Cyber Think Tank: Entertainment and Media In Need of Best Practices (CDSA)

By Larry Jaffee

Entertainment and media companies lag far behind other industries tracked by the Ponemon Institute, a cyber security think tank based in Traverse City, Mich.

Over the past 11 years, Ponemon has released about 1,600 case studies of data breaches, examining what steps the affected companies take before and after an attack. Its newly released report, the 2015 Cost of Data Breach Study, examined 350 companies in 11 countries covering 16 industry sectors.

Among respondents to the current study were movie studios, though Larry Ponemon, chairman and founder of the institute, said this year only 10 media and entertainment organizations were included in the report. However, he anticipates next year’s report to focus more on that space.

“Media and entertainment is definitely an area that deserves more attention because they’re the target of bad guys,” Ponemon told the Content Delivery & Security Association (CDSA), citing intellectual property such as movie content. He said he believes the media and entertainment industry could benefit from good practices learned from other industries.

From what he’s seen, M&E firms don’t show the same level of diligence in data protection as financial services or healthcare, because they’re not heavily regulated and therefore aren’t required to be in compliance.

“A lot of these organizations don’t think about security as a goal or objective,” Ponemon said. “They tend to have people doing security at the division level. There’s no central command and control. These organizations are not built for compliance or security. So it’s really a herculean task to get these organizations to move. You don’t see that in many other industries, such as financial services. Even government has had some wakeup calls, at least on the federal level.”

Ponemon notes that mergers and acquisitions among entertainment and media companies often create additional IT security problems. “Each organization has their own security orientation, or the lack thereof, so that creates an organizational mess,” he said.

“Entertainment and media companies obtain and retain a lot of consumer-related data. Because it’s not regulated, there’s a mindset if it’s not useful today, it might be at some point in the future, so just keep everything.”

Media and entertainment companies more often than not fall in an “ignorance is bliss, head in the cloud” mentality, Ponemon added. Such organizations typically convince themselves wrongly that “it’s not happening here, and we don’t know what we don’t know,” he said.

About 30% of organizations that Ponemon benchmarks fall in the “ignorance is bliss” category, whereas about 50% fall in a middle category in which resources are spent to protect data, “but they do not discover whether data has been leaking out and potentially in the hands of bad guys.”

Only the remaining 20% of organizations studied by Ponemon are “really starting to get their arms around data breaches and cyber security.”

He notes Sony Pictures had only two or three people dedicated to security, and this was following a prior breach of the Sony PlayStation network. “The average financial services company, in comparison, by headcount probably has hundreds of people focused on security. It’s just a completely different orientation.”

From what Ponemon has seen, media and entertainment companies lack strong security cultures, or don’t comply with security standards such as those of the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). “These organizations don’t see that as an important part of what they do.”

Ponemon spends a lot of time establishing metrics to measure the impact on reputation following a data breach, such as customer churn. “From a revenue point of view, it could be significant. People leave. They find alternatives because they don’t want to deal with organizations that are sloppy and trustworthy with the protection of their information. Reputation cost is pretty significant,” Ponemon said.