In today’s hyper-digital world, vulnerabilities are everywhere—buried in web applications, concealed in networks, hidden in servers, embedded in endpoints. Across literally every industry vertical, fear of a data security breach is keeping business leaders awake at night, because as technology has developed exponentially, so has cybercrime. Gone are the days when physical frisking, increased security personnel and surveillance cameras were enough to deter crime. Today, a lot more is needed as corporations, government agencies and individuals grapple with new realities like ransomware, system hacks, identity theft, phishing, Distributed Denial of Service (DDOS) attacks, zero-day attacks and online piracy; not to mention—in addition to what continues to be every organization’s worst nightmare—trusted insiders committing a security breaches.
A quick look at figures published by Gemalto’s Breach Level Index is enough to make anyone cringe. In 2016 alone, 1,792 data breach incidents took place across the globe. According to cybersecurity specialists Avalon, the average total cost of each breach was a whopping $7.01 million. This of course does not even begin to cover the associated damage to brand and reputation, which is often unrecoverable.
M&E: A MAGNET FOR CYBERCRIME
While cybercrime can hurt organizations in almost any industry, recent incidents have demonstrated that M&E companies are particularly vulnerable targets. Their susceptibility is centered on the fact that they have a sprawling supply chain with large volumes of digital content moving through at all times. The M&E industry is still reeling from the 2014 hack at Sony Pictures Entertainment, when hackers released confidential data which included personal information about employees and their families, data on executive salaries and copies of then unreleased Sony films. Sony pegged the damage caused by the massive cyber-attack at $35 million. Also etched in broadcasters’ memory is another watershed moment from 2015, when cyber terrorists succeeded in taking French TV network TV5Monde off air, almost completely destroying the network.
Since then, cyber storm clouds have continued to gather over M&E players. Their woes reached historic proportions in July 2017, when hackers gained control of 1.5 TB of data from HBO, including confidential scripts and other content from the network’s marquee shows. Even before the team had a chance to catch their breath, they found their social media handles infringed as well. The incident came close on the heels of 10 new episodes of Netflix’s popular show “Orange is the New Black” getting leaked as a result of an attack on their post-production company, Larson Studios. Hackers also succeeded in stealing a copy of “Pirates of the Caribbean: Dead Men Tell No Tales” from Disney 10 days before the official release date, threatening to release it to torrent sites if they weren’t paid. ABC Studios also joined the bandwagon of beleaguered cybercrime victims, when hacker group, “The Dark Overlord” leaked unaired episodes of their upcoming game show.
IMPLEMENTING BEST-IN-CLASS SECURITY PRACTICES
Is there any foolproof formula to avoid such security breaches? Not yet. But M&E enterprises can certainly learn from these incidents and take precautionary measures so that in future, cybercriminals cannot find a single hole to burrow through. Whether this means hiring external security advisory firms, bolstering approval procedures, isolating environments, establishing content type-led operating procedures, automating IT security processes like system patching, increasing the use of URL encryption, content encryption (including for “at rest” and downloaded content), conducting unannounced penetration testing, strengthening identity management or building applications that are coded for security, no effort is too big and no detail is too small. Technology partners must also be chosen carefully. Ideally, the organization selected should meet widely recognized, internationally accepted security standards like ISO 270001 and SOC2 certification.
SECURING OPERATIONS ACROSS THE CONTENT SUPPLY CHAIN
In today’s “TV Everywhere” universe, there are several use cases where sending content to external stakeholders becomes necessary to fulfil international syndication requirements. One such case is localization, since delivering content worldwide in multiple languages is key to boosting monetization. Studios have to send copies of their content to third party vendors for subtitling, dubbing etc., which increases the risk of piracy. While measures like encryption, secure transport, forensic watermarking etc. can help protect content from being illicitly distributed, a holistic MAM solution, like a Media ERP software, can help manage end-to-end content workflows securely across the supply chain. Such solutions allow users to perform tasks like localization within the same, secure environment, eliminating the need to send coveted assets outside the system.
MANAGING THE HUMAN FACTOR
Any organization is only as good as its people, and every employee has the potential to make or break a business. Even a single illicit act can bring a billion-dollar company to its knees. Companies therefore need to pull out all the stops to create an environment where commitment to content security comes from everyone, not just the leadership. Educating employees is extremely important, as often they have little understanding of the consequences that can result from sharing data unwisely. Since human intervention is mandatory at various stages of the content lifecycle, increasing electronic management control to make piracy harder is a constant endeavor. More specifically, deploying work order management to assign manual tasks to particular individuals is key. So is providing “just in time” access to content, wherein the said person is given access only for a watertight duration with access ceasing the moment his/her task is completed successfully.
JOINING FORCES TO TIGHTEN THE SECURITY BELT
In a bid to curb cybercrime, a group of 30 content enterprises, including major digital media players, networks and Hollywood outfits, have recently joined forces to create a group called the Alliance for Creativity and Entertainment (ACE). The group conducts research and works closely with law enforcement agencies to identify and stop pirates from stealing movies and TV shows.
M&E enterprises are hardly alone in their battle against cybercrime—healthcare, retail, finance, social media, education and even government have been hit hard in recent times. Industry leaders like J.P. Morgan Chase, eBay, Adobe and Target are just a few among many who have faced major cyber-attacks that have impacted millions of users. Technology giants like Yahoo and LinkedIn have not been spared either. High profile individuals like Mark Zuckerberg and Sundar Pichai have woken up to find their social media handles compromised. The battle is clearly on, and cybercriminals are leveraging new technical innovations to launch more complex, intelligent and targeted attacks across the globe. Predicting their next target is close to impossible, as their motives vary from financial gain, political ideology, espionage and revenge to sheer fun and fame.
While the list of cybercrime victims grows longer, organizations of all shapes and sizes are rethinking their security investments. Gartner predicts information security spending to reach $93 billion in 2018, and Microsoft has already announced its decision to invest over $1 billion a year on cyber security R&D. Needless to say, the cost of doing business is only going up on the back of these investments, and the burden is sure to percolate down to end customers sooner rather than later.
Is it time to go bring back fax machines and tapes, some may ask. Not quite. After all, crime has existed since time immemorial, and in all probability, it will continue to exist till the end of time. But lessons have to be gleaned from past events, as prevention remains the best line of defense against cyber criminals. Corporations need to get into the minds of hackers and identify every potential security loophole without a moment’s delay. A Cyber Defense Control roadmap needs to be put in place, with effective strategies for every level, starting right at the grass roots and going up to the top brass. Security best practices need to be exercised at an individual and organizational level, as a holistic, cross-country, cross-industry risk-based approach alone can help stay a step ahead in the war against cybercrime.
Ramki Sankaranarayanan is founder & CEO of Prime Focus Technologies (PFT).