CDSA

We are at least now preaching to a converted audience. Gone are the days when security was an afterthought or was not a line item in the annual budget.

It helps that a key driver for vendor security in M&E is the requirement by content owners for industry compliance, such as the TPN, SOC2, ISO and testing. Increasingly this is the hurdle to win and maintain business.

The threat landscape is continually evolving and becoming more complex and expensive to manage. It’s therefore crucial that our knowledge is current and that we are in tune with the latest threats.

The challenge will always be that attackers only need to find one vulnerability, while their targets must protect against all.

In addition to following best practice, the best way to do this is by implementation of cybersecurity tools testing and information sharing.

Aside from attackers, human error is often the cause of an unintended leak or breach. Either way continuous education with regular training sessions on security awareness can significantly reduce the risk, for example on the latest phishing and social engineering tactics.

A holistic approach is beneficial and instead of relying solely on one defensive measure.

We should adopt a layered approach to security that encompasses various tools and practices, including the obvious ones, such as endpoint security, network monitoring, stronger access control, advanced encryption in transit and at rest, secure collaboration platforms, correctly configured cloud storage, plus a meaningful incident response strategy.

There are hundreds of vendors and thousands of individuals working on each new production with an increasing use of SaaS applications. When a solutions provider detects a potentially exploitable vulnerability and issues a software patch, it’s incumbent upon their customers to install it.

Patch alerts signpost attackers to find exploitable wins. Tightening obvious gaps in all areas is crucial to ensure better security during on-set production and during post-production.

One size does not fit all however, and different con- tent owners will have different security requirements depending on the vendor and the content. The MPA Best Practice Guidelines provide a sound security baseline upon which a delta set of checks and balances can be added.

An iterative rather than a duplicative approach to the security assessment process must be much more productive and time efficient for all parties.

It was encouraging to see a united front in the approach to the security assessment process at the IBC 2023 TPN panel, which was represented by most of the studios and watched by a good cross section of vendors and assessors.

There has been a lot of concern recently in the media about AI and how we might lose control of it. Apart from the fact that AI has been around for a while in various forms, it is beneficial to both offensive and defensive security strategies.

For example, AI where it helps with anti-piracy by recognizing copyrighted material and alerting rights holders for take down.

Forensic watermarking tools use AI for tracing back content to its original source. Natural language processing can read the web for references to pirated or unreleased content, acting as an early warning system.

In cybersecurity, AI can be used in anomaly detection indicating potential threats. Use of AI in behavioral analysis can help with malware detection. AI can recognize the characteristics of phishing emails and identify previously known threats.

Deepfakes are increasingly hard to spot, and detection is made easier through AI.

On the downside AI can also be used for all the above to empower bad actors to generate deepfake videos, more sophisticated phishing and malware attacks, circumvention of passwords and so on.

This is all on top of privacy concerns, the loss of jobs and all the rest.

In terms of what more we do to protect our businesses from cyber criminals, we can make more effort to stay current with the new or improved technologies out there.

For example, ZDA (zero trust architecture) forces the concept of never trust and always verify on every access request. XDR (extended detection and response) which provides a suite of security products that automates threat detection and response across endpoints, networks, servers, and cloud environments.

Improved MFA and password manager technology that both strengthens and simplifies the authentication for end users.

All of the above however is contingent on proper implementation, continuous updates, vulnerability management, security assurance and testing, and as im- portantly it has a holistic understanding of the security posture of your business.

Sapiens qui prospicit. Wise is he who looks ahead.

* By Mathew Gilliat-Smith, EVP, CRO, Convergent Risks *

=============================================

Click here to download the complete .PDF version of this article
Click here to download the entire Winter 2023 M&E Journal