A hacking scheme that hit Fast Company on September 27 kept the website dark for nearly a week as executives investigated. The event should be taken as a wake-up call to other publishers to take cybersecurity seriously, three current and former chief technology officers at media companies told Digiday.
“It could happen to anyone,” said Eli Dickinson, co-founder and CTO at Industry Dive. “We are all vulnerable.”
A “dedicated attacker” is hard to defend, said Dickinson, who oversees the publication’s technology and security. All it takes is “just fooling one person”.
Suggestions of harmful activity began last Tuesday, after Fast Company’s content management system was hacked and offensive push notifications were sent through Apple News. This came after an “apparently related” hack of Fast Company’s website on September 25 that shut down the website for a few hours, according to a statement on its website. (Inc., Fast Company’s sister site owned by Mansueto Ventures, was also shut down as a precaution). Monday night, both sites were still down.
Jordan Scoggins, former IT director of Quartz, said this should be a “red flag” for other publishers. “Too many companies don’t take security seriously enough until it’s too late,” he said.
In its statement, Fast Company said it retained the services of a global incident response and cybersecurity company to investigate the security breach, although it did not name which company. Fast Company posted a few stories on Medium and LinkedIn in the meantime, but wouldn’t comment further.
When asked what security measures – if any – were in place at Fast Company at the time of the attack; a company spokesperson declined to comment.
To prevent these types of attacks, Scoggins said, publishers should have a “multi-pronged approach” to cybersecurity that is “constantly assessed, evaluated and evolved over time.”
Here are some notable tactics, culled from conversations with current and former CTOs and CIOs of media companies.
CTOs Digiday spoke to emphasized the importance of multi-factor authentication. In its most basic form, this process often requires an employee to log into the company’s website, receive a text message on their cell phone with a code, and enter that code to access the CMS, authenticating the identity of that employee.
Some companies use a hardware dongle, which is basically a USB stick that an employee plugs into a computer to log into the website from a new device. This “excludes a whole class of attacks,” Dickinson said.
In terms of access, Dickinson said “the principle of least privilege” can also help minimize the possibility of being hacked: each employee has the least amount of access necessary to do their job. “Probably very few people need to be able to send push alerts, for example,” he said.
A buzzword in the world of cybersecurity is “zero trust”. It’s the idea that “every person and device must authenticate each service individually,” Dickinson said. Services like iboss create an “edge” security platform – or firewall – where a user cannot access a CMS unless they are using a device that has that service installed, for example. Zero-trust services essentially whitelist certain VPNs or IP addresses. Christopher Park, CMO at iboss, likened it to a TSA security checkpoint at an airport.
Ensuring that every employee has a strong password is difficult, sources said. Multi-factor authentication and the principle of “zero trust” are tactics that can help prevent hacks, even if an employee has a weak password.
Companies should have safety training for all employees, at least once a year. This often takes the form of online courses, which teach employees the do’s and don’ts of cybersecurity, such as not clicking on suspicious links in an email and not sharing passwords. Although described as “boring” and “boring” by a few tech leads Digiday spoke to, these training sessions can help employees understand best practices, monitor phishing attacks, and use more secure tools. such as password management systems.
Publishers can pay an outside company to try to hack their websites to find weaknesses in their cybersecurity measures. These services “test the holes” and should be done at least once a year, Scoggins said.
“With the pace of technology, environments are constantly changing…so it has to be constantly evaluated,” he said.
The Challenge: Small Teams and Remote Work
In-house IT teams at media companies, especially smaller ones, are typically stretched. Few companies have dedicated CTOs or information security officers, or a team dedicated to overseeing these responsibilities.
The shift to remote working has also made some businesses more vulnerable to cybersecurity threats, with more employees using personal devices and unsecured home Wi-Fi networks.
“The way data applications and users interact with other services has completely changed. Previously, they were in data centers; they were in the offices. Nowadays, with apps like [software-as-a-service] with apps in the cloud and users being remote, the apps people log into are now exposed to the public,” Park said.
If and when a security breach occurs, there must be a plan in place to determine what to do next to minimize damage and recover, Dickinson said.