By Mathew Gilliat-Smith, CEO, Fortium Technologies –
Instances of content piracy are nothing new. Thieves have been stealing movies and television shows for decades, but recent cases of hackers pilfering content from studios and their suppliers are of a different scale than anything we’ve seen in the past and shocking in their audacity. This summer’s reported cyberattacks on HBO garnered headlines around the world due to the high-profile shows involved and the incredible scale of the attack. Entertainment Weekly reported that as much as 1.5 terabytes of data may have been stolen by the pirates. Similar attacks involving Larson Studios, Netflix and Disney has also resulted in a stream of negative publicity, while other lower-profile attacks are a constant source of industry chatter.
Along with actual crimes, there have been several close calls. Viacom was recently outed for lax security that could have led to a potentially catastrophic data leak as reported on Deadline.com 19th Sept 2017. Fortunately, the breach was discovered and no data was lost.
Without doubt, we are in a new era of cybercrime. Security specialist Fortinet issued one of the more sobering reports this past February. It’s reported ‘Mapping the Ransomware Landscape’ cited statistics across all business sectors showing a rate of 4000 different cyber incidents occurring across 50,000 devices each day in 2016, double the number of a year earlier. It also noted that 42% of companies held to ransom last year paid up with most reasoning that it was cheaper to buy off the thieves than to have the whole company down and out of action for a period of time.
By comparison to other business areas, the entertainment sector had been relatively unscathed. Much more damage has been suffered by business-critical companies like hospitals and financial services firms. Still, the threat to the media and entertainment industry is acute. One post production vendor has reported that it sees 8-10 cyber bots hitting its servers every second, mostly from Canada, China and Australia, tracked from their FortiGate firewall.
Not all cybercrime involves external ransomware attacks. Sometimes the security breach originates from within. That was the case with a vendor where Network Asia reported that four employees from the Indian facility were arrested for stealing an episode of Game of Thrones. Nor are all breaches the result of criminal intent. The accounting firm PwC estimates that 31 percent of security breaches in 2017 were the product of human error. “Auto complete” involving an incorrect email and a link to content is often the culprit. We’ve all done it.
Piracy’s human toll
There is a human aspect of piracy leaks in how they affect filmmakers and others in the production chain. Much of the talk has been about the unauthorized release of episodic premium content with cliff-hanger endings and the resulting massive number of free downloads. But what about the crime’s impact on the hundreds of individuals who worked long and hard to bring these shows to the masses?
Hopes are dashed when a brave studio takes a risk on a smaller independent film or filmmaker only to watch as the movie’s profits get cut in half when it’s leaked to a pirate site like PutLocker or Popcorn Time. This year’s surprise hit Moonlight was victimized by an astronomical an estimated 60M illegal transactions.
Board-level responsibility required
What is needed is a mindset change among entertainment companies at the board level. By analogy, imagine you’re a typical homeowner in Los Angeles or London. At a minimum, your security system involves five teeth lever keys and a burglar alarm. You might add a safe box for jewellery and perhaps CCTV cameras. But say you relocate to Johannesburg. Your mindset changes immediately. Now, you’re living behind a perimeter fence. You arrange safe box transport for high value items wherever you go. You run red lights at night to avoid car-jacking.
Today, the entertainment industry is more like Johannesburg than L.A. Firewall protection alone is not enough. Content is no longer produced in one place; it’s spread out over multiple locations and involves many people outside of the organization who take ownership of it before it hits TV screens.
It’s easy to kid ourselves that we are doing the best we can to work securely. However, when you get into it, a lot of post-production facilities will admit they work the same way as those companies that got hacked. They are not different. They’re just luckier. It didn’t happen to them. They rationalize the threat. “We have fast turnarounds.” “Content arrives in all manner of ways.” “Staff turnover is high.” On top of that, some creatives and producers simply insist that things be done “their way” and refuse to be dictated to. Moreover, they say the studios don’t value the small incremental price for higher security.
Right steps, right here
What’s to be done? First, obviously, data needs to be backed up. The very minimum should be access control by file and individual user. Multi-factor user authentication should be employed for accessing content. (These days, it’s not hard to do.) The MPAA ‘DS 11.4’ Guideline must be adhered to which means that content needs to be encrypted “at rest” and not just “in motion” so that it’s protected while individuals are working with it. It’s also vital to maintain an audit trail detailing who has accessed which content and when. Watermarking on its own in post production is not an effective strategy.
Individual watermarking by recipient takes too long to transcode the required multiple versions and is a reactive not a preventative measure.
In all recent cases, hackers have been able to release stolen content on-line for the simple reason that it was not encrypted. Had it been encrypted, the hackers would have had little leverage for blackmail. If you back-up and encrypt media assets, you still may be hacked and you may have to reinstate your PCs and Macs. But, your stolen content will not be accessible to the thieves and your most important asset—your reputation among your associates in the supply chain—will be unsullied.
Perhaps just as important as the physical protection is ensuring that security is easy to maintain. That means training staff and getting their understanding and buy in.
The key point it to make security measures a directive from the top so there’s no quibbling.
Bear in mind these key points:
First, cyber threats will continue. They are not one offs and will get worse.
Second, security needs to be a line item in the budget for each production. It doesn’t have to expensive but the CFO should not sign off on a project until there is a security line item present. Insurers are becoming more inquisitive about what measures are being taken to limit piracy.
Third, security must come from the top as a directive. It should be a board level directive so that the ‘creatives’ are encouraged to tow the line.
Currently, proper security seems to be optional at companies. What if directors and officers became personally liable as that would surely change the mindset. The fact that a company has never had a leak is not a reason to avoid spending money on security. In the recent case of the Equifax hack and the release of sensitive data, one can only speculate about director and officer liability. The resignation of the CEO probably speaks for itself.
Should a leak occur, the damage caused can go far beyond the immediate financial loss. It could affect a company’s ability to attract talent in the future. Star artists may not want to join a company whose reputation and ability to attract high profile projects has been damaged. It may also affect relations with other companies in the supply chain.
Media digitization has made it common for assets to change hands many times through production and post. If a company has “dropped the baton” it may make others less likely to want them to be part of their supply chain in the future. In the wake of a breach, a company’s ability to survive and return to business-as-usual will depend on how it responds to the crisis.
All companies need to have reputational management and disaster recovery plans in place NOW. A company that has been victimized by hackers needs to be saying the right things at the right times. It is wise to enlist a PR agency to assist in setting up a plan to be prepared. If disaster strikes, a company needs to respond properly as its crew will be listening, the supply chain will be listening, and the media will be salivating!