Publishers Confront Security Challenges

When Hurricane Sandy hit New York City, sites like Gawker and the Huffington Post got knocked offline because their data centers were flooded. If media companies devoted more resources to CTO budgets for preventive measures like additional data centers, the sites might have stayed up.

Media tech departments are often ignored until problems like security attacks or disaster recovery arise, and then it’s up to them to fix the problem. Not putting resources into security threats, whether hacking attempts or disaster recovery, can hurt when a site becomes compromised. This is beyond a tech issue; it’s also a significant business issue. Already this year, the New York Times, Microsoft, Wall Street Journal, NBC and Facebook have each been hacked, resulting in downtime not only for readers but also for advertisers.

Digiday spoke with three CTOs at both legacy and new media publications. Each wanted anonymity so as to not invite any attacks to their sites.

“The problem is that there’s no revenue generated by increasing security,” said one CTO from a legacy publication. “It’s only a defensive measure.”

Building out strong security systems takes developers away from other projects. It can take weeks or months of their time without producing a tangible deliverable that the rest of the company sees. When a site goes down, it’s tough to know what brought it down. It could be bugs, a DDoS attack, weather or power loss. It’s almost impossible to know. Remedies are expensive and take away time spent on forward movement.

Every dollar that goes into security is one less dollar that goes into development. A developer focused on security is a developer not building out ad units that have immediate return.

“You can build a new feature, or you can lock the doors,” a source said. “You can’t have both.”

According to CTOs, the biggest security risk inside a media company is its employees. In the case of the Los Angeles Times, a former employee is accused of compromising the site after he allegedly gave a hacker from Anonymous a username and password to change an article. Last month, the New York Times, Wall Street Journal and Washington Post each announced they were hacked. Employee passwords were stolen.

Also in February,, including the sites for Jay Leno and Jimmy Fallon, was hit by a piece of malware sending users to malicious URLs with the intent to steal bank accounts and other personally identifiable information. Security threats don’t just take down sites, but can compromise a publisher’s audience.

Educating employees not to click on suspicious links and to use PINs on their smartphones and laptops are easy and effective measures to take.

With distributed-denial-of-service attacks rising in the media world, media companies are finding they’re lacking defensive measures. In a DDoS attack, a website is completely inundated with traffic requests that bog down a server.

“It’s about how much insurance you want or need,” said one CTO. “When you play blackjack and the dealer shows an ace, you might buy insurance. You won’t with a four.”

The toughest thing for CTOs is selling something that doesn’t generate revenue. But one of the ways to get funding is to educate CEOs and CFOs on the importance of site security by explaining what the loss of business will be if a site gets attacked or goes down.

“If you calculate it that it’ll take whatever to come back, that loss of revenue is significant,” said a new media CTO. “That helps to justify revenue as long as you can quantify [the loss of business]. But sometimes, there’s a bit of a challenge to quantify.”
