Digital resilience in the cultural sector rests on three pillars: managing cyber risks, dealing with artificial intelligence - especially generative AI - and technological sovereignty: the question of the extent to which an organisation wants to depend on US or other non-European hardware and software.
In a series of articles, I will take a closer look at these three topics. I will start with cyber risks.
Cyber attacks still appear to be a topic that is difficult to fathom for many managers and supervisors, especially in the cultural sector. Discussions about them quickly get caught up in technical terms and jargon that provide little guidance for those ultimately responsible for policy and supervision.
This often leaves it unclear what the core issue is: what exactly a cyber attack or hack is, how it works and what forms it takes.
In the ‘101’ below, I therefore clearly list the main types of cyber attacks, with concrete examples from the cultural sector. (In internet and academic jargon, “101” means a basic explanation or introduction to a subject. It refers to the way subjects at universities are often numbered.)
The cultural sector is an attractive target for ‘hackers’
Museums, festivals, theatres, design studios, media companies and cultural funds have long tended to see themselves as unlikely targets of cyber attacks. That thinking is understandable. They do not manage electricity grids or process global payment flows, and they are not defence ministries or intelligence agencies. But that old ranking has since quietly disappeared. In today's threat landscape, attackers do not only go where the most money can be made. They also target organisations where trust is high, defences are uneven, systems are highly interconnected and disruption can lead to hasty decisions. And that describes much of the cultural and creative sector remarkably well.
Three recent reports (Riedel, Cloudflare and Proton) make clear why this is so and you can find them at the bottom of the article.
Hacks in three flavours
For directors and supervisors, it helps to divide this landscape into three broad categories:
- The first is the ethical or commercial hack: an authorised attempt to test systems and find vulnerabilities before a real attacker does.
- The second is the state-actor hack: digital activity associated with geopolitical goals, such as espionage, pre-positioning in systems or exerting influence.
- The third is the criminal hack: financially motivated burglary aimed at extortion, theft, sabotage or disruption.
The means may overlap. The motives do not. And it is precisely this difference in motive that matters for governance:
- The ethical or commercial hack
This is the domain of penetration testing, ‘red teaming’, vulnerability scans and simulating an adversary. In the best sense, it is a controlled exercise in failure. Not to inflict damage, but to reveal blind spots before someone with worse intentions does. That could be an outdated server, a weak identity design, misconfigured cloud storage or a vendor link that was never fully mapped. RIEDEL's report highlights an old lesson again: known vulnerabilities are often still exploited long after a fix has become available. Basic hygiene, such as patch management, monitoring and a structured incident response, still makes the difference between manageable and catastrophic. For a board of directors or a supervisory body in the cultural sector, this is not a technical detail, but a managerial signal. Ethical hacking is one of the few ways to replace assumed security with demonstrable resilience. (A very recent ‘ethical hack’ at McKinsey shows what the next stage of digital risk is: the in-house generative AI assistant Lilli, used by tens of thousands of consultants to search through decades of reports, analyses and presentations, proved vulnerable. Security startup CodeWall demonstrated with an autonomous AI agent that such systems can independently find and exploit vulnerabilities within hours, allowing AI to greatly accelerate the classic steps of a cyber attack. Source: How we hacked McKinsey's AI platform.)
- State Actor hacks
Attacks by state-driven attackers have long since moved beyond the cinematic image of a spy stealing diplomatic secrets. Cloudflare's report describes a world where state-affiliated groups are more persistent, more identity-focused and part of broader strategic campaigns. For example, Chinese threat actors are described as parties seeking long-term positions in telecoms, government and IT services, in a way that points to preparation for future disruption and means of pressure, not just immediate espionage. The broader lesson is that state-actor hacks are increasingly about pre-positioning: penetrating early, maintaining a quiet presence and building options for later.
At first glance, then, a museum, theatre company or publishing house does not seem a logical target. But cultural institutions manage more than art and play schedules. They have donor lists, board correspondence, contracts with artists, unpublished material, salary records, international partnerships, politically sensitive communications and reputational capital. Moreover, they are often openly organised: highly outward-looking, reliant on collaboration and leaning on a patchwork of external platforms and temporary staff. In such an environment, the dividing line between espionage, influence and opportunistic compromise becomes less theoretical than many executives like to assume. (In March 2026, US medtech company Stryker was hit by a major cyber attack that disrupted internal systems worldwide. According to reports, the logo of Handala, a hacking group linked by cybersecurity experts to Iranian cyber operations, appeared on employees' login screens. The incident led to disruptions of the company's Microsoft network and restricted access to internal systems while investigations were ongoing. Source: US medical equipment company Stryker says cyberattack disrupted its global networks.)
- The criminal hack
The third category, criminal hacking, remains the most immediate threat to most organisations. It is also the broadest category. Five forms deserve special attention in this regard:
- The first is the ransomware attack. Once upon a time, ransomware was mainly about encrypting files and demanding a ransom for the key. That still happens, but the model has changed. Increasingly, ransomware has become an extortion model that relies on stolen access and stolen data. The RIEDEL report shows that ransomware continued to be one of the dominant damage patterns in the second half of 2025. Cloudflare goes further, stating that modern attackers often work with valid login credentials or trusted services rather than noisy intrusion techniques. Criminals are thus increasingly no longer slamming the door, but simply logging in. For a cultural organisation, that could mean an attacker proceeds via a compromised mail account or administrator login to archives, financial systems, donor databases or ticketing platforms before anyone realises the building is already on fire. (The case of the National Museum of the Royal Navy shows what damage such an attack can do: National Museum of the Royal Navy hit by cyber attack.)
- The second form is the data breach. This could originate from a webshop, a CRM system, a cloud storage environment, a ticket partner or a captured password. In cultural terms, this involves membership files, visitor information, correspondence with patrons, provenance files, contracts with creators or HR documentation. The damage is rarely just technical. It spills over into reporting obligations, legal costs, operational distractions and a creeping loss of trust. Proton's report highlights that business side of trust: 66 per cent of organisations say that demonstrably handling customer data securely is very or even critically important to winning new contracts or customers. In sectors that revolve around reputation and relationships, this quickly makes a data breach a strategic event rather than an IT incident. (The Metropolitan Opera case shows that: Security Gaps in Cultural Institutions.)
- The third is the insider threat of sabotage. Boards still often think of cyber risk as something that comes from outside. But weak access discipline, overly broad permissions and informal account sharing create risks from within. Proton finds that even organisations with password managers are still sharing login details via email, documents, messaging apps and other insecure channels, while poor access control makes it harder to track suspicious behaviour or revoke access cleanly. In the cultural sector, where freelancers, curators, technicians, producers and temporary collaboration partners are constantly moving between systems and projects, this is not a fringe issue. It is often ingrained in day-to-day working practices. (The case of the British Museum: Fired British Museum worker arrested after ‘shutting down’ museum computer systems.)
- The fourth form is system failure or data corruption. Not every digital crisis starts with an adversary. Systems fail. Data gets corrupted. Dependencies break. Misconfigurations cause failures that can look suspiciously like a hack from the outside. This matters because institutions are increasingly dependent on digital continuity for their core activities: ticketing, collection registration, payroll, communications, fundraising and audience programming. A disruption in one linked system can quickly lead to reputation damage and operational problems elsewhere. The lesson for administrators is that resilience is not only about stopping attackers, but also about being able to recover quickly when technology collapses under its own weight. (The case of CrowdStrike: 2024 CrowdStrike-related IT outages.)
- The fifth form is the DDoS attack: a distributed denial-of-service attack that overloads online services until they become inaccessible. The goal then is not necessarily theft, but paralysis. Cloudflare describes a threat environment in which hyper-volumetric DDoS attacks can cripple infrastructure at exceptionally high rates. For cultural institutions, this is especially relevant at moments of maximum visibility: the start of a ticket sale, an opening weekend, a digital premiere, a membership recruitment campaign, a fundraising campaign or a politically sensitive publication moment. If accessibility is part of the public mission, then a DDoS attack is not a technical sidetrack but an attack on the public face of the institution. (The case of Live Nation and Taylor Swift: Live Nation Entertainment blamed bots for the Taylor Swift ticket fiasco. Is it a legitimate explanation or just an excuse?)
And then there is AI
AI, meanwhile, runs like an electric current through all three categories. The core of the Cloudflare story (see reports) is that AI lowers the threshold, increases speed and helps attackers exploit precisely the connecting layers of modern organisations: cloud environments, SaaS integrations and identity structures. The result is not simply “more hacks”, but faster, more scalable and further automated attacks.
Proton adds the organisational side. Most companies now use cloud services, many deploy AI tools, but confidence in how providers handle corporate data remains limited. Only 14 per cent of organisations in the survey say they are fully confident that cloud providers can protect their data from data breaches, while 69 per cent are already using AI tools. Each new application can improve workflow, but also increase the attack surface. In this regard, the hack at McKinsey shows the ‘state of the art’: an AI agent doing it all. In the foreseeable future, 80-90 per cent of hacks are expected to be performed by AI agents.
This is precisely the lesson that directors and regulators in the cultural and creative sector now need to internalise. Cyber risk management is no longer a technical sub-topic for the IT manager and an annual paragraph from the auditor. It is a governance issue about continuity, trust, access management, third-party dependency, careful data management and managerial judgement. The right response is not melodrama, but discipline: testing systems ethically, tightening identity and access, treating cloud and AI adoption as security decisions and assuming that the next incident is more likely to enter through the organisation's connecting tissues than through its visible front door. In an industry that thrives on public trust, cyber resilience has long since ceased to be back-office hygiene. It has become part of the cultural infrastructure itself.
Reports
- The OOPS H2-2025 Report from RIEDEL Networks is an overview of publicly reported cyber incidents in Germany in the second half of 2025. The report identifies recurring attack patterns, likely damages and organisational lessons. The outcome is clear: cybercriminals still dominate the incident picture, and data theft and ransomware together account for about two-thirds of observed attack types. Events and media are also on the sector map, as a reminder that culture has long since ceased to be out of the picture.
- The Cloudflare 2026 Threat Report, published this year as the company's first global threat review, is based on telemetry from a network that it says protects about 20 per cent of the web. The core message is sharp: cyber threats are industrialising, identity has become the primary target, and AI plus the growing complexity of SaaS environments give attackers an advantage at machine speed.
- Finally, the Proton SMB Cybersecurity Report 2026 is a recent survey of 3,000 founders, directors and IT leaders in six markets, conducted in late 2025, on cloud adoption, human error, AI use and customer trust. Its message is also relevant for cultural institutions: investing in tools has not removed vulnerability, while digital security is increasingly a commercial confidence signal in itself.




