Recent high-profile ransomware attacks have underscored the importance of cybersecurity. This year alone, ransomware has been used to destroy infrastructure, create chaos, and extort money from a range of businesses including the Colonial Pipeline, JBS (the world’s largest meatpacking company), and even the Washington DC Metropolitan Police Department. And cyberattacks have been increasing, as have ransom payments (up by 300% in 2020, and rising even more in 2021 so far.)
After the hacker group DarkSide was connected to the recent Colonial Pipeline attack, their business model came under newfound scrutiny among a broader audience. And what we discovered was a wide-ranging, international, anonymous group that basically operated like a legitimate software-as-a-service company. They maintained a web presence that included a sophisticated dashboard for their “customers” – hackers who would breach networks to install their ransomware. They did PR, posting about their latest news on their DarkSide Leaks website. They even contracted with legitimate data decryption services, wrote their own code of ethics, and gave some of their ransom money away to charity.
Not only did they do major damage in that attack, they also had reverberating (if unintentional) effects on the crypto industry. The FBI managed to trace the bitcoin payments of their customer/partner and crack into the hackers’ wallet to recover some of the ransom. Crypto prices that were already suffering plunged yet again as the security of Bitcoin was called into question.
Cybersecurity is everyone’s problem
These attacks raise questions across a broad range of domains, from the political (Who is a state actor? Do cyber crimes constitute acts of war?) to the financial (Should affected businesses pay ransoms? Does the rising popularity of cryptocurrency only embolden cyber criminals?) to the technical (What are a network’s vulnerabilities? How can data be better protected?)
Oftentimes creatives feel that such considerations are only for IT departments to worry about. But the problem of cybercrime isn’t just the domain of lone system admins – anyone can become a target, and become an entry point into the broader network of your company or your clients. Creatives have plenty of reasons to protect themselves from data breaches and other cybercrimes.
The sudden increase in remote work, and more relaxed protocols for remote collaboration have introduced greater access to centralized resources. That’s often made day-to-day working easier, but it also introduces more potential openings for hackers. Any complex system is only as strong as its weakest link, so it’s incumbent upon every member of an organization to stay vigilant.
Creatives might also help solve cyber threats with a different perspective on the issues than systems engineers have. Right now, the hackers are technologically savvy and imaginative, so a proactive plan to stop them requires the ability to think outside the box. And as creators, we often educate as well as entertain, so cybersecurity training could become a lot more palatable to workers with some creative input.
What makes creative departments targets?
Companies in creative industries and creative departments of large brands can be rich targets for hackers. Almost all creative work these days is made on digital platforms, so creative work product is a data source that can be mined if compromised by hackers. Creative departments often have sensitive data on their devices, and the digital media files they work with may constitute valuable intellectual property. If it gets into the wrong hands it might reveal to the brand’s competitors undisclosed strategic plans. If leaked online before intended, it can be costly and embarrassing.
Creative companies have been attacked before – even big companies who had protective systems in place. Just think back to the 2014 Sony hack perpetrated by the so-called “Guardians of Peace” hacker group. They used a malware variant to obliterate the company’s computer infrastructure while also gaining access to an incredible amount of sensitive data, including information about Sony employees and their families, personal e-mails, salary information, copies of not-yet-released films, and even scripts and plans for future endeavors.
While most of what we heard about was snarky e-mails about Hollywood actors and other gossip, in reality, the hackers dumped terabytes of sensitive and embarrassing data online, hijacked the company’s Twitter accounts, incapacitated the company’s computer infrastructure, and required tens of millions of dollars’ worth of damage control. And the reason Sony was targeted? The North Korea-linked hackers have really only pointed to one thing – a Seth Rogan comedy called The Interview, about an assassination attempt against Kim Jong-Un.
It’s often hard to guess a hacker’s motivations. Sometimes they target those who offended them while others might just choose someone randomly to test a concept or sit back and watch the chaos. But it’s clear from the recent rise in ransomware attacks, that the profit motive is growing in popularity. The more potential value your creative work might have, the greater
Creative workers on the front lines
The same dynamic can hold true for smaller entities and even individual artists. Copyright clearly isn’t enough protection when cybercriminals are happy to put sensitive information on display. Sure, you may still “own” the rights to a leaked song or artwork, but it could become devalued or a hack could reveal information crucial to the production of your art.
Maybe you’re not Sony, but chances are that somewhere on your devices or in your company’s files or servers sits information that you need access to but you’d rather not have others see. Perhaps you have access to a collection of creative assets, like video files or 3D models, from your team, client, or employer. Those might be just the sort of assets a hacker might decide are worth stealing.
If those assets are stored in the cloud your team might feel it’s more secure there. But it might not be. A 2019 hack on Canva gave unauthorized third parties access to user data. Luckily, the data seems to have stayed encrypted, but if you think about all of the websites you use in your creative endeavors and imagine all of your information and projects leaked online, you’re likely to get an uneasy feeling.
Of course, cybercriminals don’t just steal data, they can cut you off from your work tools and communications as well. In many cases, hackers simply ask for a ransom to restore services. They’ve done it to universities, hospitals, software companies, and manufacturers – in other words, they don’t discriminate. And in 2021, the average cost of remediating these attacks (including company downtime, lost orders and clients, and other operational costs) grew to over $2 million – per attack.
Remote work, online meetings, the increasing use of personal mobile devices for work, and the use of the cloud to transmit data can make creatives even more vulnerable to a cybercrime attack. With the rise of hybrid work, we’ll have to pay special attention to our cybersecurity efforts and management should have a comprehensive plan in place as well as an educational program to inform employees about risks.
For collaboration in the cloud in particular, the rewards come with great security risks. The Apple iCloud has been attacked at least twice, first in 2014’s Celebgate, in which sensitive photos were stolen and posted online. In 2017, a ransomware attack threatened to wipe millions of Apple devices connected to the cloud.
We upload things to the cloud without thinking much about how it works or the kind of security is provides. And since it’s a crucial tool for collaboration, we have to think about how we upload and download files in a way that’s less likely to be intercepted by bad actors.
Risks of collecting customer data
Cyber breaches have obvious additional privacy implications for marketers. Brands’ adoption of ever more digital experiences, and the overwhelming benefits of personalizing those experiences, means that brands are entrusted with more customer data than ever. And with the move away from third party cookies, marketers must truly rely on this first party data. But collecting it and keeping is secure are two very different things. Companies that experience data leaks have to do a lot of work to earn back their reputations.
Companies like Target and Home Depot may have earned back customer trust since their data breaches. Or perhaps people simply forgot about those hacks. Or maybe they didn’t yet understand the value of their customer information, and the privacy implications of its release. But people finally seem to be more attuned to the potential misuse of their private data lately. And either way, those breaches also cost millions of dollars to remediate.
Potentially losing control of customers’ personal information is risk not just for big retail stores, but for any brand, large or small. Increasingly the broadcast media driven power of yesteryear’s brands wanes, and new brands thrive on more reciprocal relationships, based on trust. Digital-first companies are especially data-centric and trust-dependent. A data breach exposing the personal information of its customers could be catastrophic for such a brand. An attack that takes down servers and cuts off customers access to a brand’s products can be similarly damaging.
Taking responsibility
In order to get employees at all levels to take cybersecurity seriously, they have to be informed about the risks and the costs of cyberattacks. This is even more crucial for remote workers using their own devices or their own home WiFi that might not have the firewall protection of an on-premises computer network. Employees (from the lobby to the C-suite) also have to realize that hackers use more than just backdoor attempts to access sensitive company data or infiltrate systems – psychological tactics have become just as important.
Hackers have been using social engineering for decades with great success. Long ago, cybercriminals realized it was easier to manipulate people than it was to use brute force to break into computer systems. Today most malware is distributed through phishing emails. Phishing attacks are a good example of social engineering since they often utilize advanced psycho-social tactics. They can come in various forms, trying to convince someone to click a link and enter their login credentials (or their credit card information).
Phishing emails and pop-ups have become very sophisticated. And the concern for companies is that defending against this requires more than technological intervention. Preventing phishing attacks depends upon training employees to spot these emails. That isn’t always straightforward, especially if someone is conducting a targeted attack and they’ve researched the person they’re targeting with a particular email (this is known as spear-phishing).
The point is that hackers only get more sophisticated from here, whether they’re de-encrypting passwords, penetrating databases via SQL injection attacks, using digital eavesdropping techniques, or creating more sophisticated malware such as logic bombs, Trojans, or stealth viruses. And since we all value our data and work tools, we have to take these threats much more seriously as we blend home and work, collaborate with partners, and continue to exchange information via the cloud.
Conclusion
If you’re a highly skilled creative your might feel it’s enough to leave cybersecurity to the so-called “experts”. But the truth is that there are plenty of attacks the experts haven’t stopped, and many of them were because someone carelessly opened an email or downloaded a file that was infected.
Media, gaming, and entertainment companies are prime targets since they have copious amounts of intellectual property and often deal with household names, making even normally mundane data valuable. Marketing departments at any brand can also present enticing targets to cyber thieves.
Cybercrime is a trillion dollar industry and billions have been spent cleaning up the damage caused by cybercriminals. Creatives who have a key role in producing their own intellectual property or collaborating on that of others have to remain cautious about the risks. The personal and professional ramifications could be career-altering.
It’s time for creatives to get serious about cybersecurity since their work and its collaborative nature make them targets. We must all stay vigilant.
Featured Image: Shutterstock