Ever since the internet emerged as a public information gateway, thieves and pranksters have been working to exploit it for criminal gain. Today, cyber-crime is a billion-dollar industry. The perpetrators are no longer lone wolf hackers; they are multi-national cartels who reap mega-profits. They target companies large and small across all industries, inflicting devastating damage to their reputations and bottom lines.
Just last week, Uber disclosed that it paid hackers $100,000 to conceal a data breach affecting 57 million accounts, the latest in a string of scandals and legal problems for the world’s most highly valued start-up. The ride-hailing firm said it fired its chief security officer and deputy for their roles in the breach and the cover up.
Given the existential nature of the threat, it’s surprising to find that, according to a study by NCC Group, only 13 percent of CEOs are directly responsible for managing their company’s cyber risk. Many executives assume such things are the responsibility of IT staff. When hearing of a newswire report of a high-profile cyber-crime incident, they imagine “it can’t happen here.” Unfortunately, when it comes to cyber-crime, it can happen to any company and, sooner or later, almost certainly will.
To avoid becoming yet another victim, companies need to adopt strategies and procedures that reduce risk. And it must be a top-down approach. Lower-level staff often lack the decision making and budgetary authority to set company-wide policy believing, “That’s the board’s job.”
Board members have a real incentive for taking the lead in cyber security: they may be held personally accountable for a breach. Increasingly, governments and stockholders are demanding greater accountability for security issues, considering it an integral part of the directors’ code of conduct.
Uber’s woes followed the Equifax breach that compromised the security of 143 million Americans and was similarly kept quiet for months. There is a view that the three Equifax officers could face charges for selling stock, whether knowingly or not, before the breach was disclosed.
The WannaCry ransomware attack that appeared last May infected more than 230,000 computers worldwide. The subsequent Petya and Bad Rabbit ransomware attacks produced similar consequences. Information security firm Sophos claims “Thought WannaCry was bad? You ain't seen nothing yet” and forecasts that the perpetrators’ success will embolden others and ransomware will get much worse in 2018.
Criminals who write ransomware and other malicious software are now operating what amounts to profitable franchise businesses, selling their source code to others with criminal intent. They have no lack of buyers because cyber-crime pays. Some 40% of businesses admit to paying ‘affordable’ ransoms to avoid costly downtime and negative publicity.
Executives can avoid finding themselves in a similar position by assuming greater responsibility for security policy. In the entertainment industry, studios could limit the risk of piracy and ransomware by mandating stronger and more practical security protocols. They could, for example, make funding for each film or TV production contingent on having a line item of security expenditure for measures that will be enforced. Producers and directors, who often have autonomy in running their projects, would be required to make itemised security a part of the package.
To fully protect a computer, it would need to be disconnected, switched off, placed in metal box and locked in a room. That would make it safe, but also useless. Today’s media and entertainment industry is built on collaborative workflows across many external organizations and people, consequently with many inherent points of vulnerability. Services such as localization, sound and picture editing (often through freelancers), promotional marketing and distribution, are regularly undertaken by third parties, any one of whose workflows could potentially make a breach more likely.
While trust in the selection of the workflow partner is implicit, accidents happen and, as we seem to read every day, all companies are vulnerable to a breach. Think of a valet who parks your car. You trust the valet service but without a reliable lock and alarm system on your vehicle, you are increasing the risk of theft or damage while it’s in their care.
There are a range of practical measures that help reduce the risk of cybercrime within an organization. Among the most important is the education, training and awareness of employees, including executives and the board. Encryption “at-rest” and “in-motion” have long been mandated by MPAA guidelines, but surprisingly they are not always employed. Encryption-at-rest, such as Fortium’s MediaSeal software, keeps data encrypted while it’s being worked on or stored. If protected files are accidentally distributed or hacked the content cannot be leaked.
Piracy, ransomware and other forms of cyber-crime are serious and growing problems and can potentially threaten a company’s continued viability. IBM CEO Ginni Rometty has called cyber-crime “the greatest threat to every company in the world.”
CEOs and board members need to be cognizant of the threat, treat it seriously and understand that a rigorous, top-down security strategy can help reduce risk.