FEED Autumn 2021 Newsletter

Chris Wood Spicy Mango Chief technology officer

What are the biggest cybersecurity threats now?

Regarding media and the vertical we operate in, the ecosystem is evolving at a rapid pace. Changes to processes and organisations, such as the introduction of Agile and DevOps, mean more people are now touching more of the ecosystem than they would have in the past. Traditional software engineers are learning cloud infrastructure – servers, databases, storage and the like, but without the years of domain knowledge that more traditional operating models used to have. What does that mean? I’d argue the biggest threats to cybersecurity are internal teams that don’t always have the expertise to harden and secure everything they build and deploy. We spend a lot of time clearing up carnage left by internal processes that didn’t account for security properly. How well-informed are your customers on cybersecurity issues? It’s becoming more common. I think people are increasingly aware, and the driver of privacy and data protection from the fallout of Facebook is one of the reasons. The mainstream press are now on a heightened alert to cybersecurity – so incidents don’t get swept under the public rug any more. However, I’d question how it impacted people’s approaches practically. Who is in charge of cybersecurity in your organisation? I have the overall responsibility as the CTO – but the whole team is proactive. We peer review everything we do internally, and software engineering processes and deployments follow an architecture and design set by individuals with years of infra expertise in media. We work closely with our clients’ information security teams and external organisations to validate what we are doing. What best practices do you have in place to defend yourself? Media and OTT is a little ahead of the curve. We’ve been operating direct-to-consumer services for a long time. We use the standard security tools from CDN providers like Web Application Firewall (WAF), meaning we can be

targeted with rules to allow and deny traffic that meets specific profiles. APIs and endpoints in platforms are fronted by WAF, but are also tested rigorously against attacks like script injection. The world is also much more aware of two-factor authentication now – so, as a consumer, it’s not as daunting to be sent a one-time password to authenticate and log into services. Historically, this was a huge point of friction in the user journey. Have you had any personal experience of a cyberattack? Very much so. We’ve been very lucky – or you could argue thorough – that we’ve never had a data breach or loss of service. But the most typical attacks are DDoS – script kiddies writing bots to make hundreds of thousands of requests per second to a load balancer or CDN. We use WAF in every external service, and auto- scaling groups in cloud architectures, but with WAF providers charging per rule and often per request, it may not be damaging – but can be financially expensive. What is the scariest cybersecurity story you’ve ever heard? Hard to say. Any incident can be terrifying if you’re on the receiving end. Scenarios and stories involving payments and finance are usually the most worrying – especially as most banks and financial institutions are actively trying to offload the responsibility now. But I’d say that phishing attempts are the most worrying – vulnerable users actively handing over data that the banks will no longer cover, since it’s ‘voluntary.’ WE’VE BEEN OPERATING DIRECT-TO-CONSUMER SERVICES FOR A LONG TIME

@feedzinesocial

Powered by