On April 5, 2015, Yves Bigot, the director-general of TV5Monde, was in the midst of a dinner with a fellow broadcaster, celebrating the launch of his company’s latest channel, when he received an unexpected volley of messages. All twelve TV5Monde channels were knocked off-air. A massive cyberattack was underway, infecting the stations’ equipment in rapid succession. If top technical staff had not been on site working to handle the new channel launch, and had they not acted quickly to unplug the source of the infection, TV5Monde might have lost all of its satellite distribution contracts due to the outage, placing the entire company in jeopardy.
Although few broadcasters have experienced a TV5Monde-level of attack, a host of entertainment companies, including Sony, Netflix and HBO, have also suffered at the hands of hackers. Odds are that an equally if not more devastating attack will hit another broadcast organization.
Broadcasters are just as vulnerable to cyberattacks and malware infections as any other business, government, or non-profit organization in the world. Virtually no aspect of radio, TV station, network operations is truly isolated from the internet. Every broadcaster has a host of digital connections with suppliers, customers, and audiences.
That’s why I’m gratified to have worked with the National Association of Broadcasters and a team of subject matter experts in the broadcasting industry over the past two years to create eight online courses that seek to equip broadcasters with the tools they need to create more secure workplaces. NAB will soon launch this series of vital courses on cybersecurity for broadcasters, starting with the first two, one of which walks broadcast managers and executives through the essential cybersecurity knowledge and skills they need. (The other course is designed to help the overall workforce adopt better cybersecurity habits.)
As nice as it would be to have a checklist of cybersecurity items to tick off and then be “one and done,” cybersecurity is an ongoing, ever-challenging fact of everyone’s life. There are no easy solutions, magic bullets, or single technology to keep your organization safe.
There are, however, sensible steps you can take as an executive to help guide your organization to practices that better protect your business and employees. here are just a few rules of the road covered in one of the two NAB courses launching this week that should help your organization find a better security posture.
1. Know Your Threat Landscape
It’s important for you to understand the current biggest cybersecurity threats to your organization, known in security circles as the threat landscape. Although your circumstances may differ, here are three top threats most broadcasters face:
Malware: All kinds of malware can infiltrate a broadcast organization’s assets. Ransomware is currently a constant battle for most broadcasters, but there are all kinds viruses, trojans, worms, backdoors, and spyware that can infiltrate your systems. It’s important to understand the different kinds of malware threats you face. According to research by AT&T, around 90% of all organizations in the U.S. experience a malware-related incident every year. The vast majority of malware finds its way into an organization from the actions of insiders. Most of these insiders were unaware that they brought malware in-house, having innocently clicked on maliciously crafted emails, or downloaded bad programs from the internet, or inserted a contaminated USB stick.
Advanced Persistent Threats: APTs or Advanced persistent threats are sophisticated threats from nation-states or organized cybercrime rings and typically take place silently and undetected for extended periods of time, sometimes even years.
The TV5Monde attackers, Russia’s APT28 group (the same group that hacked the Democrats during the 2016 election), had mapped out the computer networks and digital production systems that ran TV5Monde’s operations well in advance of the stations’ blackout. Experts speculate that the data obtained from this mapping required teams of telecommunications engineers, skilled coders, and expert tacticians to interpret the information and carry out the attack.
DDoS Attacks: DDoS attacks or distributed denial of service attacks are not terribly sophisticated threats but can shut down operations if not dealt with properly. According to AT&T 2016 research, 73% of organizations around the world have reported at least one DDoS attack.
2. Steer Your Organization to Risk-Based Management Approaches to Cybersecurity
Risk-based management involves understanding, analyzing, addressing, and communicating risks to ensure that your organization achieves its desired objectives. It is the practice of looking at what could go wrong and coming up with plans to minimize potential problems. Managing risks is a difficult, ongoing, and multivariable process that often requires the input of virtually every part of an organization’s operations. It is not easy to do but when it comes to cybersecurity, experts agree it is essential.
The most important guidepost when it comes to risk-based management of cybersecurity is the Framework for Improving Critical Infrastructure Cybersecurity, produced by the National Institute of Standards and Technology (NIST). The NIST Framework delves extensively into many different aspects of cyber risk management.
While most non-technical broadcast managers and executives don’t need to dive into the Framework on a practical or comprehensive basis, it is very useful to understand the high points of the Framework to better guide your organization’s cybersecurity strategy. It is also a handy tool in understanding emerging cybersecurity insurance policies, negotiating with outside vendors, and communicating with outside stakeholders – the press, government and citizen groups – when cybersecurity incidents do occur.
3. Protect and Secure Personal Data
Although many broadcasters don’t fully see themselves as being in the personal data collection game, all broadcasters maintain some personal data within their organizations, even if only employee and contractor personal data. But as broadcasters increasingly push into expanded digital platforms such as mobile apps, streaming audio, streaming video, and dedicated websites, more and more personal data become part of the broadcast business world.
Moreover, the new ATSC 3.0 standard supports the ability to collect private data with the dedicated return channel from other backchannels, such as the Internet. Finally, the growing delivery of broadcaster content over smart TVs means that broadcasters will have to manage even more personal data.
Senior organization executives are increasingly held responsible for protecting the privacy of the personal information retained by organizations. The steps managers, executives, and other leaders take to ensure privacy protection can be greatly aided by how data privacy and security practices are treated within the organization’s risk-based cybersecurity practices, as exemplified by the NIST Cybersecurity Framework and another important NIST framework, the Risk Management Framework.
Furthermore, regulatory requirements to protect personal data are ramping up across the globe, with the changes likely affecting your organization. Chief among these regulatory shifts is the European Union’s General Data Privacy Regulation (GDPR). The GDPR not only applies to organizations in the EU but also to organizations outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
4. Foster a Culture of Cybersecurity
Perhaps the single most important role a manager or executive can fill when it comes to cybersecurity is fostering a culture that favors secure operations, making the integrity and ongoing reliability of operations a priority on par with financial targets. Although the technical difficulties and costs of implementing security can seem less important than achieving near-term business goals, bear in mind how quickly a severe cyberattack can threaten revenues, spike expenses, and expose broadcasters to long-term liabilities.
According to the Ponemon Institute, the average price for small businesses to clean up after a cyberattack stands at $690,000. For medium-sized companies, that cost rises to over $1 million. For large organizations, the cost of a severe cyberattack can even reach tens of millions.
Fostering a culture of cybersecurity covers a wide canvas of management support techniques and activities, including
- Prioritize cybersecurity outside of IT roles by bringing IT and cybersecurity experts into business conversations from the outset.
- Establish a culture of personal integrity and reliability by establishing acceptable use policies and guidelines, creating a safe environment for employees to self-report security incidents free from negative ramifications, communicating consistently across the organization about the need for security integrity, and rewarding and empowering employees for identifying security issues.
- Support awareness and training programs because poorly educated employees can be one of the biggest threats. Therefore, enhancing cyber awareness among employees can be one of the best defenses any organization has.
- Establish the right metrics to track effectiveness of cybersecurity efforts because if you don’t, you might end up continually make the same mistakes.
5. Evaluate New Technologies for Cybersecurity When Building Budgets
As threats rise, evolve, mutate, expand and recede, a good cybersecurity culture accommodates flexibility in drawing up new technology and purchasing contingency plans in shorter windows than most managers and executives have experienced in the past.
6. Support Investment in Necessary Cybersecurity Tools
If it isn’t already, cybersecurity spending should be part of any broadcaster’s yearly cost management process. When drawing up budgets, it’s most helpful to prioritize investments in the tools that ensure greater information security even though the expenditures may not enhance the bottom line in the short-term.
7. Prepare for the Threats Ahead
The greatest unknown - and the biggest threat to security - is the introduction of new technology. For broadcasters, the biggest technology shifts also radically increase the “attack surface” or areas where hackers can infiltrate your systems and assets. It’s important to build in cybersecurity protections as your organization embraces the Internet of things, cloud migration, and the integration of multiple screens for content and services.
TV5Monde had a lot of clean-up to do after its devastating cyberattack. Weeks went by before the company was able to transmit anything other than pre-recorded programming due to the massive damage caused by the attack. TV5Monde incurred 10 million euros (or nearly $11 million) in immediate unanticipated costs and likely lost even more in unrealized revenue. Hindsight is of course 20/20, but it’s possible had TV5Monde followed these and other crucial cybersecurity steps, they might have dodged some of the more catastrophic aspects of this unprecedented attack.
To learn more about these and other ideas and practices that broadcast executives can put into place for better cybersecurity management, check out NAB’s course “Broadcast Executive Guide to Cybersecurity” here.
For those interested in a written companion to this course, please visit https://metacurity.com/essential-reports/.
Cynthia Brumfield, president of DCT Associates, is a veteran media, communications and technology analyst who is now focused almost exclusively on the emerging field of information security, writing extensively about the topic for publications, clients and on her own cybersecurity news aggregation site Metacurity.com.