CDSA

Returning to ‘Business-as-Usual’ After a Digital Leak

By Peter Worrall, marketing and research director, Fortium Technologies

A recent spate of high profile hacks of digital film and television content has focused attention on the issue of cybersecurity in the media and entertainment industry. Most industry insiders now know that cyberattacks can happen, and that the consequences can be devastating to a company’s bottom line and reputation. Yet, many companies remain only vaguely aware of the nature of the threat and how to avoid becoming victims, much less what to do in the aftermath of an attack. Is it even possible to return to “business-as-usual” once you’ve been the target of a cybercrime?

Firstly, it is imperative to recognize that leaks are not principally a technology issue. Rather they are a business issue that should be addressed at the board level and the costs for defending against them should be properly budgeted. Leaks are an attack on a company’s core asset: its reputation.

The independent research firm Ponemon Institute recently issued a report titled ‘The Aftermath of a Mega Breach: Consumer Sentiment’. It describes data breaches as on par with poor customer service and environmental disasters in terms of damaging a company’s brand. Companies in the entertainment industry often expend considerable time and resources in ensuring their customers have a good experience and go to great lengths to avoid catastrophic breakdowns, yet many of those same companies still seem to be in the dark about mounting cyber-threats. How many employ, or even seek to access, an expert in the field of cybersecurity?

In certain industries, companies look after someone else’s property, and therefore have a duty of care. Think of a jewellery firm that employs a courier to deliver merchandise worth more than his monthly wage. In the post-production business, facilities are sometimes responsible for a customer’s assets worth many times their yearly income. Some films generate more than $100M their first week in release. A premium television show pulls in millions of viewers and therefore significant advertising dollars.

The job of protecting valuable customer assets is now a different ball game and additional measures must be taken. For example, there has been massive growth in foreign language dubbing and localisation, and this has increased the number of points of vulnerability. If a leak happens in an entertainment supply chain, a vendor could be economically liable and incur a blow to its reputation, but it is the content owner and its vendors that will suffer most and should dictate the additional security needed. Yet not many, it seems, are doing so. A recent study by the British government found that “relatively few companies (34%) have rules specifically around personal data encryption…Moreover, while most businesses set rules and controls within their organisations, just 13 per cent set minimum cyber security standards for their suppliers.”

Given the potential consequences of a cyberattack, it’s surprising that more is not being done to change post-production workflows. Perhaps it’s because most facilities are relatively small businesses and believe that hackers will go for the big fish, not them. That underestimates the resourcefulness of hackers. Consider that anyone can access data about companies working on specific film and television projects on IMDB. When a hacker visits a post facility’s website, he isn’t seeking information on its technical resources or superstar crew. He is looking to see what’s under the hood: valuable unreleased film and television assets being worked on for an impending release date.

Should a leak occur, the damage caused can go far beyond the immediate financial loss. It could affect a company’s ability to attract talent in the future. Star artists may not want to join a company whose reputation and ability to attract high profile projects has been damaged. It may also affect relations with other companies in the supply chain. Media digitization has made it common for assets to change hands many times through production and post. If a company has “dropped the baton” it may make others less likely to want them to be part of their supply chain in the future. In the wake of a breach, a company’s ability to survive and return to business-as-usual will depend on how it responds to the crisis.

All companies need to have reputational management and disaster recovery plans in place NOW. A company that has been victimized by hackers needs to be saying the right things at the right times. It may be wise to enlist a PR agency to assist in setting up a plan. If disaster strikes, a company needs to respond properly as its crew will be listening, the supply chain will be listening, and the media will be salivating!

Human error accounts for most leaks. The global research firm PWC recently found that “50% of the worst breaches in the year were caused by inadvertent human error, up from 31% a year ago.” Ask any expert to identify the weakest link in a company’s security infrastructure and the answer will be people, because humans are fallible. But before you point the finger at someone who sent an email to the wrong person or downloaded an infected file, remember that EVERYONE has made such mistakes. The solution, then, is to establish a secure environment where such critical errors can’t happen. Sensitive content must be encrypted by individual file or folder as well as by individual recipient, which, in the incidents reported in the recent leaks, it clearly was not.

If your company has not backed up and encrypted its data, it could become the victim of ransomware. In all recent cases, hackers have been able to release stolen content online for the simple reason that it was not encrypted. Had it been encrypted, the hackers would have had little leverage for blackmail. If you back up and encrypt media assets, you still may be hacked and you may have to reinstate your PCs and Macs. However, your stolen content will not be accessible to the thieves and your most important asset will be unsullied: your reputation and its standing in your supply chain community.

Peter Worrall is research and marketing director at Fortium, whose MediaSeal at-rest file encryption solution protects content with access control by file or folder and by individual recipient. MediaSeal is used for premium scripted TV and motion picture content in the pre-release stages, particularly in sound and picture editing, international dubbing and marketing promos.