In our previous post, we looked at some of the major hacks that struck the entertainment industry and identified the industry’s reliance on third-party providers as a major vulnerability. Today, we’ll look at the steps the entertainment industry needs to take to protect assets from potential threats.
As always, the industry needs to balance security with business functionality. When you’re in the entertainment world, that means grabbing headlines with multimillion-dollar budgets and trying to increase media coverage of your entertainment property. While that is good for business, announcing to the world that Avatar 2 is set to be released on December 16, 2022, puts a big target on the digital file and all of the studios and enterprises that work with it.
The movie had a $250 million budget, took over 5 years to film, and is set to be released 12 years after the original. If cybercriminals took control of the file, there is no limit to the amount that Lightstorm Entertainment would pay to save their movie.
Considering that keeping budgets, release dates, and projects out of the news would severely hamper buzz and ultimately reduce ticket sales, studios have no choice but to continue showing their hand to cybercriminals while adding multiple layers of protection to their video files.
Third-Party Risk Management
Third-party vendors are frequently the Achilles heel of the entertainment industry. Production studios rely on this supply chain to add special effects, align the sound with the action, and turn the rough-cut film into a polished movie. They add in subtitles and translations, while others dub the film into foreign languages. At every step along the way, the digital files are only as secure as the third-party company’s security policy.
To limit exposure, production studios need to develop a clear, non-negotiable policy for every vendor and third party they work with. That policy must include:
- Password security protocols for employees and contractors who have access to sensitive data
- Corporate login email accounts for all SaaS software
- Elimination of public Wi-Fi when accessing proprietary works
- Multi-factor authentication tools
- Least privilege access policies and role-based access so employees only have access to what they need
- Mandatory endpoint security
- Regularly scheduled penetration testing and maintenance
Additionally, all employees should go through training sessions, so they can recognize phishing attacks and avoid handing over credentials.
This may seem like a tall order, but when considering the consequences of not improving third-party security, the benefits clearly outweigh the challenge of implementing such a program.
Cyber-First Approach to Mergers & Acquisitions
As in all businesses, mergers and acquisitions are a key driver of growth in entertainment. Last May, EY reported that Media and Entertainment companies are taking a buy vs build approach to stimulate growth. In a survey quoted by EY, 51% of executives said they were looking outside their home market for Mergers & Acquisitions opportunities.
While this is good for business, those in the entertainment industry need to take a cyber-first approach when looking into M&A targets. Cyber risks are frequently overlooked during the vetting process, as business leaders tend to focus on the assets they are receiving rather than the security embedded in those assets.
This can lead to disastrous results. Cybercriminals who already have access to the purchased company’s assets can expand their reach into the larger company. Buyers must beware and conduct a full security review of the potential assets.
Robust Assessments and Reviews
Every company should be conducting annual cybersecurity assessments and reviews, but the stakes are much higher for entertainment companies. Piracy and leaks can undermine investment in films by giving them away for free to the public. Movies that cost tens of millions to produce and promote don’t hold any value once shared on a public cloud.
The movie industry was late to the cybersecurity game, and as creatives, its people have a limited appetite for additional security measures. More often than not, existing legacy systems aren’t updated or are no longer supported by their developer, creating cybersecurity vulnerabilities for your critical assets.
Key to all protection is onboarding a cybersecurity team that can be trusted with your most valuable assets. These advisors must understand the current state of your business, and recognize the unique, unfavorable position the industry finds itself in. They need to guide you to further increase your level of protection, as they reduce the likelihood of data breaches and pirated videos stemming from your studio.
For example, they may recommend a zero-trust approach for users, applications, and infrastructure. This comprehensive approach helps secure assets by eliminating implicit trust and continuously validating access rights at every step of a digital interaction.
Security-by-design is another approach they may recommend. Under this model, security is considered and built into every stage of the development. Rather than developing assets and then trying to find ways to protect those assets, a security-by-design strategy would build security directly into the assets.
Keeping your assets safe is a serious matter. Studios want their entertainment assets in the headlines, but only in regard to ticket sales and buzz, not because some cybercriminal stole the film and shared it online for everyone to see.