As officials at Sony and HBO can tell you, it’s tougher than ever to ensure sensitive materials are being properly protected, regardless of how many resources might be available to an organization. While there was clearly a breakdown in security protocol at Sony since thousands of passwords were in a folder named “passwords”, the issues at HBO aren’t the result of a single source or issue. Both hacks provide lessons for media & entertainment professionals, and not having actual passwords in a folder named “passwords” is just the beginning.
Experts have declared that the entertainment industry is a prime target for hackers because of the money and influence associated with it, and many organizations have not engaged with robust audits by third parties to help them find the gaps in their own security. What happened at Sony, HBO and even Netflix showcases why cyber security should be a top priority. These incidents have also given production professionals of all sizes some insight into how they can avoid putting themselves and their companies through similar ordeals.
Understanding Security Vulnerabilities
The security issues HBO dealt with were the result of problems with their supply chain, insiders who knowingly or unknowingly revealed more than they were permitted to, and compromised accounts. These issues enabled the theft of a total of 1.5 terabytes of data. Hackers released Game of Thrones scripts, company documents and unbroadcast episodes of other HBO shows, including Curb Your Enthusiasm and Insecure.
To say these are incredibly valuable resources for the company is an understatement, so how exactly were these vulnerabilities able to be exploited? How were they created in the first place? Anthony Juliano, an account executive at FUJIFILM, provided us with multiple explanations of what might have happened, and why it happened.
“Just like any data breach, this one could be the result of one or many different circumstances,” Juliano told ProVideo Coalition. “It could have been the result of currently applied antivirus software that didn’t catch the breach, out of date antivirus software, ignoring basic security hygiene or repeated hack attempts by the intruder until they found a vulnerability in customer code.”
Exactly what happened at HBO isn’t the issue, but understanding the vulnerabilities that might have been exploited there absolutely is. Luckily, some of these liabilities are easy enough to diagnose and resolve. When it comes to ignoring security hygiene, users need to ensure they keep up with security maintenance. Keeping your software up to date is among the most important things you can do when it comes to keeping your system and data secure. Additionally, if the HBO data had been encrypted, the hacker would have had access to meaningless data with no value. And of course, not falling for a “phishing” email scam is sound advice no matter what you’re doing.
There are far more involved approaches and processes associated with properly securing your data, but how much of that is necessary? Are hackers zeroing in on media & entertainment professionals in an active way? How much of a concern should freelance professionals have in this regard?
Production Companies and Entertainment Professionals as Targets
Being able to impact how people think of or view a cultural phenomenon like Game of Thrones undoubtedly makes media & entertainment companies a prime target for hackers, but that notoriety is hardly the only factor at play. It’s important to remember that both Netflix and HBO had ransom demands made around their security breaches. Both of those factors have hackers across the world looking for vulnerabilities that are inherent in these systems, even if studios and production professionals are only one of their targets.
“Financial firms are high-value targets to hackers as sources of credit card information, bank account information, etc.,” Juliano continued. “However, any company that stays back-level on security maintenance is an easy candidate. Hackers look closely at new maintenance releases from companies like Microsoft, Adobe, Apple, and all major e-mail systems. They can clearly see the vulnerability and weak areas that are being fixed. That information tells the hacker where the weakness is to be exploited. They know customers are slow to apply maintenance and this gives the hacker time to attack.”
This is information that production professionals of all sizes should recognize, because it’s proof that it doesn’t necessarily matter how large you are or how valuable/sensitive the data you possess might be. If you’re using a system or process that has inherent weaknesses in it, you’re the exact sort of target that hackers are looking to find and exploit.
Additionally, many freelance professionals gain access to larger systems when they’re working on a project, and that access can turn them into an “accidental insider” which could allow someone with malicious intent to piggyback onto that access. These are the types of vulnerabilities that cyber security professionals look to prevent, but the most secure system in the world is still only as good as the people who access and utilize it.
Taking proactive steps to ensure your system or your organization is not an easy target should be a top priority for production professionals, but what exactly do those measures look like?
Pay Now, or Pay Later
Establishing specific security protocols and data processes with and for production professionals can be a difficult task. The technical logistics associated with doing so are often the last thing creative professionals want to deal with, and additional expenses related to such tasks are often not properly budgeted.
Nonetheless, there’s been a recognition across the industry of the repercussions associated with not taking this topic seriously. Security issues are not just the concern of the IT department any longer, and freelance professionals are more open than ever to understanding what it means to stay secure. Despite that, actually putting these processes and protocols in place is usually not a simple or easy process.
“Unfortunately, there isn’t a silver bullet or one thing that can be done,” Juliano said. “It’s a combination of things that must happen. Studios must practice good IT and security hygiene, and that includes patching systems and applications, updating and modernizing systems/applications/infrastructure, controlling access to only those that need access, validating identities and encrypting or applying other safeguards to critical business systems. They also must implement stringent monitoring and alerting mechanisms as compensating controls for when or if an attacker breaks through their defenses.”
All of that might sound like a tall order, and for some large organizations it might be. It doesn’t have to be such a process though, since little things like updating your software and hardware exponentially increase the security of your system. Those software updates often mean little more than clicking the “Update” icon when it pops onto your screen. It’s something that many people still don’t do.
There’s a need to go far deeper, and cyber security experts can help with that process. Additionally, tried and true methodologies like the 3-2-1 rule are still effective. It states that enterprises should have three copies of backups on two different media types, one of which is kept offsite. Freelance professionals should consider how that kind of setup could work for them, even if it’s on a smaller scale.
Data security issues often come down to a question of paying now or paying later. And paying later is always more expensive.