The percentage of media companies susceptible to compromise is double the figure across all other sectors, according to a new study from BlueVoyant.
The security vendor used its tools to perform a cybersecurity posture analysis on 485 organizations from the media industry to compile its Media Industry Cybersecurity Challenges report.
It found that 30% of those analyzed are exposed to compromise via vulnerabilities in their internet-facing, publicly accessible footprints. Exploitation of these vulnerabilities could lead to content theft and/or operational disruption.
However, prompt patching remains a challenge: 60% of identified vulnerable systems were still unprotected six weeks after a patch had been issued, BlueVoyant said.
Part of the challenge for the sector is the complexity of the supply chain, which might incorporate a wide variety of vendors, service providers, partners and technologies to move a creative idea from concept to camera to consumer, the report claimed.
“The digital supply chain is a common attack vector not only for the media, but all industries,” argued Dan Vasile, BlueVoyant vice president of strategic development and former vice president of information security at Paramount.
“In order to improve their cyber-defense posture, media companies should continuously monitor their extended vendor ecosystem, using analysis to prioritize mitigation of the most critical findings.”
Half of the top vendors providing content management solutions to the media industry were found to have vulnerabilities in their products, according to the report.
To enhance supply-chain security, BlueVoyant recommended that media companies:
- Identify and prioritize vendors, focusing on their criticality to content creation and delivery, and access to critical systems
- Continuously monitor the supply chain using contextual analysis to prioritize serious vulnerabilities, as questionnaires and point-in-time scans are no longer sufficient
- Use platforms to proactively track how critical vendors are addressing externally visible vulnerabilities and misconfigurations and work with them to minimize attack-surface risk