How to avoid being hacked

Ten years ago it might have seemed strange that a broadcaster would pay hackers to break into their systems, but Public Service Broadcasting (PBS) does this as part of its cyber security operational plans.

“They basically try and hack us and then tell us what they’ve found,” says Mario Vecchi.

“The technical term is to perform a penetration test. We then take the results and we look for gaps in our systems and opportunities to enhance our security.”

The US public broadcaster’s CTO of three years is visiting IBC to talk cyber security and cyber governance.

Following a string of high profile hacks and leaks – from TV 5 Monde in France to Sony Pictures and HBO in the US, cyber security has become a hot topic among media companies – especially as they make the rapid transition to software-based, IP-connected infrastructures.

”It’s become an accepted paradigm that you’re not going to stop a security breach from happening”

“It’s become an accepted paradigm that you’re not going to stop a security breach from happening every time. There will be a human factor, or a bug in one of the apps,” says Vecchi.

And in those circumstances he adds that quick detection is critical to minimise damage. “You need to ask yourself ‘How do I go back to a state where I protect myself and recover?’ ‘How quickly can I throw away data files that have been corrupted and bring in healthy ones?’ Quick detection and quick recovery are crucial.”

An extra challenge for Vecchi is the distributed nature of the broadcaster’s structure. While Vecchi and his team provide centralised services, PBS is a national membership organisation comprised of independent public TV stations that all run their own operations.

“At the local level you see different levels of rigour,” he notes. “The larger stations have more resources and technology and are usually well secured with standard practices on the IT side. The smaller stations leverage their own distinct advantages, and they are often well served by the manual processes they put in place,” he explains.

“Going to the cloud is not an inherent threat, but it doesn’t eliminate it either”

No matter the size of the organisation, Vecchi argues that companies should see cyber security as an ongoing activity.

“You are never finished,” he says. “When executive decisions are made, cyber security must be factored in as an ongoing cost to the business.”

Cyber security can also be viewed as a cost offset by more efficient ways of working. While some media businesses are reluctant to move to the cloud, citing data security fears, Vecchi believes that there are too many benefits not to proceed, so companies should find a way of making it work.

“We will continue to expand more of our services and operations into the cloud. The challenge is not the cloud itself but how you use it. Something going to the cloud is not an inherent threat, but it doesn’t eliminate it either. You need to constantly look at how you move your information and manage your employees.,” he says.

A look at Vecchi’s long and distinguished career leads to a trail of innovation and patents. He developed a probability algorithm while working at IBM and an early cable modem and online service for Time Warner.

He’s also the owner of four patents. So given all the innovation he has developed and worked on, how did Vecchi decide which technologies were worth the effort it takes to get them approved?

“I think that comes down to instinct,” he says. “If something is meaningful to you and you believe it has value, then you bring together the technology, legal and business functions to ensure that the product contributes to the greater good.”

But then, he adds, luck plays a big role, too. “You never really know for sure - that is the unpredictable path of innovation”