Making Online Art Platforms Safer and More Resilient with Cybersecurity
The internet is rife with fraudulent behavior. The unfortunate combination of security flaws and hackers can bring about disastrous outcomes for any platform that does not comprehensively seal all of the vulnerabilities in its cybersecurity infrastructure and practices.
The art market is not a stranger to fraud. In recent times, hackers have targeted the industry with various digital tools used to intercept communication and subsequently commit man-in-the-middle scams. One such case occurred in January 2020, when a prominent Dutch museum became a victim of fraud. Hackers intercepted email messages between the museum and an art dealer, resulting in $3.1 million being transferred to the criminals’ account.
The majority of fraud cases in the art industry revolve around email communication. But what will happen if the nascent online art platforms — online galleries, online marketplaces, online auctioneers and online art management solutions — become a direct target? The potential repercussions could be catastrophic for the art industry and its move to online platforms.
To prevent online art platforms from being victims of fraudulent behavior, it is vital for the entire industry to invest the appropriate amount of time and effort required to ensure adherence to the best cybersecurity practices. Fortunately, online e-commerce is not an uncharted area, so the art industry can learn a great deal by looking at how other industries have approached and implemented cybersecurity measures to protect themselves from being exploited by hackers.
Assessing Susceptibility to Potential Threats
Vulnerability assessment is the vital starting place to ensure effective protection from cyberattacks. The assessment process allows the team to evaluate the state of a platform’s security before planning its strategy to eradicate the risks.
An assessment should begin by gaining an understanding of which data is sensitive and the potential consequences of it being compromised. The second and likely most laborious stage involves analyzing the platform’s weak points and assessing a team’s knowledge of cybersecurity practices. Last but not least, it is vital to examine the potential threats that could come from third parties.
Determining Data Sensitivity
In the art industry, several data types are considered sensitive. For online auction platforms and marketplaces, some of the key points involve the personal information of buyers, sellers, and consignors. This sensitive data includes the names, phone numbers, email addresses, payment details and especially the physical addresses of buyers, as these are the destinations where purchased artworks will be shipped. Since auction specialists spend a great deal of time courting and building relationships with potential consignors and wealthy collectors, protecting their personal data is a vital component of ensuring the health of these essential relationships.
In addition to the information above, art management platforms must protect the names of the pieces in organizational and personal art collections to preserve the confidentiality and privacy valued by their owners. Another component that must remain safe is pricing information, as galleries and dealers may track several different prices for a single piece of art based on various discounts that can exist for specific clients. If this data is leaked, it could wreak havoc on the trust-based relationships that are essential for the industry’s success. Additionally, it is vital to protect data related to contextual information about artworks in a collection or about artists that a gallery represents, such as the names of collectors who have previously owned a piece, waiting lists for purchases, and prior concerns over authenticity.
Assessing Internal Risks
Security Code Review
The goal of this assessment is to identify potential weaknesses and flaws in the software code being used by online art platforms. While some industries mandate secure code reviews as a component of compliance requirements, every online platform would be wise to perform this assessment to ensure a secure environment. Some of the primary areas that a security code review focuses on include authentication, authorization, data validation, encryption, and error handling.
Ideally, “assessing software code for flaws that may compromise system security should be a regular, ongoing activity that is built into the software delivery process for the platform,” says Denis Chernobrovkin, Delivery Manager in DataArt’s Media & Entertainment practice, who has first-hand experience helping art industry clients conduct security code reviews. DataArt’s approach to helping clients secure their online platforms includes advising clients on best development practices to ensure high-quality code and safe handling of user data, which mitigate security risks and limit the threat of attacks through data manipulation.
The security code review process can be conducted either manually or through automated tools, but it is advantageous to choose the manual route, as the chances of detecting all issues with this method are higher. Always ensure that those who are reviewing the code are well-versed in the language used to program the application, knowledgeable about the best secure coding practices, and aware of the entire context of the platform.
Cloud Security Audit
The aim of a cloud security audit is to find security gaps and identify issues that have not yet been addressed, as well as to verify that the implemented security controls are in line with the company’s policies. A cloud security audit is used to analyze the infrastructure and processes being used by a platform. One of the primary components of this assessment is access management, to ensure a comprehensive understanding of who can access the cloud services and the specific levels of access for each user type. Additionally, the assessment is used to determine appropriate alarms for the specific data being collected and/or stored, thereby implementing safety guards to catch illicit activity before it is too late to stop it.
Some of the other components of a cloud security audit include assessing the integrity of the application and related infrastructure, the architectural design and hosting strategy, reliability, data privacy, encryption practices, and data retention policies. These assessments can also flag lapses in keeping servers and operating systems up to date with the most recent bug fixes and security patches, a basic but essential step in hardening a platform’s infrastructure against cyberattacks and zero-day vulnerabilities.
The reality is that many organizations, particularly in the traditional art market, do not have the necessary in-house expertise or resources to ensure a secure environment. By consulting with external security experts, an organization can be certain that every detail of its application has been effectively analyzed and secured against all potential vulnerabilities and cyberattacks. And although there is an expense incurred, using an external company is often much cheaper in the long run as it prevents the exploitation of applications, which can lead to devastating financial losses and damage to reputations.
Penetration Testing
The aim of penetration testing is to simulate a cyberattack to identify any exploitable vulnerabilities while determining the ability of a system and team to handle an attempted attack with minimal consequences. Once the simulation has been planned, the next step is to analyze how a target application responds to various types of attempted intrusions. Once this has been completed, any vulnerabilities found are put through every conceivable hack to determine the level of potential damage that could be caused in a real attack. Finally, the team will attempt to maintain access via the vulnerabilities to determine if a long-term presence from hackers is a possible outcome.
Social Engineering Test
According to Hiscox, a common type of ransomware attack is a targeted attack where a hacker group will specifically target key individuals with personalized phishing scams, so workforce awareness of such scams is vital. By simulating a phishing attack, this test allows the security team to evaluate the level of social engineering awareness. To conduct social engineering testing effectively, the team must try to think like a hacker to ensure an accurate simulation. The first attempt is to get malicious code past the set parameters so that opening an email attachment will release malware into the system. Phishing emails are often also intended to collect credentials from users to save for future attacks.
The testers will try a variety of phishing attacks, from simplistic and seemingly obvious messages to more complex and customized alternatives. Once the test is complete, the team will analyze click rates, login numbers, and flagging instances to determine the most effective ways for the application owners to improve their security practices to protect their environment for the future.
Establish Cybersecurity Protocols
Security Assurance Program
It is vital to embed security in all applications from the outset to ensure that the development process and solution conform to a client’s security standards and compliance requirements. A security assurance program also guarantees that a solution is implemented according to security best practices and that it is sufficiently protected from relevant threats and attackers.
The program focuses on preventing the unauthorized disclosure of sensitive information, ensuring the accuracy and integrity of data, and making sure information will be available when needed. Additionally, this process includes the analysis of an application’s architecture, security controls, and event management.
Security Compliance
Security compliance aims to gain a complete understanding of both the current and future security standards and cyber regulations to ensure full compliance by staff and partners in every component of a system. This process includes cyber risk management, security and regulatory compliance, third-party risk assessment, and cyber insurance management.
Evaluation of External Risks
The most common external cybersecurity risks originate from third parties. There are many situations where a company has to put sensitive information in the hands of a third-party organization, such as an integrated payment system provider, making it vital to analyze the potential vulnerabilities that could be derived from a collaboration of this type.
Be certain that cybersecurity is included in every business agreement made with third parties that have access to sensitive data to ensure that you are suitably protected even when your information is elsewhere. It is vital for contracts to explicitly define all cybersecurity responsibilities to avoid issues falling through the cracks while one side expects the other side to handle them.
Review Storage Options
These days, virtually everything is stored in the cloud. It is essential to review all third-party cloud contracts to understand precisely where data is being stored to facilitate compliance with the data laws in each specific location. For example, some governments require a copy of all data stored within their jurisdiction. Not being aware of regulations of this type can lead to non-compliance and associated problems in the future.
Assess Security Practices of Partners
It is highly advisable to determine a potential partner’s approach to data security before finalizing a contract. Be sure to study their policies and preventative measures to determine the quality and care of their practices, and always check their policy about security breaches to understand what steps they will take in the event that data is compromised.
Working with Cybersecurity Providers
To avoid the potential devastation resulting from compromised data, it is highly advisable to utilize the services of a cybersecurity provider. Through our work at DataArt, we have seen countless instances where breaches could have been prevented if the organization had used the services of a firm like ours to ensure a secure environment before an attempted attack was launched. By helping an organization to detect and respond to evolving cyber threats, a cybersecurity provider can save a company massive amounts of money and protect its reputation while ensuring that its systems are running smoothly without the downtime required to repair an exploited environment.
As the art industry increasingly moves online and digital marketplaces for art flourish, the attendant dangers must be given due attention. It is vital to implement effective security practices before an attempted cyberattack occurs. Security breaches can be catastrophic events, typically costing massive amounts of money and often destroying the reputation of an organization and even an entire industry. That is why it is essential to take all of the necessary steps required to develop comprehensive cybersecurity practices from the beginning, thereby ensuring compliance with industry and governmental standards while keeping data secure and retaining a trustworthy reputation for a successful future.
By Doron Fagelson,
VP Media & Entertainment at DataArt