while 37 percent suffered no attacks.
The most common type of cyberattack reported is phishing (59 percent), followed by malware (51 percent) and Distributed Denial of Service attacks (49 percent).
Distributed Denial of Service (DDoS) attacks pose a particular concern to news media companies as so-called hacktivists attempt to take over media websites for political purposes. DDoS attacks are also frequently used to mask or divert attention from other malicious activity. The survey results are consistent with an extensive 2014 Kaspersky Lab study, which found that 42 percent of media companies experienced some form of DDoS attack within the past 12 months.
Other types of cyberattacks reported by IT executives in the NEWSCYCLE survey included SQL injection, ransomware (e.g. the CryptoLocker virus), and hacking of mobile sites and social media channels.
Several companies reported incidents where remote access to a user’s workstation was given to unauthorized individuals. As one respondent describes it, “We bolster our systems to prevent cyberattacks, yet we find that social engineering ploys against users will sometimes get past these systems. The user goes to a website promising a reward, or opens an email carrying an unwanted payload. This is so simple and requires no complex ‘hacking’ or insider knowledge; the users will open the door for them.”
In the face of the growing threat of cyberattack, 65 percent of respondents said that their companies have increased the focus on cybersecurity in the past six months. When asked to identify one or more factors contributing to this increased focus as a business priority, the following were cited:
- Growing concern and awareness that news media companies are targets for cyberattacks and data breaches (56 percent)
- The business has changed — more social media, more mobile, more cloud hosting, more self-service, etc. — and publishers need to be more vigilant than ever (53 percent)
- Potential loss in reputation as a result of such attacks and breaches (45 percent)
- Regulatory or compliance requirements, or pressure from financial institutions (41 percent)
- An increase in external threats within our own media company or group (35 percent)
- Financial costs associated with cyber-attacks and data breaches (31 percent)
When asked to list the types of information that are at risk, 73 percent said they are most concerned about personally identifiable information (PII) being breached or compromised. In addition, 70 percent say they are concerned about breaches in financial information or banking credentials. Hacking of subscriber and customer data is cited by 62 percent of respondents, and advertising data is listed by 39 percent. Sensitive corporate information (business plans, M&A plans, marketing data, etc.) is cited by 34 percent of respondents, and 32 percent say they are concerned about news and editorial content being compromised.
Looking forward, 59 percent of respondents predict that a cyberattack against their media company is likely or very likely to occur in 2016. Another 29 percent said that an attack was not very likely or not likely at all, while 11 percent are uncertain.
Nevertheless, 45 percent of media companies in the survey have an active data security awareness program for all employees. Another 16 percent said they are planning to implement an employee security awareness program in the future.
It was somewhat surprising to find that 39 percent of media companies surveyed do not have a security awareness program in place today. In addition, 48 percent indicate that their company does not currently employ someone whose main function is to oversee cybersecurity or information security.
This finding is again consistent with the 2014 Survey of Global IT Security Risks by Kaspersky Lab, which found that only 38 percent of media companies surveyed were actively taking DDoS countermeasures. In another 2015 study by RAM (Research and Analysis of Media), cybersecurity was not mentioned once as an “Absolutely Critical Priority” or even as a “Very Important Issue” by any of the 285 news media executives surveyed.
“Our industry is under siege,” commented one Vice President of Technology who participated in the NEWSCYCLE survey. “Ideally, we would unplug our computers from the outside world, but our business depends on the constant exchange of information between our content and our communities.”
This comment highlights the challenge for news media executives everywhere. With cyberattacks and data breaches continuing to grow in scale, sophistication and frequency, publishers must take every step possible to protect themselves from those who seek to silence their voices and steal their valuable data. But, to be successful, cybersecurity must become a board-level priority for all news media businesses. It’s a war. It’s spreading. And, every user must become part of the fight.