In digital media trust is everything, without it your business model doesn’t work. Cybersecurity can be a key component, ensuring the integrity of your services. Check out this brief guide to securing your data.

1. May 7, 2015
For digital media companies, the trust of their consumers and users is often
at the very heart of their business models. Indeed, the value proposition of
photo-sharing sites, social media platforms, and health and fitness sites
(particularly those associated with the ever-increasing number of wearable
monitoring devices), among others, are entirely predicated upon user-
provided content. But consumers’ willingness to provide that content
inevitably involves an element of trust. With so much riding on that trust,
data breaches and the theft of user information can do crippling damage to a
company’s reputation. Despite this, few companies, large or small, devote
adequate resources to effectively mitigate this risk until the inevitable
happens — a breach event.1
Smaller companies and businesses just getting off the ground might be inclined to overlook engaging in thorough
cybersecurity efforts because they see themselves as not worth a hacker’s time and attention. However, this is an
often disastrous assumption. For many digital media companies, the transition to worthwhile target size comes
`
For digital media companies, effective cybersecurity programs a
must

2. Data security at your company is
only as strong as the weakest link
in the chain.
quickly. Take Snapchat, which grew rapidly from a 2011 startup to the target of a 2013 hack to, ultimately, a
confirmed 2014 data breach victim.2
Other players may understand the importance of cybersecurity, but they suffer from a sharp disconnect between
the quality and soundness of the cybersecurity program they think is in place and the facts on the ground. Too
often, companies limit their security efforts to threats arising from external sources when, in reality, the risks are
more prevalent from inside the house. Internal vulnerabilities — namely, a company’s employees — pose an even
greater risk to companies’ data. Furthermore, most companies fail to instill cybersecurity into their corporate
cultures, reinforcing the notion that information protection must be everyone’s responsibility. After all, data
security at your company is only as strong as the weakest link in the chain.
To create an adequate cybersecurity program, companies must
start by acknowledging that ignorance is not bliss. Examining
their internal data shortcomings in good faith, making sure that
vendors who touch sensitive data are secure, and removing
cultural obstacles to getting all these things done are the key
steps in the process. Those who follow this path are much
more likely to survive an attack, and may even turn
cybersecurity into a source of competitive advantage.
Payment card standard only a partial solution
While customer data of all types make attractive targets for theft, among the most worrisome — and well-
publicized — are those intended to steal credit card data. For merchants of all sizes who accept credit card
payments — whether online or offline — the Payment Card Industry Data Security Standard (PCI DSS) includes
requirements for handling consumer payment card information. For various reasons, however, many companies are
falling short on compliance. The Verizon 2015 PCI Compliance Report,3 for example, found that while the average
compliance with individual PCI DSS requirements continued to increase in 2014, 80% of companies still fell short
of full compliance with the standards. What’s more, the wide variety in companies’ ability to meet individual PCI
DSS requirements indicates many still don’t have a comprehensive data security program in place.
Dangerously, some believe they are compliant with the PCI DSS even though they don’t fully understand the
requirements. In addition, many organizations don’t realize that there are new requirements in the recently released
PCI DSS 3.0 version of the standards — which, among other things, require companies to be more proactive in
cybersecurity, require more documentation of companies’ data security efforts, and require businesses to scrutinize

3. the data security protections of all of their service providers who might touch a credit card transaction.
Even if fully implemented, by their nature PCI DSS requirements aren’t designed to prevent cyberattacks and offer
digital media companies only limited protection. In addition, many cyberattacks are against companies designated
Level 2, 3 or 4 merchants by the PCI DSS (those doing fewer than 6 million Visa transactions annually), which face
less stringent compliance requirements than the largest companies.
Ultimately, as the PCI DSS only addresses payment security card information, digital media companies should
consider compliance with the standards just one element of achieving an appropriate level of cybersecurity. Other
sorts of sensitive information in their possession, such as names, addresses, Social Security numbers or health care
information, must be protected as well, to say nothing of sensitive intellectual property such as patents and trade
secrets.
In every data breach, a wide range of possible risks
Data breaches pose a number of potential risks to digital media companies, some common across various sorts of
businesses and others associated with specific industries.
Among other things, digital media companies could face various legal and regulatory risks as a result of the
exposure of customer data, including data breach notification requirements. While as yet there is no national
requirement to notify consumers whose information has been compromised, most states now have some version
of such laws in place. In addition, the White House has proposed new legislation, the Personal Data Notification &
Protection Act, which seeks to standardize notification requirements for companies that experience data breaches.
In addition to state requirements, some digital media companies dealing with consumer health information may
also be subject to requirements under the notification requirements of the federal Health Insurance Portability and
Accountability Act.
Digital media companies handling the data of children or students might run afoul of the Children’s Online Privacy
Protection Act or U.S. Department of Education guidelines related to the privacy of student information while
using online educational services. And U.S. digital media companies with consumers and users in other countries
might be subject to those countries’ privacy laws and regulations such as the European Union’s Data Protection
Directive and EU-Privacy Directive.
In addition to the regulatory risks, the threat of data breaches poses various other exposures for digital media
companies, including financial risks associated with the loss of business or litigation, reputation risk or the risk of

4. Everyone at a digital media
company should be involved in the
cybersecurity effort.
loss of consumer trust, the theft of proprietary information, websites being defaced or compromised by hackers,
and consumers receiving fraudulent information as a result of a data breach.
What should digital media companies do?
At the heart of creating an effective cybersecurity program is the question “What data do I have and what do I do
about it?”
The first step is creating a data classification policy addressing which data in the company’s possession is sensitive
and which is not, and what security levels are required to protect sensitive information. As important as this is,
however, many companies have put off creating such policies because of the cost and effort involved.4 This
process often involves a discovery phase of identifying what type of data you have and where it resides. Then the
data (customer, employee, etc.) needs to be designated according to its sensitivity to the company. Once this is
complete, the protection level for each classification level needs to be defined and agreed upon.
Once a digital media company has classified its data, here are a
number of additional steps it should take to ensure that it’s
securing that information effectively:
1. Find and face internal risks head-on
A company’s employees pose the single greatest
cybersecurity risk by engaging in activities they shouldn’t, either intentionally or not. By failing to address
employee-related vulnerabilities, many companies aren’t limiting access to their systems to the extent they
think they are. Some common sources of data breaches include malware on an employee’s laptop, employees
falling victim to phishing scams, hackers taking advantage of weak passwords and so-called watering hole
attacks. Watering hole attacks involve hackers first gathering intelligence to identify trusted websites visited
regularly by employees — a local restaurant from which employees frequently order lunch, for example —
then placing malicious software on the trusted site with the goal of infecting the target company’s computers
on future visits.
Given the cybersecurity vulnerabilities presented by employee activities, it’s essential that well defined user
policies are clearly communicated to employees. Enhancing employee awareness on the mechanisms of
malware, phishing, spear phishing and social engineering attacks, as well as the continuous reinforcement of
internal security policies, is critical to the creation of an effective security culture. The most security-conscious
companies employ continuous vulnerability scanning and resiliency testing tools to shed light on existing

5. vulnerabilities. Barring major investments in automated tools, small steps, such as encouraging employees to
call out insecure practices by their coworkers (e.g., leaving desktop computers logged in and unattended, using
unencrypted wireless while working, unregulated bring-your-own-device policies, poor coding practices), can
go a long way toward embedding a security-conscious culture.
2. Fix what you know is broken
Most cyberattacks over the past two years have involved previously targeted vulnerabilities or weak passwords.
Obviously, companies should patch identified vulnerabilities, require the use of strong passwords and consider
enforcing two-factor authentication for administrative level access, in addition to conducting regular
vulnerability scans. For smaller companies with limited resources, there should be a regular program of
scanning for vulnerabilities and patching those discovered, even if they do nothing else. Digital media
businesses also should consider implementing two-factor authentication, as well as encourage consumers to
use strong passwords and familiarize themselves with privacy/security settings, where appropriate.
3. Stay on top of vendors
Digital media companies must also address third-party exposures. Vendor management is a risk for all
businesses and, like others, digital media companies should understand from a risk perspective what every
vendor is doing and whether they’re taking adequate steps to protect data. Companies should ensure that
vendors who might handle their data are contractually obligated to protect data at the levels where it should be
protected, and that those vendors are receiving the appropriate data security reports and independent reviews
(such as PCI DSS, SOC 2 reports or ISO 27001) as appropriate.
4. Make cybersecurity everyone’s responsibility
While placing responsibility for the cybersecurity program with a chief information security officer is ideal, for
many smaller digital media companies ultimate responsibility often resides with the IT director. Ultimately,
though, everyone at a digital media company should be involved in the cybersecurity effort. A good guide is
the National Institute of Standards and Technology’s cybersecurity framework,5 which suggests that
cybersecurity responsibility should be clearly defined across the organization, with each department
understanding its responsibility and having been trained accordingly. Generally, digital media businesses should
review their cybersecurity programs annually, examining the program from a number of angles. Meanwhile,
vulnerability management should be conducted continuously.
5. Strive for continuous improvement
With a cybersecurity program in place, there are a number of ways a digital media company can gauge its
effectiveness and identify areas of needed improvements. Regular audits can provide valuable information
about a cybersecurity program, and digital media companies should take the suggestions of independent

6. For a digital media company, proper
emphasis on data security can
provide a source of competitive
advantage.
auditors to heart.
Digital media businesses can also include security measures among key performance indicators, tracking such
things as time to patch vulnerabilities after they’re first discovered, findings from weekly cybersecurity status
meetings, the time it takes the business to respond to a data security situation like a stolen laptop and the
number of viruses detected per week.
The
benefits of proactive cybersecurity — for digital media companies, the time to act is now
For digital media companies, the potential benefits of a proactive cybersecurity program are numerous. One is
simply outrunning the bear, or at least competitors that are less prepared to deal with cybersecurity threats; by
having a proactive approach to cybersecurity, you are able to effectively demonstrate to customers and other parties
that you understand the seriousness of your responsibility for protecting their data. This, in turn, can translate to a
market advantage by having a mature cybersecurity program and the audits to back it up.
An effective cybersecurity program also can be an asset if
you’re looking to sell your business, while the lack of such a
program might raise some troublesome issues as potential
buyers conduct their due diligence.
If a data breach does occur, having a practiced set of processes that facilitate a rapid response can certainly help
limit damage (see “What to do after a data breach” sidebar). In the event of a breach, a solid cybersecurity plan also
puts you in a much better position with regulators, customers and other stakeholders looking to assign blame.
Cybersecurity in practice
Netflix created a tool called Chaos Monkey to test the resilience and
recoverability of its Amazon Web Services (AWS) cloud operations. Chaos
Monkey randomly creates failures in the Netflix AWS architecture to test
the company’s ability to respond to the outages. In 2012, Netflix released
Chaos Monkey into the wild, making the source code available to others
interested in using it to test their system resilience and recoverability.

7. Given the importance of consumer data and trust to their businesses, digital media firms must put sound
cybersecurity programs in place if they are to succeed. Those programs are best established early in a digital media
company’s life when they can be created at lower cost, grow with the company and become part of its strategic
thinking. While the potential consequences of failing to craft an effective cybersecurity program can be significant
— even catastrophic — for a digital media company, proper emphasis on data security can provide a source of
competitive advantage.
What to do after a data breach
For digital media companies, as with those in other businesses, it’s just a matter of time until a data breach occurs,
whether the company realizes it or not. To minimize the fallout, organizations need to prepare their data breach
response in advance.
Companies should have a detailed data breach response plan in place, identifying key players in that response and
establishing their responsibilities. Once the plan is in place, the company must train employees and test the plan
regularly, making any necessary adjustments as needed.
When a breach does occur, digital media companies should do the following:
Notify proper authorities such as the FBI and others who might be appropriate to your industry
Don’t make immediate changes to your systems — allow yourself time to determine exactly what happened
and how the attack occurred
Secure system logs — hackers will often try to alter them to cover their tracks.
Preserve evidence
Involve your public relations team, because the event may well draw both news and social media attention
Advise the public of the steps you have taken to prevent a data breach and the steps you’re taking to address it,
and assure them you’re taking further action to prevent future breaches
Take advantage of existing incident response resources and guidance addressing such areas as business
continuity and data security

8. Download the PDF.
Contacts
Steven Perkins
Managing Director
Technology Industry Practice
T +1 703 637 2830
E steven.perkins@us.gt.com
Orus Dearman
Director
Business Advisory Services
T +1 415 318 2240
E orus.dearman@us.gt.com
1 Kapersky Lab. IT Risk Survey 2014: A Business Approach to Managing Data Security Risks, 2014. See www.kaspersky.com for details.
2 Olivarez­Giles, Nathan. “Snapchat Data Breach Exposes Millions of Names, Phone Numbers,” The Wall Street Journal, Jan. 1, 2014. See www.wsj.com for details.
3 Verizon. Verizon 2015 PCI Compliance Report, 2015.
4 For more insight, see Skip Westfall’s article, “Unprepared Organizations Pay More for Cyberattacks,” originally published in Grant Thornton’s CorporateGovernor newsletter on Feb. 4, 2015.
5 Created through collaboration between industry and government, the Framework for Improving Critical Infrastructure Cybersecurity consists of standards, guidelines and practices to promote the protection of critical
infrastructure.
See more at: http://www.grantthornton.com/issues/library/articles/technology/2015/Software/05­digital­media­cybersecurity
About Grant Thornton LLP

9. About Grant Thornton LLP
The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest­quality service to public and
private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading
organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as
each member firm is a separate and distinct legal entity
In the United States, visit Grant Thornton LLP at www.GrantThornton.com.
Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues
discussed, consult a Grant Thornton client service partner or another qualified professional.
© 2015 Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd.