18 Dec Why Media Production is a Cyber Attack Target in 2018
If 2017 proved one thing, it is that there is no limit to the incompetence of companies in protecting the data they store, even if their own existence depends on it.
As one US Congressman told the ex-CEO of credit reference agency, Equifax, “I don’t think we can pass a law that fixes stupid.” That was in response to a vast data breach caused, according to the company, by one person’s failure to tell anyone that an essential software program needed to be updated.
But the tide is turning. There is a growing corporate awareness that this type of failure – and the sort of extraordinarily inept response demonstrated by Equifax – are not acceptable.
In the EU, the enforcement from next May of the General Data Protection Regulation will provide more appropriate punishments for anyone who fails to protect the personal data of EU residents. And those penalties will extend to the world as a whole.
Fines of up to €20M or 4% of a group’s annual turnover will certainly help to concentrate minds – but they are not the key element of the new regulation.
Regulators have signalled that they will not start handing out swingeing penalties the moment the GDPR comes into force. But they will look for evidence that companies have put information security and data protection at the heart of their operations.
When we talk to businesses about how to do this, we describe a process of building digital security into the fabric of the organisation. This type of security affects us all, both at work and at home, so it makes obvious sense to make it part of our everyday conversations. Every week throws up amusing, terrifying, ludicrous examples that provide conversation starters!
That ongoing discussion is essential because of the constantly evolving nature of threats and how to respond to them. Information Security and Data Protection really are a journey, not a destination, and it’s essential that everyone is part of that process.
But we recognise how challenging this may seem, especially for organisations which do not have a dedicated Information Security team. In many instances, we have found a completely understandable tendency to rely on the strength of numbers and assume attackers will focus on larger targets.
Doubtless, a small but successful audio post house in Los Angeles didn’t expect to wake up last Christmas to find themselves held to ransom over the latest series of ‘Orange is the New Black’.
The reality is that the interlinked nature of modern business means that everyone is a target and that’s especially true in media production.
We will see more such attacks in 2018 – and we will see the theft of more tools to enable them to take place. Just as organisations have proved incapable of protecting the data they possess, so governments have failed to stop cyber weapons leaking into the open.
This makes it inevitable that there will be more incidents like the WannaCry ransomware attack. It is now too easy to rent the tools to launch attacks (termed “Crime as a Service”, or CaaS). This means no technical expertise is required to become a cyber criminal. The money that can be earned makes it certain this trend will continue to grow.
In the face of threats, it’s essential to remember that we can blunt the edge of such attacks. Both as individuals and businesses, we must focus on the basics and make sure they’re done right. 100% Information Security may be unattainable but it is absolutely possible to reduce radically the threats we face.
This does not involve huge investment, either in time or technology. It does mean making Information Security a key objective for the business so that there is a firm foundation formed of user awareness, effective data and hardware management, and realistic governance.
Governments offer free but valuable advice on how to do this. In the UK, the National Cyber Security Centre produces a comprehensive guide for small businesses. The US equivalent does likewise. These resources are very effective in making information security manageable while recognising that it can seem daunting (in this, the UK is rather more successful than the US).
In our own courses, we have an absolute ban on jargon – to the extent that we put £20 on the table and invite participants to fine us if we use terms that aren’t explained or understood. We know talking clearly and simply about information security works because people tell us so.
2018 will be challenging because there are too many tools and too much information available to target us at work and at home. But, by focusing on the basics, we have the power to reduce the effectiveness of such attacks. The real challenge for 2018 is to make sure we use that power.
If you would like to learn more about cyber security and the steps you need to take, please register for our Cyber Awareness training.
*This article is written by Martin Turner, Managing Director of Full Frame Technology.