In the past decade, media houses have embraced digital technologies that help them create and deliver news and information in innovative and compelling ways. In fact, it’s not a stretch to say that the digital revolution has fundamentally changed every aspect of media companies’ business and technology. With more consumers relying on the internet for their news and information consumption, media houses are tasked with providing a flawless user experience and continuous content delivery.

However, increasing reliance on digital technologies also opens up significant new risks that can impact the security and safety of journalists and reporters working as part of the media house. It also risks the content, data and business systems and can compromise any customer data that they may have for subscription-based monetization. If these risks are not mitigated, they represent a true existential threat to the media houses. The fact is, new and unfamiliar risks, combined with a spate of security breaches, have made security a board-level issue but what should have been a major focus for many companies’ senior leadership does not seem to have received its due attention from many media houses.

It’s more critical than ever for media houses to step up their efforts to safeguard their digital assets with a new, holistic approach to security that’s tailored to the unique context in which the companies operate. The policies must also keep pace with the ever-growing frequency and sophistication of attacks. Doing so is vital to not only their competitiveness, but also to their very survival.

In an report, Deloitte provides three case studies to understand the impact cyber attacks can have on media houses[1]. The report highlights that the online media industry is unique such that the sector itself can serve as a vector for launching attacks, due to the large number of people who use its services. They have also cited an example of this, which is the “watering hole” attack, in which hackers breach a popular website and then use it as a delivery platform for malware. The table below shows what the malware attack can look like.

News website is the launch pad for a banking malware outbreak

 

Organization

A company hosting a news website that ranks in the top 20 of most visited websites within the country it serves.

Scenario

Attackers used the website as a platform to spread malware. They established this by gaining access to a third-party advertisement system, which they then used to place infected advertisements on the news website. When clicked, the infected ads checked the user’s software version, and when a vulnerable version was found installed malware on the victim’s computer that would hijack banking transactions and steal card payment information.

Attackers and motivation

The complexity of the attacks and use of banking malware strongly suggest an organized crime group out for financial gain.

Techniques used

This attack used malware specifically designed to steal money from online banking users in the country where the website is hosted. How the attackers obtained the credentials to the third-party systems that distribute advertisements is not known, but once they gained access, it’s clear they used infected advertorials to spread the malware.

Business impact

As the launch pad for a large outbreak of banking malware, the organization’s reputation took a big hit. Also, since the organization makes almost all of its money from online media, its number one priority and challenge was to restore readers’ and advertisers’ trust in online advertisements.

[1] https://www2.deloitte.com/ba/en/pages/risk/articles/Online-media.html

To mitigate such risks, the media house must organise online safety workshops with their IT staff and journalists, particularly those who work on web desk and social media, in order to equip them with the tools and resources that they can use to keep themselves as well as their organisation safe from such attacks. Media houses can also engage digital security experts to guide and recommend policies to secure their communications and systems. The experts are dedicated to finding weak points in security systems and how they can come under attack while also recommending solutions and policies. The experts review the current overall cyber security strategy using their unique experience to ensure that it is fully aligned to the business risk appetite and threat profile of the company.