Hollywood hackers: How to protect and safeguard media businesses

As media and entertainment companies continue to transition to software-based workflows and adopt IT and IP technology the subject of content security remains at the top of the agenda.

Netflix, WPP, Yahoo, TV5Monde and Sony Pictures Entertainment have all been in the spotlight as a result of cyber attacks, ranging from from content theft, data acquisition and ransomware infections to systems.

DPP Managing Director Mark Harrison says cyber warfare has become a complicated topic with an enormous field of activity.

He says: “Security has an increasingly complicated depth within the physical world let alone the cyber world. The nature of threats can vary massively and the motivation can vary massively depending on what the target happens to be.

“Taking over a company like 21^st Century Fox could mean you have a real global impact, which would be a great concern.”

Fox Network Group distributes TV programmes, sports broadcasts, live channels including National Geographic and owns franchises including Deadpool, X-Men, Avatar and The Simpsons.

21^st Century Fox Director of Content Protection, Europe and Africa Pascal Hetzscholdt says: “It is really valuable content which is subjective to a creative process where a lot of IT systems are being used and distributors licensing content. There are many potential threat factors.”

“The tools to do these [attacks] are available to a lot of people and that is what is making life tough,” Hetzscholdt adds.

Preparation and awareness is key to combatting attacks, Hetzscholdt explains, and adds that often the nature of the attacker will remain inconspicuous from a nation state hack to a deviant in an attic.

Ascot Barclay Group Chief Security Officer and Chief Information Security Officer Mike Loginov works to help the industries become more resilient to cyber attacks by examining what adversaries and hackers are doing across industry sectors.

During a research project Loginov uncovered the diversity within the hacking community, which he describes as “exasperating”.

He says: “The attitude towards why they do it… they don’t care about the law and they don’t care about legislation.”

He explains often it’s not even about the ransom money but about the kudos within the community of successfully hacking into a global company like Fox.

“They’re doing it for the LOLs,” Loginov says.

Hetzscholdt explains the higher volume of users accessing more content than ever before results in a higher threat factor.

He says: “Nowadays we have an abundance of electronic devices, systems and software applications that run on top of that.

“Everyone is personalising and tailoring the portfolio of devices and applications of technologies they’re using.”

Paramount paradox
The paradox the industry is faced with is the pressure to integrate services with connected tools as well as utilise the capacity of cloud-based services. The risk of doing could compromise security measures.

Production infrastructures are based on IT while live video signals are increasingly carried via IP, which increases the range of threat vectors.

Harrison notes the sweet spot is keeping content secure whilst not restraining the creative process. He highlights the importance of security across the content supply chain from production, the physical security onset as well as the cloud based security during post-production.

He adds: “Security is a community issue and as a supply chain it is all about us helping each other to be secure.”

The DPP saw the increased cyber security risks the industry was facing and launched at IBC2017 the DPP Committed to Security programmes, a checklist developed with the North American Broadcasters Association for UK broadcasters and their suppliers to self-assess against a number of key security criteria.

Loginov suggests organisations identify the “crown jewels” within their business and concentrate on the loss, theft or damage of those assets as they could cause the most amount of damage to the business. The organisational culture often overlooks the training and awareness of employees, because convenience will ultimately trump security procedures he explains.

“Taking a holistic view across the organisation and looking for the gaps and what could be exploited, it is something we could recommend companies do a bit more of.”

Cultural changes
Opening up operational workflows whilst keeping content secure is a huge challenge.

Perform is a digital sports content and media group based in the UK. Chief Information Security Officer David Schatz explains security will always remain a challenge however the cultural aspect is the most important part to change.

He says: “Ensuring all employees are up to scratch is tougher than it looks. Training, education and awareness, eats away on resources but are hugely important.”

“Prioritisation within the information security strategy needs to direct into the right areas.”

Fox Networks has created a global content protection team in response to the increased threats.

Hetzscholdt explains: “We have identified the content distribution food chain – every entity from distribution and creation to storage and purely technical facilitation – each component passes through an aspect of your business or a silo within.

“The danger is, if you don’t look at it holistically you will miss out [on security practices].”

The most important tasks in content protection is identifying where your weakness may lie in the content production to distribution supply chain and partner with technology vendors to focus on content security and protection.

“Once you have identified that food chain you can create training and awareness and educational material for everyone in that ecosystem,” Hetzscholdt adds.

Schatz says: “Understanding where you are as a company and what you can realistically achieve is a good first step… it might be easier said than done but trying to achieve a standard like ISO 27001 is maybe not the best first step.”

“It is easier to start with a common sense to approach that grants a level of assurance to the company and stakeholders. The DPP committed to security stamp or something more general like the cyber essentials plus in the UK is a good first step.”