When FastCompany's website was hacked late Tuesday night, it sent shockwaves through the media world, underscoring the importance of routine cybersecurity inspections for media companies. Now, in the wake of the prominent hack, media companies are scrambling to secure their content management systems.
So, what happened and how?
Well, the hacker (who went by the name "postpixel") managed to infiltrate FastCompany’s content management system (CMS) and post stories that looked like they were from FC’s editorial team. They also hijacked FastCompany's Apple News feed (a first), broadcasting obscene push notifications replete with racial slurs and, uh, an “invitation for a particular sexual act,” according to
In a statement, FastCompany responded with the following:
“The messages are vile and are not in line with the content and ethos of FastCompany. We are investigating the situation and have shut down fastcompany.com until the situation has been resolved.”
As of this writing, Fast Company was still offline.
Source: FastCompany
In a warning of sorts, the hacker also left a message to FastCompany’s readers, detailing their execution of the hack while criticizing FC’s feeble attempts at security remediation:
Source: FastCompany via The Verge
According to “postpixel,” they were able to gain access to FastCompany's systems by exploiting an insecure password shared by an FC site administrator. They also claimed to have traded FC’s data in a forum for black-hat hackers, including sharing records on FastCompany employees and even sharing unpublished FastCompany articles.
This may be headline news today, but this is just the latest hack in a string of cyberattacks on media companies. In recent months, both The New York Times and The Wall Street Journal have reported that their systems had been compromised by hackers. You can bet that there will soon be a new headline to replace FastCompany.
The bottom line: These incidents serve as a reminder that media companies need to take steps to secure their data and protect their employees.
Most of all…
In the wake of high-profile hacks at major media companies like Fast Company, it's clear that traditional approaches to cybersecurity are no longer enough. One of the most important things companies can do to protect themselves is to implement stronger internal security models.
The shocking conclusion tech and media companies are just now coming to terms with is that people are the weakest links in security. As a result, they’re taking a firm “trust no one” stance.
The security buzzword for this is “Zero Trust,” which simply assumes that a company can be breached no matter what, including by its own unwitting users. The un-named FastCompany “administrator,” for instance, shared passwords inside the firm.
With zero trust, every user and every device is treated as a potential threat. This means that all traffic must be authenticated and authorized, regardless of where it's coming from. What’s more, a core component in a proper zero-trust environment is behavioral analysis. In a nutshell, your software should monitor network behavior and flag suspicious activity. This makes it much harder for hackers to gain access to a company's network because they would need to have valid credentials each step of the way.
Zero trust also includes comprehensive vulnerability management. This means regularly scanning for vulnerabilities and patching them as soon as possible. Behind the scenes, I’d wager that FastCompany is arguing over how to best implement new security measures and protect itself from future attacks.
But creating a new security architecture is no easy task, especially for a major media company. For FastCompany, it will likely involve completely gutting its current system and renovating it from top to bottom. That will require education and buy-in from FastCompany’s senior leadership, middle management, and even its freelancers.
We have some advice, if you’re listening, FastCompany…
Every journey begins with a single step. For FastCompany, one of the most important things it (and other media companies) can do is to regularly inspect their cybersecurity protocols and make sure they are up to date. This includes ensuring that passwords are strong and, ahem, not openly shared and/or reused across multiple accounts.
While it may seem like I’m picking on FastCompany, it’s just one example – this type of attack could happen to any media outlet. In order to protect themselves, media companies need to make sure they have a robust vulnerability management program in place.
Vulnerability management is all about identifying, prioritizing, and fixing security flaws within an organization's systems. If a media company doesn't have a good handle on its vulnerabilities, it’s leaving itself wide open to attack.
There are a few key things that all media companies should do to shore up their defenses:
In today's world, it's not enough to simply have strong security measures in place.
Organizations also need to constantly monitor their systems for vulnerabilities that could be exploited by hackers.
In the wake of the FastCompany hack, it's also important for media companies to consider how they share information internally. In many cases, it may be necessary to restrict access to certain sensitive data or conversations to a smaller group of people.
By taking proactive measures to address vulnerabilities, media companies like FastCompany can dramatically reduce their chances of being hacked and safeguard their content from being hijacked by malicious actors.
Also published here