3 media companies share strategies for managing cyber attacks
Conference Blog | 04 May 2022
Cyber attacks have become a threat to businesses around the world, and no industry is immune. During INMA’s Wednesday Webinar, Cyber Attacks on Newsrooms and Media Companies, cybersecurity experts from three European companies shared their experiences with cybersecurity threats and offered solutions to help publishers prepare for cyber attacks.
“The overall idea is to help you learn what to do — and what not to do — if and when an attack happens,” explained INMA Moderator Mark Challinor. Cyberattacks can be conducted for a variety of reasons, including extorting money in exchange for returning data the attackers have taken hostage. That was the case with Amedia, Norway’s largest publisher, which received notification on December 28, 2021, that its network had been breached and all its data was encrypted.
Stein Damman was named the publisher’s director of security just one month before the attack and recalled his response when he learned of the incident: “It takes time for it to sink in. The consequences are unclear, and you’re not sure if it is ongoing. You’re completely in the dark.”
On that morning, Amedia became one of 2,700 companies victimised by cyberattacks in 2021. That number was up 92.7% from the number of attacks in 2020, and last month alone there were more than 170 incidents from the three largest groups responsible for conducting such attacks.
Holding data for ransom
The attackers in Amedia’s case used a Ransomware-as-a-Service (RaaS) model, which allows cyber attackers to purchase a package of customised tools to carry out their mission. It operates on the dark Web and bears a striking similarity to less nefarious online transactions: “It leaves a customised letter and if the victim follows the instructions, they’ll be directed to that same customer care center to get in touch with the attacker,” Damman said. “If they agree to pay, they’re given a key to get their data back.”
Typically, Damman said, those payments are split 80/20 between the attacker and the provider, respectively.
Amedia already had a policy in place and did not pay, because “paying criminals is supporting extortion.” And, Damman added, there’s no guarantee that companies that pay the ransom will get the data back. Even if they do, they’ll need to spend time and money to get the system up and running again.
Amedia had a backup system that allowed it to recover the data, and the company was able to continue publishing digital editions. Only the print edition was affected; Amedia coordinated with another publishing company to print its newspapers until it resumed operations.
One of the key elements of surviving a cyber attack is communication, Damman said: with the police, with employees, with customers, and with the public. Since there was a chance that customer information was compromised, the GDPR required Amedia to send letters to each employee and customer informing them of the situation.
“We gave general advice to employees and customers after the attack, and we got external assistance to monitor the dark Web,” Damman said. Based on that, it appeared that none of the data had been sold.
Amedia will likely never know who breached its system — or why. What it did learn was how fragile and vulnerable it was.
“Anyone can be affected,” Damman said, urging publishers to create a contingency plan and to be prepared to reach out for help. “Implementing good security does cost, but in today’s landscape, you have to have it.”
Known attackers, unknown reasons
Jose Galvao, IT director for Portugal’s Impresa, said his company also was victimised by cyber attackers. But in this case, the attackers were well-known. Impresa’s brand portfolio includes the country’s most-sold newspaper, SIC, as well as the country’s first video streaming platform, OPTO, and the e-sports/gaming platform ADNVCE. The company owns several properties, with platforms including sports, photography, women’s topics, leisure activities, and more. On January 2, 2022, Impresa joined a list of high-profile targets.
“Lapsus$ Group attacks big companies, and their modus operandi is really well known,” Galvao explained. “They try to explore known vulnerabilities. And sometimes they explore new techniques, including recruiting people inside companies to help them.”
Impresa detected the attack because the Web site was defaced. What was unusual in its case is that the company didn’t lose any relevant data, nobody asked for ransom, and there has been no evidence of data exfiltration. However, that didn’t protect Impresa from experiencing “chaos” as it worked to restore the system.
“We really don’t know their motivation,” Galvao said. “They made a massive destruction of our infrastructure and we were not prepared for that.”
He said ensuring business continuity was the most important thing for Impresa, and he shared questions that organisation leaders and IT/security teams should consider now, before an attack happens.
Companies should identify tech vulnerabilities to prevent attacks and should be prepared to react, respond, and recover data if it happens, Galvao said: “People ask us to be agile; it’s important to be agile and implement quickly, but we should be aware that we should not do shortcuts. We should always be aware and consider the risks in our implementation.”
Securing the infrastructure
Andreas Schneider, group chief information security officer at TX Group, which includes Switzerland-based Tamedia, wrapped up the Webinar with a look at how the organisation has built one of the most secure media companies in the world. Although it had no cybersecurity in 2015, that changed one year later when its free media platform 20minuten.ch — which reaches most readers in Switzerland — suffered a malware attack.
All visitors to the site were infected with malware, and that’s where the company’s cybersecurity journey began.
“It takes years to build up a real good security stack,” Schneider said. “But there are elements you can use to improve security.”
Some of the measures TX Group took included:
- Moving from Microsoft to Google’s G Suite. “Moving away from Microsoft got rid of 50% of the security problems, because most of the malware that is distributed is via work documents.” He said Microsoft Exchange is one of the most-attacked platforms.
- Moving to the cloud. Although this wasn’t done for security reasons, it is more secure: “If you do it correctly, you can do security better and at a much larger scale.”
- Creating a security strategy. “We call them resilience elements because it’s our goal … that every brand becomes resilient. If you’re resilient enough, you’ll survive most of the viruses out there. So we’ve tried training our companies to have good security, like a healthy immune system.”
- Implementing Endpoint Detection and Response (EDR) security. In Switzerland, 99% of companies attacked by ransomware do not have this protection. Since implementing EDR in 2019, attacks have decreased and last month there were zero security incidents.
- Implementing BeyondCorp. This is a set of principles that prevents any untrusted device, or any user without a second factor of authentication, from accessing the cloud. “It’s a trust architecture based on the Google BeyondCorp principles.”
But even more important, Schneider said, is that the company creates products with built-in security.
“Every feature that is developed, we think about what might go wrong, and then … put in security measures.”
It also uses cloud-native security tools: “There is no way around it. We protect every asset against attacks.”
As a final measure, the company developed a risk management tool to measure the resilience of each company and ensure that each one can ward off threats.