A broadcaster’s cyber strategy needs to be robust when faced with challenges such as cybercrime, GDPR and data protection concerns, as well as state-sponsored hacking attacks, but Channel 4’s Brian Brackenborough appears to have most of the bases covered.
A growing awareness of cybercrime, a data harvesting scandal and the introduction of the EU’s GDPR legislation in May have all served to shine a light on the work of broadcast’s data protection and InfoSec specialists.
“It’s refreshing to see staff really engage with these issues and come to us and ask how they should store information or how they should encrypt it,” says Brian Brackenborough, Channel 4’s chief information security officer.
Much of Brackenborough’s recent focus has been on liaising with the UK commercial pubcaster’s legal teams and data specialists to ensure C4 was ready for the introduction of the EU’s new data protection laws (General Data Protection Regulation).
“C4 has a very strong legal team, and it has always kept viewer data for All 4 well protected, but what GDPR has done is bring this to the forefront of people’s minds and allowed us to demonstrate the security we’ve put in place,” he says.
The security officer, who was head of information security at the BBC before joining C4 six years ago, adds that because the broadcaster is relatively small in size, with around 850 staff, it’s been possible to conduct many briefings face to face.
But it’s the minute that cybersecurity becomes relevant to the individual that it elicits the most engagement.
“I can talk to someone for an hour about reasons why you shouldn’t share passwords – but the minute they realise that a hacker at work can access bank details and pension information, or once I start talking about their own devices at home and how they can install free anti-virus software that’s when they tend to take note,” he says.
Brackenborough adds that external factors, such as growing GDPR awareness and the Cambridge Analytica/Facebook data harvesting scandal, have also led to a considered use of social media.
“The fact that we’ve seen a number of data breaches occur on social platforms has meant that people are also starting to realise – if the service is free, then it’s you that’s the product.”
While there are certain basic ground rules for staff – such as multifactor authentication and codes for all mobiles where staff can access their company email – generally the message to staff is: “explain what you need to do, and we’ll find a solution that works.”
This is what an effective cyber strategy looks like, he explains, “examining a company’s business strategy and aligning it to that.”
In entertainment terms this has involved advising the magician Troy’s team on a magic trick that involved broadcasting elements of participants’ personal details.
In areas such as News and the broadcaster’s award-winning current affairs strand Dispatches this might involve liaising closely with journalists who are working on sensitive stories that are likely to upset certain nations.
“State-sponsored attacks are becoming far more common now so it’s good to know when an attack is likely to happen and where it might be coming from,” he says.
However, it was C4’s award-winning coverage of the Paralympics – which the company has broadcast since first winning the rights for London 2012 – that first pushed the issue of cybersecurity to the top of the broadcaster’s agenda.
“C4 definitely became more visible to the world since the Paralympics and its risk of state-sponsored attacks has subsequently increased,” he says.
While Brackenborough says that C4 has “never knowingly” experienced a data breach, there has been one low-level state-sponsored attack.
“A blog on the C4 news website about Syria was hacked – the Syrian electronic army had a good try – we took a decision to shut the blog down for a number of days rather than try to fight with them. And we’ve learned from that,” he says.
Brackenborough describes a consultative relationship with senior management, who, shaken by attacks on organisations like Sony and TV5, are only too keen to work with him to devise C-tech strategies.
He admits that interest in InfoSec does tend to go in peaks and troughs, however. So has he ever found himself having to demonstrate ROI in cybersecurity, or having to fight to increase the budget in relation to the growing severity of threats that have emerged in recent years?
“It’s interesting, some experts would argue that the more money you throw at cybersecurity the less is going to happen,” he says.
“At the moment budgets have been helped with everything else that is going on around it – and GDPR – and some senior managers have asked if the budget is high enough. We could take advantage, but I’d rather save extra budget for when we really need it,” he says.
As a commissioner broadcaster, Channel 4 does not make its own programmes and deals with a myriad of third-party suppliers – who must all comply with the broadcaster’s security policies.
But when Brackenborough is examining the measures that production partners have put in place, he says it’s not about assessing the amount of money they’ve invested in IT.
“Independent production companies are often small and don’t have the budget to invest that much in tech - but it might be that they are implementing practices like two-factor authentication - which is free and one of the most effective ways of stopping phishing attacks. Getting the basics right doesn’t cost money,” he argues.
In terms of its technology suppliers, he thinks that third party governance has been boosted significantly by the UK’s Digital Production Partnership’s (DPP) Committed to Security programme, which enables broadcast and production suppliers to demonstrate their commitment to achieving security best practice.
“As computer networks and broadcaster networks converge we’re operating in a more IP-based world, so we definitely need these proactive accredited schemes because that box doing your subtitling in the corner might just be a hacker’s route in,” he says.
“The DPP initiative is good for the manufacturers too – once they’ve received accreditation it will be easier to sell themselves to other companies,” he adds.
The DPP is also keen to encourage a greater level of information sharing among broadcasters and technology service providers when a breach or a hack has taken place, but is this counterintuitive to an industry based on secrecy?
“I’ve been in broadcasting for 20 years and in InfoSec for ten, and I would say that we’re always collaborating. I talk with C5, BBC, and press publications and always have done,” he says.
But while keen on transparency, Brackenborough acknowledges that sharing such information also depends on other parts of the business:
“Sharing security risks internally is essential but it’s right that companies don’t want to share such information sometimes with the wider public - it can damage reputation or there may be legal reasons why we need to control what becomes public and when,” he says.
According to Brackenborough, emerging threats are likely to come in the form of emerging technologies such as AI, ML and the internet of things (IoT).
As more processes in broadcast become automated, he argues, there still needs to be a human being in overall control.
“Companies are mainly employing robots to do the grunt work, not take over people’s jobs. But this itself presents a risk - if you create a chatbot – designed to reply automatically to emails, it isn’t necessarily going to be able to recognise a phishing attack.”