When Roger Cressey, a go-to counter-terrorism analyst for NBC and former advisor to President Obama, looks at the state of cybersecurity in media and entertainment, he sees a good news, bad news situation.
“The good news is, your industry is more aware than it’s ever been before,” he said July 25 during a keynote presentation — “Managing Cyber Risk in an Interconnected Workplace is Everyone’s Responsibility” — at the Content Protection Summit East event, part of the Media & Entertainment (M&E) Day conference. “The bad news is you still have a way to go … to bring in the security culture in every element of how you do your business.”
Cressey explained how modern cybersecurity requirements extend beyond traditional IT networks, and need to focus on individual approaches, along with a comprehensive corporate strategy and structure. For media and entertainment specifically, the move to native digital workflows is resulting in interdependencies between networks, devices and users.
His presentation offered thoughts as to why the threat environment is only one part of the equation, and how technology isn’t enough to stop cyberattacks.
“Whatever the cool tech is, it doesn’t absolve you individuals of your responsibility and accountability when it comes to cybersecurity,” Cressey said. There’s an “arms bazaar” of attack tools available for criminals today, and hackers are a community of people who learn from each other, share information, and look at what each other is doing to change their tactics.
“And I guarantee you they are looking at your industry right now for the opportunities they can exploit using these tools, some of which are nation-state level, that you do not have the technical tools to deal with,” he added.
That means the individual — not tech — is the most crucial point for stopping a cyberattack against his or her organization, because cyber attackers will keep tabs on a network for months on end, looking for vulnerabilities, Cressey said. That calls for a human approach to prevention and response. “It tells you, if they’re really interested in what you’re doing, they’re going to watch, learn and listen, and wait for the right time to [go after] your IP, or worse, destroy the data you have,” he said.
“Your technology can be world class, but if your people aren’t trained, and if your processes stink or are non-existent, that technology will not save you,” Cressey said. That’s a message C-suite executives need to understand. Understanding all of your attack surfaces — your email, your mobile devices — is part of the approach, but so too is looking outside your immediate organization.
“You should be telling your bosses: ‘What should we be doing about our outside vendors? What security requirements are we ensuring that they put in place? And what happens if they don’t? How do we hold them accountable and responsible?’” Cressey said.
And Cressey offered a reminder that should be gospel among every employee today: “It’s not a question of if but when your network will be penetrated. Your network will be penetrated,” he said. “If there’s a determined adversary with the right capabilities, commitment and talent, they’ll get in. All you can do is minimize the impact of [the breach].”
Prioritize what’s most important, and realize that everyone in the organization has a role to play in both preventing and minimizing the impacts of a cyberattack, Cressey said.
The 2018 M&E Day, which also included Smart Content Summit East conference tracks, was produced by MESA, in association with the Content Delivery & Security Association (CDSA), the Hollywood IT Society (HITS) and the Smart Content Council, and was presented by Microsoft, with sponsorship by Akamai, BTI Studios, Independent Security Evaluators, LiveTiles, MarkLogic, RSG Media, ThinkAnalytics, Amazon Web Services, EIDR, the Trusted Partner Network (TPN) and Richey May Technology Solutions.