- Tools & Templates
- Security Jobs
- Data Protection
- Identity & Access
- Business Continuity
- Physical Security
- Security Leadership
Why media companies stink at security
Recent attacks on the New York Times and other papers reveal a security weakness I'm all too familiar with.
I've been following the recent attacks on The New York Times and other newspapers with much interest in recent days. It's yet another snapshot of how much trouble China will continue to be in the years to come and elevates the discussion on state-sponsored cyber attacks to new levels. But as someone who has worked in the media for almost 20 years, I'm interested in this story because it exposes an uncomfortable truth I've actually known about for some time:
When it comes to security, few industries are worse off than the media.
I'm not talking about the IT security departments at these companies. In the case of the NYT, I think the security team did an excellent job at getting a handle on the situation and fighting back. No, I'm talking about the newsroom culture and the dangers reporters and editors ignore in their pursuit of content. I admit straightaway that I'm guilty of being part of it over the years.
The second story I link to in the sidebar above notes that security vendors need to do a better job to protect private enterprise from state-sponsored attacks. But in the case of the media, it's not quite that simple.
Like the halls of academia, media organizations are all about the free flow of information. Editors and reporters are always trying to access photos, video and documents for the stories they're working on. For someone under a newspaper deadline who needs to acquire a picture some bystander took from their cell phone at the scene of a fire or shooting, the overriding concern is to get a copy of the picture, which usually comes in as an email attachment.
Those of us who focus on information security can see the danger straightaway: Attachments like that are easily infected with malicious code along the way, and downloading it puts the newspaper at risk for a nasty network infection and data breach. In that regard, I agree with the story above. Simple AV and firewalls no longer cut it.
About now you're thinking that I'm off target, that this isn't about infected email attachments. It's about Advanced Persistent Threats (APTs) and the need to improve defenses against that. But the point is the same: Whether it's a simple run-of-the-mill infection or massive attacks, media professionals are going to be more resistant to tighter security than banks and government agencies. And we've seen how lousy security is in those government agencies.
For media organizations to deal with these attacks more effectively, a change in attitude is required.
I'm not saying they abandon the get-the-information-at-all-costs mindset. I am suggesting reporters and editors can be made more aware of the dangers that come with their craft. They need better security tools to watch for infected data to be sure. But they also need to reach a point where they're always thinking about the potential malware hiding in the information flowing into their newsrooms.
With better awareness and understanding of how security threats and defensive measures work, I think news organizations can find an acceptable balance between the need for information access and the need to protect its systems.
Thanks to cloud computing, your business data is everywhere and being accessed by everyone. Making the wrong decision to protect your data can result in high costs, increased risk and executive exposure. View this live webinar on cloud security and the evolving data center, and learn why a data-centric approach to security is the best bet for today's virtual environment.
- Prevent Mobile Devices from Loading Dangerous Code
- Expanding Your Security Perimeter: Common Sense for Navigating Today's Threat Landscape
- Continuous Monitoring and Mitigation -- the New InfoSec Frontier
- RSA Security Analytics Case Study
- VMware Cloud Credits Program
- Insights from the 2013 IBM Chief Information Security Officer Assessment
- Cloud-based Cyber Security: A Hybrid Approach to Threat Detection and DDoS Mitigation IDC Technology Spotlight
- How Identity and Access Intelligence Will Revolutionize IAM
- Leveraging Managed Security Services to Fight Growing Cybersecurity Threats
- Global IT Trends: IT Outsourcing Fuels Business Growth
- Defending Against Increasingly Sophisticated Cyber Attacks
- Rethinking Your Enterprise Security - Critical Priorities to Consider