The media’s impact on cyber security
By Joseph Walsh
When it comes to cyber security, the media can be a friend or an enemy to an organisation that suffers an attack. Here’s how to make sure you don’t end up in the headlines.
The current state of affairs
With regard to cyber security, the media has traditionally been most interested in stories of criminal activity. It’s often reported, for example, when a huge amount of customer credit card data is stolen.
A recent report, jointly authored by the National Cyber Security Centre and the National Crime Agency, reinforces the fact that risks to businesses continue to grow, and reveals that criminals are launching more online attacks on UK businesses than ever before. It signposts emerging threats, too, such as theft from cloud storage and cryptojacking to generate crypto currencies such as Bitcoin — events that are bound to make their way into the headlines.
But we’re now seeing a shift in this focus on purely criminal activity. Sure, ransomware attacks like WannaCry and Petya are still making huge headlines, but other incidents are also featured as major news. Nation-state attacks and hacktivism are just two examples. Even the US election last year, with the planting and spreading of false media (fake news) through outlets like Facebook, could be seen as an example of a well-reported cyber scam.
Where to be wary
For the media, a story is a story, and it makes sense to always go after news that grabs the public’s attention. In some instances, the media does overplay the cyber threat — but that comes as no surprise; there’s still, after all, an unfamiliarity with cyber security. And when there’s a touch of espionage involved, it’s easy to sensationalise.
This means that you need to look at how attractive a story it would make to the media if you were to experience a breach. That way, you can plan for the eventuality and employ standard practices to make sure a breach is less likely.
If you don’t, and the media do pick up on your breach, the ramifications can be catastrophic. Just think about the attacks that happened years ago, that we still talk about today — Sony, Target, Mondelez. You don’t want that kind of negative connotation, and damage to your reputation.
The media can also be used as an unwitting threat actor. Again, look at the US election — where we know that the media was fed bad news from a variety of sources. The precise impact of this on the end result will always be unclear. But we know for sure that manufactured news stories, designed to incite a particular reaction from the public and the media, did make a difference. And this was on a huge scale, affecting the most important democratic event in the world’s most powerful country.
This same tactic could be used in the corporate world. Imagine the impact if companies started weaponising the media as a tactic to damage rivals; leaking data or emails to create a negative image of another company, for example.
You would always hope that companies wouldn’t act in this way. However, the reality is that in a globally competitive world, there is the potential for malicious conduct to take place.
How to stay secure — and out of the headlines
Today, the data most at risk could well be that which we don’t protect sufficiently. Think about that casual text from CIO to CEO about an upcoming merger. If data like this is used to manufacture negative media headlines, it would cause real damage to an organisation. So ask yourself: how do we go about securing data which, previously, we didn’t think we needed to secure, in light of the media’s power to create havoc for organisations?
It’s also important to note that there’s a dangerous line between publicly assuring customers their data is safe and saying you’re following best practice. One company at RSA last year displayed a billboard image of its device, claiming: “we can keep you safe from anything”. In reality, there is no device in the world that is that secure, except one that isn’t connected to anything. Making a claim that you can keep customers 100 per cent secure, only to have their data stolen from underneath you, is a recipe for PR disaster.
A better way to reassure customers is to highlight the positive things you’re doing. For example: “we’re actively working with governments to stay secure”; or: “we’ve implemented standard security frameworks like NIST”. Only companies that are constantly evolving their approach to security will be able to reassure customers and the media that they are doing their utmost to protect people’s data.
Put simply, there’s a wide range of information that can be used against your company — and only by continuing on the never-ending cyber-security journey, can you give yourself the best chance of staying secure.