As a news organisation, the BBC's work takes its staff to some inhospitable, and often hostile, places. And the Corporation's news output means it attracts the attention of some less than savoury organisations, including from the darker recesses of the internet.
"We deal with people whose regimes don't want them to talk to us," David Jones, head of information security at the BBC, told Infosecurity Europe. "That informs a lot of how we work."
For Jones, this means protecting communications between the Corporation's journalists and between journalists and their sources. Protecting those sources' confidentiality can be a matter of life and death. But the BBC, along with other news organisations, has become a target in its own right for hacktivists and other online groups. And the broadcaster also needs to protect its commercially sensitive information.
"We've been targeted by various forms of attack," said Jones. "We see a denial of service attack at least once a week, if not more. And there is the constant noise from low-level attacks, phishing and malware."
This has led the BBC to create a robust procedure for protecting data, and protecting its core systems from attack. In part, Jones has drawn lessons from the Corporation's business continuity team, as well as from information security best practice. "We have a core team, and an incident commander who can make quick decisions on our behalf." This helps the BBC information security team to prepare, and also ensures that it can act quickly to shut down any attack and learn lessons afterwards.
This stood the Corporation in good stead when it attracted the unwelcome attention of the hacking group the Syrian Electronic Army. "When it started, it was very simple phishing messages, to try to gain Twitter passwords. But they also realised they could read [news outlets'] webmail. They also started attacking supply chains. But those attacks have become increasingly sophisticated."
The BBC's response was to use automation as much as possible; to detect, block and destroy phishing mails within the Corporation's email system and to warn users on remote devices of the risks. "We kill the malware at the Exchange level, but we also had to get the message to remote users that they could be phished," said Jones. Education, he said, has to be both ongoing, and cover all staff.
But learning lessons is as important as blocking attacks, as is using that learning to strengthen defences, countermeasures and the incident response.
"You need to tell people what could have happened, how close you did come to something catastrophic," Jones advised. "In the case of the Syrian Electronic Army, they did breach a number of mail accounts and obtain Twitter passwords. We were targeted at the start of their campaign, and they just wanted to embarrass us. But we know other organisations that have lost data, which could be career – or even health – limiting."
Security would be improved, Jones concluded, if the IT security industry shared more information and if communications between end-user businesses dealing with similar threats were improved. "As an industry, we don't share enough," he said.