Growing a media empire is no easy task, especially when companies are plagued by layoffs, budget shortfalls and a rapidly changing media landscape. But one particular global media group has not only succeeded in this challenging climate – it has thrived.
This group (let’s call it Company M for media) publishes a leading news magazine and recently has been growing through a series of acquisitions. That’s great news. But with success often comes challenge: In this case, managing the growth and all the newly acquired assets properly.
Security threats are constantly changing and evolving, and testing a system using current penetration methods ensures that what’s put in place is working under real-life conditions.
Because Company M brought several other companies under its roof, it found itself in the position of having to deal with several different types of computer systems that operated on a variety of platforms, and with a disconcerting number of applications – each with a different level of security built into it. To complicate matters, many of the IT assets were geographically spread out. Complexity may be good when it comes to fine wine. Not so much when it comes to IT security.
Fortunately, Company M had a proactive IT department that did not count on luck alone. It sought to take action before all those potentially clashing systems caused any real-world problems. It decided to test and analyze all systems, old and new, identify the potential problems, and devise solutions for them.
The first step the company needed to undertake was a full-scale analysis of its payment systems – a regulatory matter that could not be postponed. In industry lingo, Company M needed a Payment Card Industry Data Security Standard (PCI DSS) gap analysis conducted.
To make sure things went right, the company brought in security experts from Protiviti to assist the IT department with a holistic risk assessment of the group’s systems. This consisted of performing automated network scans, followed by manual testing for vulnerabilities and verification of the issues found.
Protiviti’s security team did not just test and point to problems. They also spoke directly with system administrators, system owners and developers throughout Company M’s IT empire to really get the picture “on the ground” and find out where additional gaps might be present.
Finally, to ensure that the analysis was thorough, a Protiviti team of “ethical hackers” was brought in and charged with doing their best to access a system perceived to be otherwise secure. The goal was to discover (and fix) flaws that real hackers might exploit.
This simulated hacking was an essential part of Protiviti’s work at Company M: Security threats are constantly evolving, and testing a system using current penetration methods ensures that what’s put in place is working under real-life conditions.
The “hackers” were asked to break through the internal and external walls of the IT infrastructure, as well as the physical premises of the company’s locations, to test the strength of its defenses. The result was a list of discovered vulnerabilities, which were then prioritized for remediation based not only on the regulatory security requirements, but on the company’s own risk aversion level.
Digging into the IT systems paid off for Company M. It discovered a number of weaknesses on its public systems and chose to fix most of them immediately. This enabled it to meet its compliance obligations, as well as avoid pending fines from an acquiring bank.
Following these immediate steps, Protiviti helped the company implement a comprehensive vulnerability management program and make significant improvements to its software development lifecycle and service provider management practices – steps resulting directly from its improved understanding of Internet security risks and exposures gained through the hacking exercise.
For many media companies today, growing bigger is a necessity in order to survive. Making sure to discover and fix weaknesses to also grow stronger – as Company M did – is proof of foresight and confidence. It may not guarantee that a company will never be on the IT breach roll call, but it will make that possibility much, much smaller.