By John-Thomas Gaietto, Executive Director, Cybersecurity and Michael Wylie, Director, Cybersecurity, Richey May Technology Solutions –
As modern media companies race to create original content that satisfies our binge-watching appetites and blockbuster fervor, cyber criminals patiently work in the background — testing people, processes and technologies to uncover vulnerabilities.
From small post-production organizations to major players including Sony and Disney, Hollywood studios and production houses have become significant extortion targets for the cyber mob.
Sony was the first industry-related breach to make headlines, followed shortly thereafter by Disney and Larson Studios. While big motion picture studios may seem to be obvious targets, their content security practices are typically well- funded and highly resourced.
In contrast, small specialty post-production companies and visual effects (VFX) houses that handle extremely valuable content for the large studios rarely have full-time IT staff, let alone in-house content security experts.
Consequently, more targeted attacks are being aimed at these weakest links in the production chain.
Implications of a hacking breach
The first publicized small, third-party post-production hack targeted Hollywood’s Larson Studios. Hackers were able to penetrate the Larson network and gain pre- release access to a full season of Orange Is the New Black. Demanding tens of thousands of dollars for the safe return of the data, the hackers threatened to leak the episodes if their demands were not met.
Beyond leaked episodes, cyber breaches pose serious, devastating consequences — from millions in lost revenues to lawsuits and fines resulting from broken exclusivity contracts caused by the leak — with negative PR and wounded reputations often landing as the biggest blows to both studios and third-party vendors.
In response, the M&E industry is turning to innovative, effective security solutions and measures to protect and control their flagship content assets.
A new industry standard emerges
As studios began demanding more rigorous security controls for the third-party management and handling of pre-release content, a global, industry-wide film and television content protection initiative, the Trusted Partner Network (TPN), was founded.
The TPN creates a single, global directory of “trusted partner” vendors by establishing a minimum security preparedness benchmark based on a joint framework from the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA). To be included in this trusted network, third-party vendors must complete an annual TPN assessment which must be scheduled and managed by a qualified TPN Assessor, an accredited individual with deep expertise in securing pre-release, entertainment content.
Despite its relatively recent appearance in 2018, the TPN has already made a sizeable impact on the content security industry. As more pressure is exerted from studios for post-production and VFX houses to demonstrate security readiness, the TPN is expected to become the respected industry badge of approval for most major studios. With hundreds of TPN assessment requests in the queue, it is quickly leapfrogging from trend to industry standard.
Opportunities of secure cloud solutions
While the M&E industry has traditionally worked on content in isolated offline pods, studios and post-production houses are seeing the efficiency and portability benefits provided by the cloud.
They are offloading some of the workflow and resources to on-demand instances in the public cloud, and they can do this conveniently from any location — and for multiple users — since cloud architecture simplifies and expedites the management of digital security rights. On-demand virtual servers allow for workloads to be scaled up or down based on production needs; the cloud solution virtually eliminates the massive amount of time typically involved for scoping, vendor review and capital forecasting, as well as the financial risk inherent in committing to expensive new server storage.
All signs point to the M&E industry being on the verge of a remarkable transition. Major studios such as Disney are authorizing certain workflows to be handled within Google Cloud, Microsoft Azure and Amazon Web Services (AWS), and the TPN has also announced its own App and Cloud Initiative, with frameworks to be released soon. When major studios and the MPA give their blessings to secure cloud solutions, there will be a massive adoption of cloud computing within the Hollywood studio community.
The added complexities of cloud architecture can, however, complicate the security landscape if not managed properly. Without properly configured backup and security settings, data is left vulnerable to unauthorized use, hackers, malware and other risks.
Cyber hygiene matters
According to Cybersecurity Ventures, a new ransomware attack happens every 14 seconds, with estimates of ransomware-based phishing emails up 109 percent from 2018 — costing businesses billions of dollars along with weeks of downtime. With malware and ransomware attacks on the rise in the M&E industry, reviewing basic cyber hygiene best practices could be the key to preventing a vast majority of data breaches.
Effective cyber hygiene may not be flashy or glamourous, but it is critical.
Cyber hygiene encompasses the fundamentals of effectively managing people, processes and technology to remove any weak links for the bad guys to target. The basics include maintaining the security and health of a network’s
infrastructure and endpoints, establishing routine user training, supporting protection efforts to avoid basic vulnerabilities, and implementing an effective incident response program.
Collaboration propels cybersecurity
As cyber criminals and security threats evolve, cybersecurity professionals and business leaders in the M&E industry continue the fight together to thwart cyberattacks through shared knowledge of effective data security practices and solutions. This collaborative approach is helping to build powerful tools, solutions and trends which, in turn, provide protection to highly valued content, business interests and reputations for years to come.