How publishers can prevent cyberattacks after Fast Company’s hack
A hacking scheme that hit Fast Company on Sept. 27 has kept the website dark for nearly a week as executives investigate. The event should be taken as a warning sign to other publishers to take cybersecurity seriously, three current and former heads of technology at media companies told Digiday.
“This could happen to anyone,” said Eli Dickinson, co-founder and CTO at Industry Dive. “We are all vulnerable.”
A “dedicated attacker” is difficult to defend against, said Dickinson, who oversees tech and security at the publication. All it takes is “to just trick one person.”
Suggestions of nefarious activity began last Tuesday, after Fast Company’s content management system was hacked and offensive push notifications were sent through Apple News. This came after an “apparently related” hack of Fast Company’s website on Sept. 25, which shut down the website for a few hours, according to a statement on its website. (Inc., Fast Company’s sister site owned by Mansueto Ventures, was also shut down as a precaution.) As of Monday evening, both sites were still down.
Jordan Scoggins, former IT director at Quartz, said this should be a “wake-up call” to other publishers. “Too many companies don’t take security seriously enough until it’s too late,” he said.
In its statement, Fast Company said it has retained a global incident response and cybersecurity firm to investigate the security breach, though it did not name which firm. Fast Company has posted a few stories to Medium and LinkedIn in the meantime, but wouldn’t comment further.
When asked what security measures — if any — were in place at Fast Company at the time of the attack, a company spokesperson declined to comment.
To prevent these types of attacks, Scoggins said, publishers should have a “multi-pronged approach” to cybersecurity that is “constantly assessed and evaluated and evolved over time.”
Here are some notable tactics, from conversations with current and former media company CTOs and IT directors.
- Multi-factor authentication
- “Zero trust”
- Security training
- Penetration tests
Technology executives Digiday spoke with stressed the importance of multi-factor authentication. At its most basic, this process often requires an employee to log into the company’s website, get a text to their cell phone with a code and enter that code to get into the CMS, authenticating that employee’s identity.
Some companies use a hardware security key, which is essentially a thumb drive that an employee plugs into a computer to log into the website from a new device. This “rules out a whole category of attacks,” said Dickinson.
In terms of access, Dickinson said “the principle of least-privileged” can also help minimize the possibility of getting hacked: each employee has the least amount of access necessary to do their job. “Probably only very few people need to be able to send push alerts, for example,” he said.
A buzzy term in the world of cybersecurity is “zero trust.” This is the idea that “every person and every device has to authenticate every service individually,” Dickinson said. Services like iboss create an “edge” security platform — or firewall — where a user can’t get into a CMS unless they are using a device with that service installed, for example. Zero-trust services essentially whitelist certain VPNs or IP addresses. Christopher Park, CMO at iboss, likened it to a TSA security checkpoint at an airport.
Getting every employee to have a strong password is difficult, sources said. Multi-factor authentication and the principle of “zero trust” are tactics that can help prevent hacks, even if an employee has a weak password.
Companies should have security training for all employees, at least annually. This is often in the form of online classes, which walk employees through the dos and don’ts of cybersecurity, such as not clicking on suspicious links in an email and not sharing passwords. While described as “boring” and “annoying” by a few tech executives Digiday spoke with, these training sessions can help employees understand best practices, how to look out for phishing attacks and how to use more secure tools such as password management systems.
Publishers can pay an outside company to try to hack into their websites to find weaknesses in their cybersecurity measures. These services “test for holes” and should be done at least once a year, Scoggins said.
“With the pace of technology, environments change constantly… so it has to be constantly assessed,” he said.
The challenge: small teams, and remote work
Internal IT teams at media companies — especially smaller ones — are usually stretched thin. Few companies have dedicated CTOs or information security officers, or a team devoted to overseeing these responsibilities.
The shift to remote work has also made some companies more vulnerable to cybersecurity threats, with more employees using personal devices and unsecure home Wi-Fi networks.
“The way that data applications and users interact with other services has all changed. They used to be in data centers; they used to be in offices. Nowadays, with applications like [software-as-a-service] applications in the cloud and users being remote, those applications that people log into are now exposed to the public,” said Park.
If and when a security breach happens, there needs to be a plan in place to determine what to do next to minimize harm and recover, Dickinson said.