(Mathew Gilliat-Smith will be presenting at the April 7 Cybersecurity & Content Protection Summit in Las Vegas)
By Chris Johnson, CEO and President, and Mathew Gilliat-Smith, Consultant, Convergent Risks –
As major brands continue to announce significant data breaches, almost on a weekly basis, what practical steps should you take to reduce the risk of being next? At the time of writing this article Google+, Facebook and British Airways are three of the recent high-profile organizations to fall victim to compromise in as many weeks.
But what about the small and medium enterprises – “SMEs” – that do not make the news? They suffer the same fate with equal impact, often because they do not have access to the same resources or funding as large corporations, even though large corporations often rely heavily on the services of such SMEs and trust them to safeguard their valuable assets and reputation. What can these smaller companies do to demonstrate the necessary assurance to the board and shareholders?
Exposure often extends beyond the breach itself. Additional exposure areas that ought to be factored in when measuring the true scale of the exposure include: substantial GDPR fines; litigation; unbudgeted costs; drop in share value; and loss of customer confidence. It becomes clear that the issue is perhaps more complex than simply securing the enterprise.
With plenty of solutions available and much work now being done, security still remains a substantial challenge. It is clear that it takes time to shape the culture of organizations and their supply chains to fully realize the risk and embrace the required investment in both time and resource.
This article will highlight the motivation needed for organizations to prepare for, and respond to, this clear and ever-present threat.
Get the board’s buy-in
Where does your organization sit on the maturity curve? In our experience a business will sit somewhere along a spectrum of these five key benchmarks:
* Uninformed. Cybersecurity is not considered a threat.
* Negligent. Cybersecurity is on the agenda, but you are unwilling to adequately invest in it.
* Compliant. Cybersecurity is a recognized requirement but considered a distraction.
* Getting There. Cybersecurity has become a priority and proactive work is being done to improve the security culture at all levels and areas of the organization.
* Gold Standard. Cybersecurity is an established core value and subject to continuous monitoring and improvement.
Getting to a point of resilience starts at the top. Be honest, transparent and realistic about where you are. Communication is a key responsibility for data security, which involves the whole organization — not just the IT department. Spread the importance of security throughout the organization. Integrate it with workflows and align it to business goals.
If not already doing so, report and discuss your findings with the board; provide examples of the threats and the impact to others, and present evidence of your risks and vulnerabilities. Provide a road map, have a response plan and forecast the resource and budget required.
Below are some of the items to consider in the various testing stages to assess how prepared your organization might be against a breach.
Most businesses invest in security to some extent, but not always in the right areas. Choose the most important part of your business (i.e. focus on and secure your core business offering). One of the key areas where vulnerabilities are detected is after change management. For example, a business or operational process was changed but that change wasn’t tested post-implementation, resulting in a potential breach. New workflows, poor firewall management, and new working procedures for employees will all potentially change the threat scenario.
More likely than not you will save money in the long run by having an affordable pre-assessment by an independent company that will almost always detect something that you haven’t. You may already know there are areas to address and are not ready for a full assessment. Having a pre-assessment before your penetration test or Trusted Partner Network (TPN) assessment is sensible. It will help you prioritize what needs addressing and make you feel more comfortable. You will be able to remediate your non-conformances so that when you undertake the actual test or assessment, you are more likely to have a report for content owners that better reflects your organization’s commitment to security.
Google search is awash with penetration testing companies. Be cautious before committing! Understand what you are getting, what is really being tested and whether the provider understands your business, workflows, and the media and entertainment (M&E) sector as well as your goals for the test. There is a misperception that an automated vulnerability scan is a penetration test. A true penetration test involves exploitation and requires proper planning, threat modeling and reconnaissance.
At Convergent, we use Targeted Framework Assessment (TFA), a methodology that helps you focus on your most critical assets and workflows. We employ certified highly skilled personnel with frontline cyber defense experience in M&E, military and banking to test robustness. Some companies ask why a penetration test is needed if they have invested heavily in security safeguards. Convergent advises its clients that external and internal penetration testing is the only way to validate that your security safeguards are effective, especially in an evolving threat landscape. The worst time to test your resilience is during an attack, so it is essential to be prepared.
Get help with complex remediation tasks, as this can be quicker and more thorough when you receive advice from someone who is knowledgeable about the latest technologies or methodologies. The most common remediation items we find are: lack of a dedicated content transfer network; incorrect workflow for the ingest / egest of client content; lack of third-party penetration tests performed annually; and uncontrolled internet access from production networks.
TPN security assessment
The industry is working more closely together on security now than ever before. TPN provides an industry benchmark for security assessments and standards for companies working in M&E. The TPN initiative — which is supported by the Motion Picture Association of America (MPAA), Content Delivery & Storage Association (CDSA), Alliance for Creativity & Entertainment (ACE) and their members — came together to establish a single framework to evaluate vendor security consistently and to avoid confusion within the vendor community.
The program is now gathering momentum with many vendors already beginning to participate, which affirms the importance of the TPN to the M&E community. There are many benefits for vendors that participate in the program. Undergoing a single assessment that is recognized by all of the participating content owners saves the vendor time and cost. Convergent is a huge supporter of the TPN and is expanding its team of skilled assessors to meet the worldwide demand for audit requests.