Cybersecurity Woes, Lax Patching Puts Media Companies At Risk

The secure production, distribution and management of media is being threatened by a complex, fragmented third-party ecosystem that leaves the media industry exposed to potential cybersecurity threats, a survey by BlueVoyant found.

The report revealed 30% of media vendors are susceptible to compromise via vulnerabilities discovered in their internet-facing publicly accessible footprints. The percentage of media vendors susceptible to compromise is double that of a multi-industry benchmark composed of all the companies BlueVoyant monitors. 

CMS Vulnerabilities

Fully half of the top media vendors providing content management solutions (CMSes) have potentially compromising vulnerabilities, and timely patching was also a significant issue, the survey found. A full 60% of identified vulnerable systems are still unprotected six weeks after a patch has been issued.

“As a result of the vulnerabilities we found, media companies may be vulnerable to cyberattacks, including ransomware and operational disruption,” said Joel Molinoff, vice chairman at BlueVoyant. “The critical vulnerabilities we found are known to be exploitable by malicious actors, so the threats are very real. These vulnerabilities may also lead to content leaks.”

He pointed out that pre-release content is often shared with supporting vendors as part of the production process, and if one of these vendors gets compromised, content may get leaked before its planned release.

“The media industry relies on vendors for content production and to release new content to consumers,” Molinoff explained. “In general, as companies’ internal networks become more well-defended, often a third party, like a vendor or supplier, is the weak link. Many media companies have hundreds if not thousands of vendors, so monitoring them is a challenge.” 

In addition, the majority of the media industry’s vendors are relatively small companies that have neither the appropriate budget for cybersecurity nor the necessary focus to address cybersecurity risks.

Cybersecurity Isn’t Media’s Priority

Molinoff added that another challenge for the industry is its dependency on legacy systems.

“Media value chains were developed a long time ago and are dependent on the underlying technologies,” he said. “Adoption of new, more secure technologies is slow because of the cost and potential disruption.”

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, said cybersecurity is not the first priority in a lot of industries, including media.

“Many organizations rely on an extensive ecosystem to do business, and media companies are no exception,” he said. “Given the wide variety of features found on media sites, often developed by third parties, it’s no surprise that there is a challenge keeping them secure.”

From Parkin’s perspective, media companies, like any organization, need to hold their third-party vendors and suppliers to a higher standard to make sure they are providing services that are properly secured and are securing their own environments.

They also need to get a handle on their own environments and make sure they have the tools and skills to keep their own house in order. He pointed out media organizations can be wildly varied and often have a lot of moving pieces with competing priorities for access versus security.

“There may be many supporting vendors with many touch points for customers, creators and the general public,” he said. “Unfortunately, for many of these organizations, cybersecurity teams are understaffed and under-resourced.”

Molinoff said that, with respect to vendor risk management, the most important things to do are to identify vendors and to categorize them based on the potential cybersecurity risk that they can introduce to the organization.

In addition, the industry as a whole should continuously monitor the cybersecurity posture of its vendors and the digital interactions and/or data shared with them.

Finally, media companies should help their vendors mitigate critical risks that could impact them.

“Critical vulnerabilities are often exploited within minutes once proof-of-concept code is available publicly,” he added. 

Bud Broomhead, CEO at Viakoo, a provider of automated IoT cybersecurity hygiene, pointed out that media organizations are a treasure trove of valuable data, and can also act as a launching pad for attacks.

“Specialized equipment used in media production is a form of IoT, and traditional IT security solutions may not prevent or remediate cyberattacks against them,” he said. “This means even tasks like keeping firmware up-to-date or rotating passwords require manual effort unless a dedicated IoT security platform is used to automate those tasks.”

He said content management systems offer threat actors a platform designed for sharing and distribution (i.e., carrying malicious payloads) as well as the ability to access, manipulate and modify data.

Broomhead added that because of the high value of media content and how it is designed to be shared and distributed, threat actors will always look to exploit vulnerabilities through media organizations and content management systems. 

“Expect to see more use of exfiltrated media data for creating deepfakes and use of media content in thwarting biometric security,” he warned. “Because media organizations use high-performance computing, threat actors are likely to harness that compute power broadly in staging more extensive and compute-intensive attacks.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
