Support 416-591-6711 option 1 or Email Us

Cybersecurity for the Media and Entertainment Industry

Mon, 29 Jul 2019

The ransom message flashed across the desktop computer screen. 

Give us 50 Bitcoin, or we release the final season's unaired episodes. Don't bother with the cops, they'll never track us in time. We've been in your system for months; the episodes are ours. Pay up in 48 hours, or we'll release more than spoiler alerts. Show me the money! 

Cybersecurity for the Media and Entertainment Industry

The media executive cringed – not just at the dated Jerry Maguire movie reference. 

He longed for the golden days of Hollywood. Where the ransom demands were created from pieced together letters cut from magazines and newspapers – those notes, he thought nostalgically, had looked like a grade four art project. Those were the good ole days of Tinsel Town when the criminals may have run off with a movie reel, but a smooth-talking detective with a chip on his shoulder and a fedora on his head would inevitably track them down in time. Now, there was no cutting room floor, post-production was all computerized, and someone had hacked the network.

This may seem like the start of a movie. You can see Liam Neeson appropriately cast as the media executive, a sombre man who will become enraged at what was Taken, throw his computer against a wall shattering it into a million pieces and then go on a revenge-fueled quest to get back what is rightfully his. 

“If you are looking for ransom, I can tell you I don't have any Bitcoin. But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let the episodes go now, that'll be the end of it.”

This isn’t a movie, and the scenario is far more reality than fiction.

Show Me the Money

When famous bank robber Willie Sutton was asked why he robbed banks, he replied, “Because that’s where the money is.”[i] Hackers are modern-day robbers, targeting digital assets that promise big payouts. Media and entertainment companies, with their deep-pockets and valuable properties, are uniquely vulnerable to cyber attacks. The industry’s high-profile products, coupled with its complex production processes and extensive use of outside vendors, give threat actors more opportunities to attack.

Advances in technology enable media and entertainment companies to produce more media with less time and expense, but such efficiencies create new vulnerabilities for threat actors to exploit. The innovations in technology that transformed the entertainment industry have simultaneously lowered the hurdles protecting intellectual property. Digital cameras, for example, allow directors to shoot footage for longer with less outlay: film stock expenses decrease immensely with the use of digital equipment. In addition, digital editing systems allow for the storage of vast quantities of content in a digital format. However, this means the valuable content of a production studio is stored on a platform that can be more easily compromised.

Additionally, studios often partner with expert vendors and creative specialists in areas such as graphics, special effects and audio mixing. Hackers hope that “lax network security at these vendors will allow easy access to content that they can hold hostage for a ransom.”[ii] Chief Technology Officer at FireEye, Grady Summers says, “Hackers have realized you might have a very well-funded security program at a Disney or Comcast, but if you step down the supply chain, you’re going to find a special effects crew or a sound editor who doesn’t have good security.”[iii]

To illustrate, a hacker group known as “the dark overlord” accessed and then released ten unaired episodes of Netflix’s Orange Is the New Black in 2017. Industry shareholders worried which network would be the next victim after the hackers taunted on Twitter, “Oh, what fun we’re all going to have.”[iv] Netflix noted in its press release regarding the hacking that a “production vendor used by several major TV studios had its security compromised.”[v]

A survey conducted by Hiscox, a global specialty insurance provider, found that 51 percent of media and entertainment organizations had experienced three or more cyber incidents over a 12-month period. Of those, the survey found that industry-wide viruses were the most common form of attack affecting 36 percent of respondents, followed by phishing scams cited by 29 percent and data breaches affecting 28 percent.[vi] 

As cyber attacks become more frequent and sophisticated, the most significant risks to cybersecurity for the entertainment industry are overconfidence and under-preparedness. Hiscox’s survey found that 79 percent of respondents felt that their security measures were adequate to protect them from cyber attacks – clearly, with just over half experiencing three or more incidents in one year, they overestimated the ability of their cyber strategy.

Protection the Behind the Scenes

There was a recurring theme at the 2019 ANGA COM meeting of the international telecommunications and media industry – cybersecurity. There was a resounding call to network operators and media content providers "to audit their workflows and devices, train staff to spot attempts to infiltrate their IT systems, and continuously monitor against threats.”[vii]

It isn’t just the media powerhouses that have to be concerned about cybersecurity. TV executives and TV providers also need to pay special attention. To illustrate the point, Eric Rutken, Managing Director of Cyber Security at Eurofins, said it is acknowledged within the world of software development that a great coder will make approximately ten mistakes per 1000 lines of code. "A smart TV has 2 million lines of code, so that is a lot of mistakes."[viii] These errors have the potential to become security weaknesses. Rutken goes on to say that “We recently tested security for a high-end smart TV and it contained over 30 vulnerabilities, five of which were critical or high risk. The television did not comply with GDPR requirements, either. When it comes to device security, the maturity of devices is still very low.”[ix]

Steve Harris, Executive Director for Education and Learning & Development Sales at SCTE-ISBE, outlined points of attack for hackers, based on figures from a tier-one European cable operator. The 2018 statistics show that 46 percent of cyber attacks were “aimed at the application layer, encompassing DDoS, DoS, zero-day attacks, bots, botnets, SQL injections and scripting, among other things. Another 23 percent of attacks tried to exploit a data breach, while 7 percent related to malware, 7 percent were focused on the network layer, and 5 percent were attributed to an 'insider threat'. Four percent of cyber attacks were associated with ransomware and 4 percent linked to phishing.”[x] 

Harris declared this a trillion-dollar problem that will only continue to worsen if increased security measures aren’t taken. “Everyone needs to conduct a threat analysis. We cannot identify every threat in the network, but we can identify the ones that cost us the most customers or take out the largest part of the network.”[xi]

Identifying and then fortifying network vulnerabilities is the first step to increased cybersecurity. A holistic approach to security is recommended for the entertainment and media industry. It’s no longer just content and networks that are the target, every aspect of the enterprise is now under threat – from post-production audio mixing to the accounting department. Putting a comprehensive, strong incident response plan in place so that early detection and quick mitigation are possible when a cyber incident inevitably does occur is vital. As Harris says, “It is not a question of if we are going to be attacked but when. This is a real threat, and we have to pay attention to it.”[xii]




‹ Back