Davide Del Vecchio
Group Cyber Security Senior Director - Deltatre
Even with the global cost of online crime reaching $6 trillion by 2021.
Even with 50% more cyber-attacks per week on corporate networks in 2021.
Even with the world’s most influential technology leaders claiming cybercrime to be the greatest threat to every company in the world.
…the fact of the matter is most broadcasters are woefully underprepared when it comes to protecting their businesses from cyber-attacks. And this is a big problem.
First, some scene-setting. What is the current status quo? Most broadcast entities approach online security in an equivalent manner - preventing the disruption of service. If an attacker gets through the door, keeping the lights, camera and action rolling is the number one priority.
In practice this has meant an expensive mixture of temporary, secondary, or tertiary systems or locations, multiple backups/routes, auto failover, automation, move to cloud-based platforms, and so on. Re-routing or restarting from a broken or compromised system/location/feed to another with the audience none the wiser might have worked in the past but may not be enough to deter today’s cyber bad actors.
Consider this. Many well-developed cyber-attacks today are not designed to break anything - at least permanently. The objective is frequently to delay, interrupt, interfere or subdue. And to do so temporarily or frequently in short periods, so that the broadcaster’s ability to detect and respond is limited, but the impact on content availability, monetization or performance quality is high.
If you are an attacker your aim is to create a window that you can exploit.
This is made easier by the fact that most broadcasters simply do not have a handle on what assets they have or how these can potentially be compromised when used in the field. The rapid move to automation, particularly with systems and applications deployed in cloud-based platforms, means that gains broadcasters can make through speed and flexibility are often offset by the loss of skilled intervention ability. Cyber security defence processes are often outdated and not aligned with the fast-moving threat vectors that attackers seek to exploit in broadcast environments.
It would not take an attacker too much effort to deploy a rogue Wi-Fi access point or APN (access point name) near frequently used broadcast locations or locations in remote areas to potentially access location staff devices.
Multiply this across hundreds of reporters, using thousands of pieces of equipment that are used for years and never retired. It is a hacker’s dream.
Why does all of this happen?
The reality is that most executive teams are focused on improving content impact and viewer consumption and - while they are keenly aware of increasing the resilience of their business against cyberattacks - the proliferation of attacks and breaches (according to the Digital Shadows Research Team there are 24.6 billion stolen credential pairs available for sale on the dark web, most of which were exposed in the past year) has led many to become ‘cyber-fatigued.’
This can often result in the view that cyber-attacks are a necessary cost of doing business in the modern broadcast age, and they should just stay focused on outperforming their competitors.
This is slowly starting to change but the industry has a long way still to go.
So - what is the solution to building a modern-day cybersecurity strategy? Our recommended approach is broken down into five steps.
First, accept that the default of secondary or tertiary systems/applications/routes/feed, etc. is no longer by itself fit for purpose in establishing business resilience. As the sophistication of attacks evolves, so too does the mindset of broadcasters around how to prepare for them.
Second, conduct a robust threat modelling activity. During this process, it is important to identify what kind of cyber threats are a realistic risk, how well-equipped the business is to handle them, and where gaps exist in your response plan.
Third, audit your equipment. Catalogue the technology used to run your business, what it is connected to, whether it is patched and when it needs to be retired. Banks do this incredibly well.
Fourth, introduce a level of monitoring that can differentiate between the noise and the signals. Most of the clients we work with start with just focussing on the former with a single monitoring tool. But the key to a successful cyber security response plan is being able to connect the breadcrumbs across internal platforms, the dark web, external intelligence services and SOCs to identify what may be coming around the corner.
Fifth, develop an agile response plan around a security team that sits outside of the typical organisational structure. We have seen many instances of cyber-attack where the impact has been made more severe simply by an inability to move quickly. The traditional response mechanism - build a war room, figure out what is going on, assign responsibility - just does not match the agility of a would-be hacker.
Instead, broadcasters need a Tiger Team of video engineering, specialist application developers and security professionals who are running regular training scenarios throughout the year and stand ready to respond to attacks immediately.
However this team is placed within the organisation, it should have a reporting line into the CEO/COO. This is important as it allows executive decisions to be made quickly against accurate available information. Lack of this is what former TalkTalk CEO, Dido Harding, cited as being the most significant issue in dealing with the 2015 security breach at the telecommunications company.
Success in cybersecurity requires a fundamental shift in mindset on what the modern-day threat profile looks like and investing appropriately to address what are widespread vulnerabilities in the broadcast space. Addressing these five points is a necessary first step in building business resiliency.