Publishers Confront Security Challenges

When Hurricane Sandy hit New York City, sites like Gawker and the Huffington Post got knocked offline because their data centers were flooded. If media companies devoted more resources to CTO budgets for preventive measures like additional data centers, the sites may have stayed up.

Media tech departments are often ignored until problems like security attacks or disaster recovery arise, and then it’s up to them to fix the problem. Not putting resources into security threats — whether hacking attempts or disaster recovery — can hurt when a site becomes compromised. This is beyond a tech issue; it’s also a significant business issue. Already this year, the New York Times, Microsoft, Wall Street Journal, NBC and Facebook have each been hacked resulting in downtime for readers, but also for advertisers.

Digiday spoke with three CTOs at both legacy and new media publications. Each wanted anonymity so as to not invite any attacks to their sites.

“The problem is that there’s no revenue generated by increasing security,” said one CTO from a legacy publication. “It’s only a defensive measure.”

Building out strong security systems takes developers away from other projects and can take weeks or months of their time and not have a tangible delivery the rest of the company sees. When a site goes down, it’s tough to know what brought it down. It could be bugs, a DDoS attack or weather or power loss. It’s almost impossible to know. Remedies are expensive and take away time spent on forward movement.

For a dollar that goes into security, it’s one less dollar that goes into development. A developer focused on security is a developer not building out ad units that have immediate return.

“You can build a new feature, or you can lock the doors,” a source said. “You can’t have both.”

According to CTOs, the biggest security risk inside a media company is its employees. And in the case of the Los Angeles Times, a former employee who is accused of compromising the site after he allegedly gave a hacker from Anonymous a username and password to change an article. Last month, the New York Times, Wall Street Journal and Washington Post each announced they were hacked. Employee passwords were stolen.

Also in February, NBC.com, including the sites for Jay Leno and Jimmy Fallon, was hit by a piece of malware sending users to malicious URLs with the intent to steal bank accounts and other personally identifiable information. Security threats don’t just take down sites, but can compromise a publisher’s audience.

Educating employees to not click on suspicious links and have pins for their smartphones and laptops are easy and effective measures to take.

With distributed-denial-of-service attacks rising in the media world, media companies are finding they’re lacking defensive measures. A DDoS attack is when a website is completely inundated with traffic requests that bogs down a server.

“It’s about how much insurance you want or need,” said one CTO. “When you play blackjack and the dealer shows an ace, you might buy insurance. You won’t with a four.”

The toughest thing for CTOs is selling something that doesn’t generate revenue. But one of the ways to get funding is to educate CEOs and CFOs of the importance of site security by explaining what the loss of business will be if a site gets attacked or goes down.

“If you calculate it that it’ll take whatever to come back, that loss of revenue is significant,” said a new media CTO. “That helps to justify revenue as long as you can quantify [the loss of business]. But sometimes, there’s a bit of a challenge to quantify.”