How publishers can prevent cyberattacks after Fast Company’s hack
A hacking scheme that hit Fast Company on Sept. 27 has kept the website dark for nearly a week as executives investigate. The event should be taken as a warning sign to other publishers to take cybersecurity seriously, three current and former heads of technology at media companies told Digiday.
“This could happen to anyone,” said Eli Dickinson, co-founder and CTO at Industry Dive. “We are all vulnerable.”
A “dedicated attacker” is difficult to defend against, said Dickinson, who oversees tech and security at the publication. All it takes is “to just trick one person.”
Suggestions of nefarious activity began last Tuesday, after Fast Company’s content management system was hacked and offensive push notifications were sent through Apple News. This came after an “apparently related” hack of Fast Company’s website on Sept. 25, which shut down the website for a few hours, according to a statement on its website. (Inc., Fast Company’s sister site owned by Mansueto Ventures, was also shut down as a precaution.) As of Monday evening, both sites were still down.
Jordan Scoggins, former IT director at Quartz, said this should be a “wake-up call” to other publishers. “Too many companies don’t take security seriously enough until it’s too late,” he said.
In its statement, Fast Company said it has retained a global incident response and cybersecurity firm to investigate the security breach, though it did not name which firm. Fast Company has posted a few stories to Medium and LinkedIn in the meantime, but wouldn’t comment further.
When asked what security measures — if any — were in place at Fast Company at the time of the attack, a company spokesperson declined to comment.
To prevent these types of attacks, Scoggins said, publishers should have a “multi-pronged approach” to cybersecurity that is “constantly assessed and evaluated and evolved over time.”
Here are some notable tactics, from conversations with current and former media company CTOs and IT directors.
Technology executives Digiday spoke with stressed the importance of multi-factor authentication. At its most basic, this process often requires an employee to log into the company’s website, get a text to their cell phone with a code and enter that code to get into the CMS, authenticating that employee’s identity.
Some companies use a hardware security key, which is essentially a thumb drive that an employee plugs into a computer to log into the website from a new device. This “rules out a whole category of attacks,” said Dickinson.
In terms of access, Dickinson said “the principle of least-privileged” can also help minimize the possibility of getting hacked: each employee has the least amount of access necessary to do their job. “Probably only very few people need to be able to send push alerts, for example,” he said.
A buzzy term in the world of cybersecurity is “zero trust.” This is the idea that “every person and every device has to authenticate every service individually,” Dickinson said. Services like iboss create an “edge” security platform — or firewall — where a user can’t get into a CMS unless they are using a device with that service installed, for example. Zero-trust services essentially whitelist certain VPNs or IP addresses. Christopher Park, CMO at iboss, likened it to a TSA security checkpoint at an airport.
Getting every employee to have a strong password is difficult, sources said. Multi-factor authentication and the principle of “zero trust” are tactics that can help prevent hacks, even if an employee has a weak password.
Companies should have security training for all employees, at least annually. This is often in the form of online classes, which walk employees through the dos and don’ts of cybersecurity, such as not clicking on suspicious links in an email and not sharing passwords. While described as “boring” and “annoying” by a few tech executives Digiday spoke with, these training sessions can help employees understand best practices, how to look out for phishing attacks and how to use more secure tools such as password management systems.
Publishers can pay an outside company to try to hack into their websites to find weaknesses in their cybersecurity measures. These services “test for holes” and should be done at least once a year, Scoggins said.
“With the pace of technology, environments change constantly… so it has to be constantly assessed,” he said.
The challenge: small teams, and remote work
Internal IT teams at media companies — especially smaller ones — are usually stretched thin. Few companies have dedicated CTOs or information security officers, or a team devoted to overseeing these responsibilities.
The shift to remote work has also made some companies more vulnerable to cybersecurity threats, with more employees using personal devices and unsecured home Wi-Fi networks.
“The way that data applications and users interact with other services has all changed. They used to be in data centers; they used to be in offices. Nowadays, with applications like [software-as-a-service] applications in the cloud and users being remote, those applications that people log into are now exposed to the public,” said Park.
If and when a security breach happens, there needs to be a plan in place to determine what to do next to minimize harm and recover, Dickinson said.