Data security in newsrooms is a massive unknown – the worst thing we can do is ignore it
There are two types of newsroom. Those that have lost data, and those that will.
Last week I was at Eurovision’s news conference – NewsXchange. It’s a fun and thoughtful annual gathering of leaders from (mostly) public service broadcast newsrooms across (mostly) europe.
I produced a session about two currents threats to journalism as I see it. The first is that journalism is increasingly put into the same category as terrorism when it comes to government investigations. This has massive implications for protection of journalists’ sources. If we are unable to keep a secret, because terrorism legislation forces us to reveal it when asked by authorities, how can we expect a whistleblower to trust us with information which is absolutely in the public interest?
The second threat is that large media organisations are increasingly seen as a prestige target by hackers. One example: TV5 was taken off the air for around 18 hours earlier this year.
At the start of the session I asked the audience a set of questions about their news organisation and security of their data. They voted using personal push-button handsets. I want to share the results here as we didn’t have enough time in the session to analyse them in detail.
If you are relatively new to data security threats, they might shock you. Sadly, for the most part myself and the experts I had with me on the panel found some of the results all too predictable.
I should stress this is not a statistically accurate survey, it is simply meant to be an indication of the thoughts of the people in the room at the time.
VPN use: An easy one to start with, and I’m pleasantly surprised that over a third of people use a secure connection on their own computer. However the number of people effectively saying ‘I know I should, but I don’t’ is where I expected it to be.
Data safety away from base: I asked here specifically about how reporters treated any data-carrying equipment once it was out of the office. How well do they stick to the IT rules?
I was particularly interested in the results of option two, as it’s an indicator of the extent to which corporate IT policies get in the way of newsgathering workflows. In many cases side-stepping the rules temporarily in order to speed the story back to base is acceptable as long as you’ve assessed the risks well enough.
I wasn’t prepared for a full two-thirds of the voters either not knowing when their reporters might be taking risks with important data, or not knowing what procedures were even in place!
Mobiles: I’ve seen this on many occasions. A reporter can’t get their work phone to do what they need it to, so they use their own phone, and half the respondents do not think this is an issue! The danger here is that a personal mobile phone is far more likely to be a ‘leaky’ data device. For a start, what happens if it gets lost or stolen with contact details of anonymous sources on it?
To what extent are you expecting a data breach: I am glad to see that most people are realists. It is extremely hard to prevent attacks, what matters is how you prepare for one and what you do afterwards. (The data theft from UK phone company Talk Talk had occurred just a week before. It was the third such attack and the company head didn’t even know if the data was encrypted or not! Astonishing.)
How effective do you think your corporate systems are: At least 20 percent of the respondents have a false sense of security, half need to ask better questions of their IT chiefs. Only a third of those who pushed a button are ready to properly plan for the attacks that will certainly come.
A quick note to the results: I’m displaying the questions in the order they were asked, but I don’t know the total number of votes that were counted, and of the 180 or so people in the room, not all would have voted and not all might have voted for all the questions.
I always welcome insightful comments. If you know something which would add to our understanding of these results, please let everyone know.