Protecting content in the digital age: Navigating the evolving threat landscape in media publishing

In today’s digital landscape, safeguarding sensitive information has become a top priority, especially for media publishing companies where the protection of data and intellectual property is crucial. In this exclusive interview, we sit down with Anoop Kumar, Head of Information Security Governance Risk and Compliance at GulfNews, Al Nisr Publishing, to discuss the evolving challenges of cybersecurity in the media industry. Anoop shares insights on the latest threats, strategies for protecting content and user data, and how the company is navigating the complexities of information security in an era of constant digital transformation.

Q. Let us know more about you and your role within Gulfnews,  Al Nisr Publishing?

A. I have been working at Al Nisr Publishing for the past 27 years, carried many roles in the entire IT domain and specialized in Information Security, Governance, Risk, Compliance, Project Management, Change Management, Audits and DR & BCP practices. During this tenure, defined all information Security and Governance policies, procedures and guidelines and educated all involved parties on the same. Helped organization in not only protecting information assets but also bringing in GRC practices to reduce operational cost, risk and improve performance. Cybersecurity GRC by design concept implemented and embraced the users and all stakeholders to practice it.

Q. What cyber threats can a media publishing company face?

A. Digital news engagement is outpacing traditional print media, and this transformation is opening more doors for cyber attackers to deliver disinformation, steal subscriber data, and disrupt operations. Moreover, reputational-damage threats and geo-political-based attacks are increasing too. The media publishing industry does not have mandatory regulatory compliance and a sophisticated elevated threat landscape, and is a comparatively less cyber mature industry, yet faces the same external threat level as other industry verticals. This makes the media publishing industry an easier target for attackers. During the production and distribution phases, many people and technologies interact with the content, not all of whom are internal to the media organization. As a result, media companies may not have comprehensive cyber defence capabilities to cover the full spectrum of interactions with the supplier ecosystem. On the other hand, phishing and spam emails trap less cyber-educated journalists to steal their identities.

Q. What are the most prevalent types of threats to network security in recent years?

A. Misconfigurations and lack of security baselines, skill gaps and Human error, OT – IT convergence and related vulnerability exposure, Vulnerable unpatched assets, Absence of continuous automated security control assessment practices, Malware, Ransomware, Phishing, Man-in-the-middle (MitM) attacks, Distributed denial of service (DDoS) attacks, SQL injection,  etc.

Q. How much adoption are you seeing in the security team today, and how much AI is under the hood of the products most organizations have deployed?

A. I would say, AI is part of all modern security and business solutions using ML support to reduce operational cost, and risk and improve performance. However, such exposures are highly targeted by hackers using the same AI approach by the bad guys. Business workflow automation is at a higher rate using AI-featured solutions. Example: content demand and delivery based on conditions. In Cybersecurity, threat detection, response, awareness and education is AI-driven and increasing at a high pace.

Q. How do you implement a cybersecurity culture in your organization?

A. A deep-rooted cybersecurity culture is indispensable for any organization navigating today’s digital threats, especially in less matured newspaper media organizations. The advent of sophisticated cyberattacks mandates a well-informed and proactive stance, starting with the eradication of ignorance around cybersecurity risks. We must educate Employees to recognize the repercussions of their online behaviours, such as the dangers of phishing attacks or the consequences of weak passwords, to help fortify the company’s digital defences. Embrace employees to engage in hands-on simulations and scenario-based learning, which are augmented by AI for personalized learning journeys. We must define a GRC-driven Cybersecurity program and promote cross-functional collaboration to enable every facet of the organization becomes an integral part of the cybersecurity strategy, ensuring a holistic defence mechanism is in place. Defining adequate roles and responsibility resulting better ownership and maturity among employees. Make visuals of policies procedures and guidelines and place them across all organizational units.

Q. Where is the company going to invest next year and what are your goals?

A. Cybersecurity GRC by design: a solution to educate all stakeholders on top-down and bottom-up enablement in GRC, which must bring operational cost, and risk reduction and improve operational performance and compliance. Also, Generative AI; is a double-sided sword we must embrace and operate with adequate Governance to achieve business goals and cyber protection. 

We are investing to manage Third-Party Cybersecurity Risk: The inevitability of third parties experiencing cybersecurity incidents is pressuring security leaders to focus more on resilience-oriented investments and move away from front-loaded due diligence activities. We must consider enhancing the risk management (continuous) of third-party services and establish mutually beneficial relationships with important external partners, to ensure their most valuable assets are continuously safeguarded and start by strengthening contingency plans for third-party engagements that pose the highest cybersecurity risk by creating third-party-specific incident playbooks, conduct tabletop exercises and define a clear off-boarding strategy involving timely revocation of access and destruction of data.