The Top Four Cybersecurity Tips for Global Media Teams
Having a strong cybersecurity posture is at the top of most companies’ lists. But for organisations in media and entertainment (M&E), the threat from nefarious actors can be existential.
That’s because most media companies’ stock-in-trade is their intellectual property (IP) – which must be defended at all costs. They are also highly public facing, making the potential reputational and financial fallout of a data breach even more severe.
But there are plenty of ways M&E firms can protect their IP. Here are the top four.
1. Enforce Secure Remote Workflows
The M&E business has gone largely remote: A standard workflow now involves a set in a remote location, a video editor in New York, a visual effects house in LA, a colourist in Toronto, and a client in the UK. That means long chains of custody for media assets and plenty of potential exposure to insecure systems and devices.
M&E firms can protect endpoints through cloud offerings such as desktop-as-a-service (DaaS), virtual desktop infrastructure (VDI), or PC over IP (PCoIP). These technologies allow users to securely access their files from any endpoint while providing virtual desktop environments that aren’t tied to a physical workstation.
Other ways M&E firms can enforce secure remote workflows include:
- Securing personal and mobile devices with strong passwords and remote tracking/wiping software such as mobile device management (MDM) tools for remote enforcement.
- Establishing zero-trust policies for remote devices using solutions such as Cloudflare ZTNA or Zscaler.
- Ensuring collaborators use updated WPA3 routers and other secure hardware and secure their Wi-Fi networks with network encryption.
- Keeping all hardware and software (including anti-malware software) fully patched and up to date.
- Using visible and forensic watermarking and recording chains of custody to track media assets and identify potential copyright infringement.
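A chain-of-custody record like the one in the last item only helps if an entry cannot be quietly edited after the fact. The following is an added example, not part of the original article: a hash-chained custody log in which every handoff commits to the asset's SHA-256 and to the previous entry. The function names, field names, parties and timestamps are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry

def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_handoff(log: list, asset: bytes, sender: str, receiver: str, when: str) -> dict:
    """Append a handoff entry that commits to the asset bytes and the prior entry."""
    body = {
        "asset_sha256": hashlib.sha256(asset).hexdigest(),
        "from": sender,
        "to": receiver,
        "when": when,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_entry_hash(body))
    log.append(entry)
    return entry

def verify_log(log: list, asset: bytes) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    digest = hashlib.sha256(asset).hexdigest()
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if _entry_hash(body) != entry["hash"]:
            problems.append(f"entry {i}: fields altered after recording")
        if entry["asset_sha256"] != digest:
            problems.append(f"entry {i}: asset differs from the file in hand")
        if i and entry["from"] != log[i - 1]["to"]:
            problems.append(f"entry {i}: sender is not the previous receiver")
        prev = entry["hash"]
    return problems

def demo():
    asset = b"constructed sample bytes standing in for a video file"
    log = []  # constructed handoffs following the workflow described above
    record_handoff(log, asset, "set", "editor-nyc", "2024-01-10T09:00Z")
    record_handoff(log, asset, "editor-nyc", "vfx-la", "2024-01-12T17:30Z")
    record_handoff(log, asset, "vfx-la", "colourist-toronto", "2024-01-15T11:00Z")
    ok = verify_log(log, asset)
    log[1]["to"] = "unknown-party"  # simulate a record edited after the fact
    return ok, verify_log(log, asset)
```

A bare hash chain can be recomputed end to end by anyone with write access to the whole log, so the latest entry hash should also be stored or signed somewhere the log's editors cannot reach.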
But ensuring secure remote workflows isn’t just about adding as many security tools as possible. Organisations must balance a strong security posture with not introducing too much friction for workers – otherwise, productivity suffers (and employees will probably come up with insecure workarounds in response to get things done).
2. Conduct Regular Security Awareness Training
Cybersecurity experts love to say that people are the weakest link in any cybersecurity chain because in most cases, it’s true. No matter how savvy we think we are, all it takes is one second of weakness or distraction to click on a bad link – and potentially allow bad actors to infect your system with malware or even gain control.
Security awareness training helps educate your team members about what to do – and what not to do – when conducting their day-to-day work. It educates your team on how to spot potential phishing emails, suspicious links or attachments, or spoof websites and texts.
Security training helps educate users on the importance of using strong passwords (and not re-using passwords for multiple applications). Companies themselves should always enforce the use of strong passwords.
Training your employees, however, can’t be a set-and-forget activity. Regular, ongoing training – yearly is good, multiple times per year is better – combined with unannounced phishing or social engineering tests of your employees can go a long way in keeping them prepared.
3. Ensure Vendor Security
Media companies typically work with several vendors, but recent research has shown that three in 10 media vendors are susceptible to a cyberattack (twice the average of companies in other verticals).
Companies can harden their perimeters and security posture as much as possible, but if their vendors don’t do the same, they could still make themselves vulnerable.
That means M&E firms can – and often do – leave themselves open to supply chain-style attacks by not ensuring their vendors have a strong security posture.
When evaluating software vendors who will become part of your IP chain of custody, ensure you select those with strong encryption such as Advanced Encryption Standard (AES)-256 and Transport Layer Security (TLS) 1.2.
All vendors should have a strong security posture featuring user authentication tools such as two-factor or multi-factor authentication (2FA/MFA), along with single sign-on (SSO) with SAML-based authentication. Vendors should follow the principle of least privilege, which ensures that employees and other stakeholders have only the access they need to do their jobs, and nothing more.
It’s also important for vendors to show they’re compliant with data security-related regulatory standards such as SOC 2 and ISO 27001. In the M&E space in particular – and to be able to do business with major studios – vendors should be a verified member of the Motion Picture Association (MPA)’s Trusted Partner Network (TPN). Being part of TPN’s vendor roster shows the vendor has undergone a rigorous security assessment of their security management systems and content handling processes by a third-party, TPN-accredited assessor.
4. Use the Cloud Instead of Self-Hosted/On-Prem
One of the most effective ways M&E companies can stay secure is to use the cloud instead of self-hosted or on-premises services. While some organisations prefer self-hosted setups because of the perceived cost of the cloud, it’s worth noting the former is actually a lot more costly for most companies.
That’s not just because of the significant CapEx required at the outset of any self-hosted system, either (and whenever hardware needs replacing or upgrading). It’s also because of the hidden total cost of ownership that includes administration, maintenance, monitoring, and productivity losses during potential outages.
While cloud technology can be expensive if organisations migrate using a lift-and-shift strategy, a cloud-native migration using applications and payloads tailored to a cloud environment significantly reduces expenditures. These systems can also scale up or down easily without much human intervention or overhead costs.
The cloud: More secure than self-hosted
While some organisations don’t trust cloud providers to keep their data secure, self-hosted systems come with notable security issues:
- Self-hosted systems must be patched and updated by your organisation, which often leads to long delays because of resource constraints.
- Self-hosted systems don’t come with standard enterprise-grade security tools, and must be configured, maintained, and upgraded by your IT staff.
- Any data breaches in a self-hosted system are your responsibility and you must deal with them yourself.
On top of this, any software application you use automatically adds third-party (and potentially malicious) code to any self-hosted ecosystem. This renders the security benefits of an on-prem or self-hosted system essentially moot.
Top-tier cloud services, on the other hand, come with enterprise-grade security tools out of the box. Because they manage the infrastructure for you, cloud services patch any vulnerability within minutes – so quickly, in fact, that most users don’t even realise patches or updates have been made.
Cloud services also have dedicated resources able to identify and remedy a vulnerability without shutting down your system (or without your staff having to fix it themselves).
Improving Cybersecurity For M&E Businesses
When it comes to the M&E business, security is vital in order to defend and ensure the integrity of unreleased IP. Such a highly public-facing industry is especially at risk of significant financial and reputational damage in the event of a cyberattack or data breach.
But some organisations continue to put themselves at risk thanks to a lack of diligence securing remote workflows, their use of insecure vendors, a lack of security awareness among staff, and the security issues surrounding self-hosted systems.
By following the advice above and using secure cloud services, M&E businesses can keep their and their clients’ IP secure – and continue to keep the public entertained while they’re at it.