Journalists, be afraid. Be very afraid. You are targets for cyber criminals who want to steal your personal identities. In fact, you are the prime access points for these so-called hacktivists, who will use your compromised account information to infiltrate your network and attempt to control your media company’s editorial voice.
A recent PricewaterhouseCoopers (PwC) report on security and the media industry states that, “Employees pose the single greatest cybersecurity risk through malware, phishing, weak passwords and social engineering attacks.” At the same time, an independent study by software research group Kaspersky Lab found that 42 percent of media companies were hacked in 2015. And our own study of 110 global news media company executives found that 53 percent had been attacked since the beginning of 2014.
Everyone at a digital media company should be responsible for cybersecurity. Journalists are particularly at risk because much of your work is done outside the office, away from the watchful eyes of the IT shepherds who safeguard your internal network infrastructure. The same could be said for ad salespeople, dealer managers and others in your organization who conduct business in the community. With this in mind, here are three key steps that every news media employee can take to guard against cyber-attacks while at work, on the road, and at home.
Get Serious About $7RONG P@55WORDS
The PwC media industry report notes that, “Most cyberattacks against this industry involve previously targeted vulnerabilities or weak passwords.” Recent breaches against news media companies in the United States, Canada, Brazil and the United Kingdom were all traced back to compromised email addresses and passwords of registered users.
At the risk of over-generalizing, Carnegie Mellon University found that college graduates with degrees in computer science, engineering and technology use considerably stronger passwords than graduates with degrees in business, humanities, communications and arts. As a result, an experienced hacker could decipher 124 business passwords for every 68 computer science passwords.
So, avoid passwords with your pet’s name, your child’s name, significant dates (birthday or anniversary), your birthplace, or even your favorite sports team. All these can be determined from information that’s publicly available or gleaned from your blog postings and social media profiles. Of course, you should also avoid “12345”, “123456”, “password”, and “qwerty”, which rank among the top ten most common user passwords.
Software companies like Google, Microsoft and Adobe recommend that strong passwords should be constructed from phrases that are easy for you to recall. Substitute numbers and symbols for letters or words in an easy-to-remember phrase. Examples might be “ILuv2PlayB@seb@ll” or “1Forrest1” or some derivative of your favorite song lyrics.
Finally, Google offers this common sense advice on how to remember your password while also keeping it secure: “Don’t leave notes with your passwords to various sites on your computer or desk. People can easily steal this information and use it to compromise your account. If you decide to save your passwords in a file on your computer, create a unique name for the file – not ‘my password’ – so people don’t know what’s inside.”
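The password rules in this section can be checked mechanically. The following is an added example, not part of the original article: it flags the common passwords named above and any password built from personal details, even after number-and-symbol substitutions are undone. The substitution map, the sample profile and the function names are assumptions made for illustration.

```python
import re
from datetime import date

# The four passwords the article lists among the most common.
COMMON = {"12345", "123456", "password", "qwerty"}

# Number/symbol-for-letter swaps of the kind the article describes.
# Assumption: this map is a small illustrative set, not a complete one.
SWAPS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "5": "s", "$": "s", "7": "t"})


def normalise(text):
    """Lower-case, undo the swaps above, and drop everything but letters/digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(SWAPS))


def audit_password(password, personal_words=(), personal_dates=()):
    """Return the reasons a password breaks the article's rules ([] = none found)."""
    findings = []
    plain = normalise(password)
    if password.lower() in COMMON or plain in COMMON:
        findings.append("common password")
    for word in personal_words:
        token = normalise(word)
        # Very short tokens would match by accident, so skip them.
        if len(token) >= 3 and token in plain:
            findings.append("personal word: " + word)
    # Dates are matched on the raw digits, after removing date separators.
    digit_runs = re.findall(r"\d+", re.sub(r"[\s/.\-]", "", password))
    for d in personal_dates:
        forms = (d.strftime("%Y"), d.strftime("%m%d"), d.strftime("%d%m"))
        if any(form in run for form in forms for run in digit_runs):
            findings.append("personal date: " + d.isoformat())
    return findings


# Constructed sample profile: details a public bio or social feed might reveal.
WORDS = ["Rex", "Red Sox", "Boston"]
DATES = [date(1984, 6, 21)]

if __name__ == "__main__":
    for candidate in ["P@55w0rd", "R3x!2106", "B0st0n-R3d$ox", "ILuv2PlayB@seb@ll"]:
        print(candidate, "->", audit_password(candidate, WORDS, DATES) or "no finding")
```

An empty result only means none of these specific rules fired; it is not a measure of overall password strength.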
No Five-Second Rule for USB Drives
In October 2015, researchers from IT industry association CompTIA conducted a “USB Drop” social experiment across several major US cities. A total of 200 unbranded USB drives were dropped in high-traffic public spaces such as airports, coffee shops and business districts. Each USB stick was preprogrammed with a trackable link, enabling the researchers to determine that a whopping 18 percent of people who picked up the USB drives plugged them into their devices and clicked on the link.
In other words, according to Infosecurity Magazine, “Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer.”
USB drives are ideal vehicles for malware and hacktivists. Because most anti-virus programs do not scan the actual firmware of a USB device, malware payloads cannot be easily detected. When you plug an infected USB drive into a computer, the hacker can track keystrokes, steal information, and even gain access to critical data stored on your company’s servers. The simple solution here is to run a complete scan – firmware and memory – on every USB device before connecting it to your computer.
USB drives are also notoriously easy to lose or misplace. Sensitive files, notes, sources and contact information can fall into the wrong hands. Again, there is a simple way to guard your USB drives from potential threat. Every PC or Macintosh computer has a built-in function to encrypt a USB drive. You can access these encryption options by right-clicking (Windows) or from the Finder (Macintosh). In both cases, you will be able to assign a secure password to your USB device, which protects the data on the drive if it’s lost or stolen.
Consider a New Web Browser
As a journalist, you often do your job in open places, where public Wi-Fi connections and roving eyes abound. You rely on your browser software to access critical information on the road, just as you do while in the office or at home. The most popular browsers – including Internet Explorer, Chrome and Firefox – all claim to be secure because they offer a “privacy mode” option and because you can tweak the settings to increase or decrease security levels.
At the same time, the popularity of these browsers makes them perfect targets for cyber-attackers. Hackers and cybercriminals, for example, recently exposed flaws in Microsoft’s Internet Explorer to penetrate computers by discovering what kinds of security software they are running.
You might consider switching to one of the newer – less common – browsers, most of which are available at no cost to download and use. They include Tor (torproject.org), Epic (epicbrowser.com), Dragon (comodo.com), and Dooble (dooble.sourceforge.net).
Each of these products takes a minimalist approach to web browsing, where features are stripped out or turned off by default in order to maximize privacy. Cookies and trackers are automatically removed after each session, and no information is collected about each user. Ads are blocked and browser history is disabled by default. All searches are also proxied through private servers, which means there is no way for a hacker to grab your IP address when searching. For journalists who spend a lot of time in locales where there are open Wi-Fi connections, these new browsers give top priority to finding secure SSL connections wherever possible.
If you’re not ready to give up your favorite browser, there are also extensions available for Chrome, Firefox, etc. to provide security features that go beyond what’s available in the core software. HTTPS Everywhere (eff.org), for example, is a browser plug-in that automatically enforces SSL security whenever you attempt a Wi-Fi connection. It also helps to ensure that you will not be inadvertently redirected to non-HTTPS pages during your browser session.
Another option – especially for journalists who are not able to connect to their home servers via VPNs or firewalls – is to install an app that monitors network activity against potential hackers. One such application is Little Snitch, which provides automatic, behind-the-scenes protection against activities that attempt to connect you to outside servers without your knowledge. Little Snitch (obdev.at) is smart enough to know which of your connections are known and trusted, and which ones are potentially fraudulent. If a hacker attempts to penetrate your Mac or PC laptop, Little Snitch will immediately stop the connection and warn you of the possible breach.
In closing, please notice what global auditing and advisory firm Grant Thornton said in their own 2015 independent study on cybersecurity and the media industry: “Most companies have not yet made cybersecurity part of their corporate cultures. Information protection must be everyone’s responsibility. After all, data security at your company is only as strong as the weakest link in the chain.”
Over 60 percent of all news media companies we surveyed predicted a cyberattack on their business is likely to occur in 2016. It’s important to remember that every journalist is the first line of defense against those who would seek to silence or control your editorial voice.
With this in mind, consider the three examples above as quick wins that every journalist can implement right away. We’d love to get your comments on any other tips and tactics you are using to help ensure your own personal cybersecurity.