When the pandemic hit, publishers’ workforces went remote practically overnight. That sudden transition has left a lot of publishers’ tech infrastructures vulnerable to cybersecurity threats, along with employees working from home needing additional IT support.
“Every publisher needs to make security awareness a priority,” Dotdash’s CTO Nabil Ahmad said during the Digiday Publishing Summit this week. “Cyber criminals have been taking advantage of this abrupt shift to remote work and exploiting the security gaps caused by the transition.”
The average publisher likely receives hundreds of phishing emails a month, Ahmad said. Below is a look at how Dotdash, which owns advice and lifestyle brands like Investopedia, Verywell and Byrdie, made improvements to its tech infrastructure to protect its remote newsroom — and why other publishers need to be aware of any cybersecurity vulnerabilities.
For Dotdash, the transition to working from home was no big deal, according to Ahmad. The company already had a flexible work-from-home policy. Its editorial staff was mostly remote when the pandemic hit. The office’s network, however, was just as vulnerable as working from home or from a Starbucks, Ahmad said. The company had started using more SaaS solutions to work over cloud-based apps.
But it wasn’t a perfect shift to remote work. Dotdash’s Zoom accounts were tied to conference rooms, and overnight more than 400 employees required Zoom access for meetings. As the pandemic wore on, employees needed office amenities at home, including desks and chairs. IT support had largely been conducted in person pre-pandemic — now when an employee had an issue, they couldn’t just walk up to the tech desk for help. Even onboarding new employees had been an informal, in-person process at Dotdash.
But the biggest tech issue was cybersecurity threats, mainly from phishing attacks and employee mistakes (such as downloading malware by accident). “People are your biggest attack surface. That was true prior to the pandemic, and it’s true now,” Ahmad said. “At the end of the day, you really need to make sure that your employees are aware of the risks and threats that are being directed at them.”
Wi-Fi networks at home were often inadequately protected from cybersecurity threats, as were the personal devices that an increasing number of employees were working from.
Dotdash’s IT team got to work: they got each employee a Zoom account. Keyboards, mics, monitors and other office equipment were shipped to employees’ homes. IT support transitioned to Slack and Zendesk, and more screen-sharing products were adopted. IT staff started stocking and storing computer equipment at home to ship out to employees when needed. The onboarding process evolved to include more documentation for new hires, who were also assigned “buddies” to help them get acquainted with the company.
But hackers remained a threat. A hacker could pretend to be someone else at the company and target a new employee. “It’s hard to identify when those things are fraudulent if you’re sitting in a room by yourself,” Ahmad said.
Hackers can search on LinkedIn to find people to target, he said. They can also use software to scan a publisher’s tech infrastructure and find out what version of WordPress they are using or what vendors they are working with, and figure out if there are any security vulnerabilities there. “It’s cheap for them to scan and find your vulnerabilities,” Ahmad said.
Dotdash runs monthly phishing exercises on both employees and contractors so they know what to watch out for. The company sends out an internal monthly security awareness newsletter with security tips.
Every employee’s laptop should have software installed to detect viruses or irregularities, Ahmad said.
Publishers “should be running software to scan your infrastructure to make sure it’s secure and up to date,” Ahmad said. Every publisher should have a plan in place for a cybersecurity attack or breach. “Don’t put it off,” he added.
Hackers usually target publishers for two reasons: political motives, and data theft. That means political news publishers need to be extra wary. “Some [hackers] want to go after folks that have political views that are different from their own,” Ahmad said.
Hackers also might want publishers’ user data. “In a world where data is king and everyone is trying to collect data, having [user] data makes you a target,” Ahmad said.
Call your security team, if you have one, and then get your legal team and law enforcement involved, Ahmad said.
And keep careful watch over new products being developed and launched now, he said. That is where vulnerabilities will arise and present opportunities for hackers over the next six to 18 months.