Cybersecurity and the Arts

Working in the arts, DWG sometimes hears that they don’t need all of the security standards of large corporations. I am reminded of a non-profit executive telling me awhile back that they don’t need to be like the Pentagon when we recommended a two factor authentication system. This article was inspired by a genuine concern that many art organizations may not be fully aware of the consequences of the slippery security slope.  Our hearts sank as we heard of The Met’s ordeal and our minds were outraged.  DWG does not know the exact cause of The Met cyberattack so this is not meant to be in any way derogatory to the wonderful folks at The Met. References and articles are included below.

Beginning on December 6th, 2022, hackers started the process of breaching the Met Opera’s information infrastructure. By December 7th, a cyber attack against The Metropolitan Opera in New York was well underway. The attack affected the opera’s network systems, including its internal network, website, ticketing server, box office, and phone center. The Opera’s website was restored eight days later, on December 15.

During this period, the opera continued its performances, and the Lincoln Center for the Performing Arts supported ticket sales until the Met could recover from the attack (Kudos Lincoln Center!). While the exact magnitude of the damage has not been disclosed, the stoppage in ticket sales effected revenue. According to Peter Gelb, The Met’s general manager, the opera earns roughly $200,000 in ticket sales per day throughout this season. Because the malware impeded the opera’s ability to sell tickets, seats were temporarily sold for $50 on the Lincoln Center for the Performing Arts website.

The cyber attack on the Met is far from the first on a cultural institution. In 2019, ransomware attacked the Asian Art Museum in San Francisco. In 2020, hackers obtained access to personal information from hundreds of cultural institutions and NGOs.   I’m sure you all have heard plenty of stories of hacks and cyberattacks.

Hackers do not care whether a business is a Fortune 500 company, a small business, or not-for-profit cultural institution like The Met, all these institutions still make transactions and hold their customers information.

A month after the attack on Met Opera, the attackers have yet to be identified, but The New York Times underlined the opera’s vocal support for Ukraine amid the ongoing Russia-Ukraine conflict.

But whatever the motivation and tactics, the cyberattack on the Met should serve as a wake-up call to other cultural organizations. Anyone could be a target. “I usually warn clients that everyone, regardless of size or sector, is a target. It should not take an occurrence like this to wake up other cultural institutions to the fact that they are in grave danger,” says Richard Sheinis, partner and head of data privacy and cybersecurity at full-service legal firm Hall Booth Smith.

Cultural organizations, like performing arts centers, theaters, and museums, are typically attractive targets for cyberattacks since they may not always have the time, money, skill-set, or up-to-the-minute understanding to build a good cybersecurity strategy. Unlike many for-profit organizations, which are victims of zero-day* vulnerabilities, the bulk of security breaches in smaller enterprises and most non-profits are caused by preventable flaws in human/device interaction. The untold story of cybersecurity is how criminals leverage the imperfect nature of humans to further their own goals.

Finding funding for cybersecurity is often difficult at a non-profit but it is a worthy investment.  A good security posture today, can save hundreds of thousands later, but many people are hard pressed to believe that it could happen to them. Furthermore, many cultural institutions are still striving to recover from the COVID-19 pandemic and are not in a position to embrace the additional concerns brought about by cybersecurity.

So, bringing cybersecurity to the forefront in a cultural institutions is the first critical step. Subsequent evaluation of the infrastructure, and investment in prevention, detection, and response can help lower the likelihood of cyber attacks while also mitigating the damage of an attack if one occurs. It is always recommended that the evaluation phase be done by in-house IT team, then if company lacks the means to retain in-house cybersecurity personnel, it can turn to third-party cybersecurity firms.

Please remember until you get a cybersecurity firm to help:

  • Layered firewalls (one from your service provider, one for your institution, and if you are running your ticketing server in-house, one more for that)
  • Separation of subdomains for internal and external networks,
  • SSL
  • Two-factor authentication
  • And for goodness sake, we recommend your site should not be on the same operating system as your ticketing server (if one is on windows, the other should be on Linux) – make the hackers work more difficult (hardening). If they are the same, security should be monitored in real-time.

* The term “zero-day” refers to newly found security flaws that hackers can exploit to attack systems. The term “zero-day” alludes to the fact that the vendor or developer only recently discovered the fault, implying that they have “zero days” to repair it. A zero-day attack occurs when hackers exploit a weakness before engineers have time to fix it.


Posted by The Met:

“After suffering a cyberattack that temporarily impacted our network systems, we’re pleased to announce that the Met is now able to process ticket orders through our website and in person at our box office. Based upon our ongoing investigations into the recent cyberattack, we would like to reassure our customers that ticketing customer data, including credit card information used when purchasing tickets, has not been stolen. We do not keep credit card information in the systems that were affected by the cyberattack. Thank you for your patience.”



Risk Management and the Arts

Risk Management and security are one of if not the biggest issue facing art organizations today. Unfortunately, it is not just because it may prove daunting but because it is rarely taken seriously within the organization until trouble arises.

Gone are the days when acquiring a HiTrust Certification, SOC2 type 2 auditor’s report, or an ISO 27001 accreditation was enough to defend your firm appropriately. Many seasoned practitioners knew that such a milestone was never a reliable indicator of an organization’s security posture or maturity. And it appears that the rest of the world has finally caught on.

The security threat environment is expanding in tandem with legislative and governance needs. Attacks have become more numerous and sophisticated, the number of attack channels has increased, the attack surface for businesses has increased substantially, and the complexity of our digital footprint has increased even further. In addition, the severe shortage of qualified and available workers to fill security tasks, including Governance, Risk, and Compliance (GRC), compounds the problem.
In short, GRC leaders face numerous hurdles in today’s firms. Yet, surprisingly, I hear little talk regarding the most efficient ways to run a modern GRC or risk management program. Because each firm is unique, there may be a variety of answers. There are, nevertheless, methods for modernizing your procedures.

  • Do you have a Risk Management Program in place?
  • How are you currently managing risk?
  • Why has technology changed so dramatically while GRC programs have remained the same?
  • Is there a more efficient way to manage today’s modern GRC program?

Before we begin discussing possible solutions, let’s review the basics:
Governance refers to an organization’s statutory or contractual obligations regarding security, risk, and privacy objectives. Noncompliance can result in severe fines and even criminal prosecution in some situations.
Risk refers to managing risk within an organization, focusing on security and privacy standards.

However, this merges with Enterprise Risk Management. Enterprise risk management (ERM) is detecting, analyzing, and treating a company’s risks based on an ongoing assessment by executive management. ERM includes examining the company’s exposures in financial, credit, fraud, strategic, and operational problems.

Compliance refers to an organization implementing security and privacy controls to meet governance standards and decrease risk. Internal and third-party external audits are a significant component of compliance.
My personal experience is firmly rooted in the NPO space, having spent the last 20 years helping many of our art clients with their IT audit and compliance. Based on that, I have some thoughts.

The sheer number of regulatory requirements a modern NPO must meet can be overwhelming. Similarly, managing organizational politics in an NPO is challenging, both for and against risk containment. Security, particularly GRC, has typically been viewed as a cost center rather than a value generator. And as I have stated in previous conversations, seen as a barrier to creativity.

Personnel shortages and burnout are at an all-time high, compounding the problem. According to industry analysis, this gap will continue to increase in the near term and will be a concern for quite some time.
Every day, we hear about one breach or another, and everyone is trying to move towards a more secure posture. However, these areas have financial consequences and criminal prosecutions due to a lack of monitoring and care.

In today’s environment, the message is clear: No matter what problems companies face, they must reasonably preserve the security and privacy of the data.

Running a Risk Management Program

A comprehensive alignment among the leadership is required to establish a more sustainable and scalable approach. Accepting “growing pains,” the additional initial costs, and facilitating cross-organizational working groups are all part of this. Everyone benefits from this arrangement, and key stakeholders must understand how they may help so that they can passionately buy in and be change champions.

To start the process, you must determine what regulatory obligations your firm should meet. The correct response would be, “Ask your auditors when they come in,” however, most auditors assign their most junior, fresh off-the-robe (just out of college) individuals to manage in-house audit interactions. So your best bet is for your Finance Officer to call one of your audit firm’s senior partners and obtain a summary of the regulations you must follow.

After defining the requirements, the hard work can begin, which begins with a thorough understanding of the organization’s environment. For example, what people, procedures, and technology does the organization have? What is the organization’s culture? What is the organization’s risk tolerance?

What is the organization’s risk tolerance? If you can’t answer these questions, you can’t assess compliance adequately. During this phase, we are attempting to piece together several essential views of the organization:

  • Purpose, vision, and operational needs
  • Lines of business
  • Organizational Structure
  • Key business processes
  • The digital and physical footprint
  • Assets
  • Data processing and storage

Traditionally, there are numerous emails, direct messages, and meetings. As a result, all parties involved experience duplicative manual processes, exhaustion, and dissatisfaction. It’s simple to “drop the ball” or “miss the mark” on even the tiniest of tasks in the traditional way.

You will need a SecOp person to gather the data and get the closest approximation of the organizational reality. This person must have sufficient power to assemble and distill the information for executive review.

SecOps is a relatively new concept that refers to security functions collaborating with DevOps teams (Development and IT) early and frequently and incorporating “paved roads” with “guardrails” into the process.

The teams that are continually maintaining the environment, deploying updates, and keeping the “lights on” are the stars of the show here (DevOps), and it is critical for modern GRC teams (SecOps) to collaborate and integrate with these teams. The most vital connection to cultivate for a modern GRC practitioner wanting to update their program is this one. Cross-training between GRC experts and technical teams is required. Both groups can be experts in the other’s field but must grasp how things function.

Gaining a rudimentary awareness of what tools and processes are in use with DevOps offers significant returns. When we understand how these tools interact, we benefit all parties involved. Therefore, in addition to our personal growth and development, we must teach these technical DevOps teams the fundamentals of GRC. The idea here is to keep it simple; just as a GRC practitioner can’t master complex deployment and troubleshooting, neither should our DevOps teams be expected to lead an audit.

At the very least, the audit should address any commerce, ticketing, change management, and collaboration systems utilized in the teams. A modern GRC practitioner benefits immensely from working with the tools that DevOps teams are already using. Working with DevOps provides those practitioners with the ideal perspective for evaluating organizational security and, as a result, compliance with your criteria.

At the same time, the DevOps teams need to gain an understanding of the following:

  • The forces influencing framework or standard requirements
  • The distinction between completing a requirement and meeting the requirement’s intent
  • How and why must we manage requirements from many frameworks and standards?

What happens during the audit process, why do we gather evidence, and what efficiencies can we put in place to make evidence collecting more consistent, trustworthy, and less impactful on engineering teams
Moving to the system(s) of the record is the final key in this method. Individual file sharing is a formula for disaster.

Can you envision a modern sales team organizing their activities through spreadsheets rather than a sophisticated Customer Relationship Management (CRM) system?

Certainly not! So, why do we handle our GRC initiatives in this manner regularly? First, however, it is critical to note that there will likely not be a single system of record. That is why your GRC software must integrate with other sources of a critical system of record.

Critical systems to integrate include change management systems, asset management systems, document management systems (for rules and procedures), and ticketing systems.

In short, make sure your IT and development crew know their systems, bring in an outside security person to lead the SecOps effort, and keep complete records of every process, discovery, and solution.

GRC: The Definitive Guide (
Risk and compliance management made easier (Hitrust- MyCSF)

Behnam Ataee, DWG CTO, has completed the HITRUST CSF Assurance Program certification. Certified HITRUST CSF professionals can deliver simplified compliance assessments and report for HIPAA, HITECH, state, and business associate requirements.