Just a few months ago, media and entertainment vendors could treat remote security assessments under Trusted Partner Network (TPN) guidelines as a nice-to-have option. The ongoing global pandemic has quickly made remote security assessments a necessity in order to provide content owners assurance the vendors they work with worldwide are keeping assets secure.
We spoke with three TPN assessment experts — Mathew Gilliat-Smith, EVP with Convergent Risks, independent cybersecurity analyst James Bourne, and Michael Wylie, director of cybersecurity services for Richey May Technology Solutions — about how COVID-19 has brought remote security assessments to the forefront for M&E vendors.
TPN: How crucial have TPN remote assessments become during the ongoing pandemic, and have there been any significant evolutions in the remote assessment process in recent months?
Wylie: It wasn’t until COVID-19 that we’ve seen more adoption from studios [for remote assessments]. Some vendors we were working with prior to stay-at-home [orders], who were told to do an in-person assessment only, were later told a remote assessment would be acceptable. The Richey May Technology Solutions TPN Assessment team has done numerous remote assessments prior to the pandemic. Most of the evolution comes from educating vendors and providing the option.
Gilliat-Smith: In the first couple of weeks after lockdown both studios and vendors were extremely busy deploying and scaling remote working practices, some for the first time. As vendors across global territories began to realize that scheduled TPN assessments would be postponed, a pattern began to emerge: Vendors renewing from the previous year were reluctant to let their assessments slip, recognizing the importance of providing ongoing assurance to content owners. We felt this was a strong cultural acknowledgment of the importance being placed on the TPN assessment process.
Others were taking a TPN assessment for the first time and — with the prospect of being imminently awarded work by content owners — did not want the process to lapse or cause a delay in resuming business as usual.
In terms of evolution, everyone’s increasing familiarity with video conferencing has matured the process by making detailed calls easier to manage and more efficient.
Bourne: Remote assessments have been absolutely crucial. Without the ability to complete remote assessments the TPN assessment process would have halted. It’s impossible to travel right now.
In terms of evolution — I had only completed one remote assessment previously [to the pandemic]. Now they are all remote. So clearly we have had to adjust the way we work with our clients. While I like to think we have had a good rapport with our clients in the past, the discussions we are having now are much more personal in nature. It’s all about facility survivability … no longer a security audit [and] more of a business discussion relating to minimum security posture vs. cost to meet MPA Content Security Best Practices.
TPN: What recommendations would you offer for vendors when it comes to engaging with assessors for a remote audit? What should vendors know going in? How can they go about easing the process for both themselves and the assessor?
Gilliat-Smith: The key item is ‘preparation’ so that the remote assessment can be as painless as possible. Remote assessment is still very much an interactive process. For example, make sure you are in a place where your internet connection has sufficient bandwidth and is stable enough for the video call, with enough time booked off, anywhere from two to six hours depending on the assignment. Ensure the answers to the extended TPN questionnaire are updated and current.
We sometimes find that the questionnaire answers haven’t been updated from the previous year, even after remediation has taken place. Check that the TPN portal correctly shows which items from your last assessment have been remediated. Another point is to have all relevant materials ready to hand, for example management policies, architectural floor and infrastructure plans, access to the firewall user interface, and video evidence of physical installations up to the point the office was last operational and accessible. This aspect will be subject to when the onsite assessment can be followed up. Also check that your annual penetration testing and monthly vulnerability scanning reports are current. If you have non-English-speaking technical staff, you should have access to an interpreter just as you would for an onsite assessment.
Wylie: One thing many vendors don’t realize going into a TPN assessment is that during a pandemic, it’s likely they are operating in their Business Continuity Plan (BCP) and the assessor will be reviewing security controls as a point-in-time snapshot, which means if remote access security controls do not align with the MPA Content Security Best Practices, the vendor may have a report with more remediation items than they would with their normal operations.
Bourne: You are not going to get off lightly with a remote audit. Just because we don’t make it onsite doesn’t mean a facility audit is going to be ‘audit lite.’ The assessment process is basically the same: we still rigorously examine a facility’s security posture. Probably the main thing to impart is that an assessment is voluntary and that a facility doesn’t have to undertake it if it’s too burdensome, given the current circumstances. From an assessment process perspective, we have our procedures in place – so dealing with facilities using modern communications tools is a snap (G Suite, O365, Slack, WebEx, Zoom, Skype, Box, Digital Pigeon, etc.).
TPN: What are the most crucial check-offs content owners are looking for when it comes to a TPN assessment in the remote arena?
Bourne: Content owners are looking for high levels of accountability and discipline from their assessors and facilities alike, from a cyber-risk mitigation perspective. Content owners want a viable, vibrant and secure M&E industry to outsource work to.
Wylie: Content owners don’t want vendors exposing content to the internet or the ability to access content in an insecure manner. DS-3.2 in the MPA Content Security Best Practices Common Guidelines discusses best practices around remote access. Additionally, some content owners have expanded on DS-3.2 and have their own approved methods for access. It’s best to have a dialog with content owners and understand what risk is acceptable to them.
Gilliat-Smith: As with an onsite assessment, it remains essential to document evidence that pertains to the content on the production network being appropriately protected from theft, non-malicious or malicious distribution or denial of access. The content owners will be looking for the same assurance from the remote assessment process to ensure their risk level objectives are met, thus able to award work to the vendor.
MPA-based remote access controls and remote-work security guidelines must be followed, as this is a key area the assessor will focus on. Key items include remote access to the production network, appropriate user access controls and security authentication methods, being disconnected from the internet while working on content, wired connections, blinds so that screens are hidden from public view, use of bastion hosts and so on.
Issuing NDAs to all members of a household might sound excessive, but if you are working in an open space where people can see content, you need to ensure they adhere to confidentiality policies and observe appropriate security protocols. Post-COVID many people may continue to work in this way.
TPN: In your opinion, what are some of the biggest security issues both vendors and content owners need to be on the lookout for today during this new remote-work reality?
Wylie: Remote work has virtually caused network defenses to vanish. An employee may have WiFi without a password or they may have an already compromised computer on their home network. It’s difficult for IT and security teams to secure employees’ home networks. We’ve seen companies send their workers home, only to realize some employees’ home networks were not secure … essentially and unintentionally putting their work computers directly onto the public internet. Quickly, we detected attacks from around the world and had to isolate the users’ computers to stop further attacks.
Gilliat-Smith: With the current mindset of implementing remote working applications to resume operations as quickly as possible, the biggest threat is malware, ransomware, etc. being injected into your network only to be discovered months or years later, potentially leading to future attacks and hacks.
Remote desktop applications and some video conferencing systems like Zoom have had recent reported vulnerabilities, and even MS Teams has had to issue a security patch [during the pandemic]. Always ensure a meeting ID or password is required for a meeting, and refrain from discussing or disclosing sensitive content through the application’s chat function.
Using unsecure personal IT equipment for work-related handling of client information, assets and content. Home network gateway routers and workstations that have not had the appropriate baseline hardening applied are prime candidates for attacks. Usage of unsecure file transfer protocols, hardware or web-based file transfer services to distribute sensitive information or content. It is imperative that RHW operations still adhere to secure asset handling policies and procedures.
Disclosure of sensitive content or information on social media sites. It is imperative employees, and household members, adhere to industry standard, corporate, and client confidentiality and acceptable use policies. Username and password sharing. Access and authentication controls must be tied to a corporate domain as this is a prime area where ‘accidents can happen.’
Bourne: From a content owner standpoint, it would be ensuring that facilities have the technical wherewithal to deploy secure work-from-home solutions and not compromise on content security. I think it will be the new normal for the industry. The industry needs to move to a permanently decentralized production model. This is primarily to reduce risk and cost. From a vendor standpoint, you will see an accelerated march toward cloud, leveraging decentralized and disruptive technology and staffing models.
We need to engender an implicit creative human trust chain. In a decentralized model, people have to be able to trust one another and work together. Shows still need to be delivered, and need to be delivered on time. What I’ve noticed across the industry is how much it has banded together to help each and every one out over the last three months.
From the smallest facility to the largest. Empathy and common goals are great motivators. Maintaining that will probably be the biggest risk. What happens when we are asked to go back to the way it used to be? Will we? I think not.