Adam Krentzman is the VP, Strategic Planning/US for Fortium (www.fortiumtech.com). The Bridgend, UK-based company is a provider of digital content protection solutions for film, entertainment and broadcast industries. Here, he looks at issues facing content security.
Everyone knows about the threat of piracy and the severe financial consequences that result from a leak. More recently we have seen the growth of cybercrime attacks with companies being held to ransom through content theft and ransomware attacks. There are plenty of scary stories about terrorism and cybercrime so it’s good that there is greater awareness about these issues. Over the last few years, companies have adopted more stringent security such as physical ID checks, cameras, locks and secure log-ins. Studios conduct far-reaching security audits at the facilities that work for them, which forces the pace of change. Fingerprinting, watermarking and encryption have all become more widely used.
Locking your front door is all very well, but if the back doors and windows are left open then there’s a problem, and this is what can happen in our industry. Some workflows are extremely well-protected and others aren’t protected at all. Encryption “at-rest” and “in-motion” have long been mandated by MPAA guidelines, but surprisingly few companies encrypt their pre-release content while it’s in post-production, which means it’s vulnerable.
To fully protect a computer, it would need to be disconnected, switched off, placed in a metal box and locked in a room. That would make it safe, but also useless. Today’s media and entertainment industry is built on collaborative workflows across many external organizations and people, and consequently has many inherent points of vulnerability. Services such as localization, sound and picture editing (often through freelancers), promotional marketing and distribution are regularly undertaken by third parties, any one of whose workflows could potentially make a breach more likely.
When I talk with people about security, I often hear, “We don’t have it in our budget,” “We’re too small,” “It’s not up to me.” No one has security in their budget and it’s no one’s responsibility until you are the victim of a hack. Then, it’s amazing how quickly a budget is made available and then it becomes everyone’s responsibility. Companies need to adopt strategies and procedures that reduce risk. And it must be a top-down approach. Lower-level staff often lack the decision-making and budgetary authority to set company-wide policy, believing, “That’s the board’s job.”
Executives can avoid the risk of cybercrime by assuming greater responsibility for security policy. In the entertainment industry, studios could limit the risk of piracy and ransomware by mandating stronger and more practical security protocols. They could, for example, make funding for each film or TV production contingent on having a line item of security expenditure for measures that will be enforced. Producers and directors, who often have autonomy in running their projects, would be required to make itemized security a part of the package.
The challenge in post-production is how to make encryption compatible with professional editing platforms like Pro Tools, Media Composer, Final Cut and Premiere, as well as different file formats from QuickTime and ProRes through to MXF. Fortium, in collaboration with NBC Universal, came up with the answer in MediaSeal®, which is a file and OS agnostic encryption-at-rest solution using access control by individual file and user. MediaSeal software keeps data encrypted while it’s being worked on or stored. If protected files are accidentally distributed or hacked, the content cannot be leaked. It’s inexpensive and you pay as you go. Many of the blockbuster movies and TV shows are already using it.
According to a study by NCC Group, only 13 percent of CEOs are directly responsible for managing their company’s cyber risk. When it gets to 50 percent then we will know security is being treated more seriously from the top. There is a range of practical measures that help reduce the risk of cybercrime within an organization. Among the most important is the education, training and awareness of employees, including executives and the board.
Referring to one of the latest ransomware attacks, information security firm Sophos claims, “Thought WannaCry was bad? You ain't seen nothing yet.” They forecast that the perpetrators’ success will embolden others and ransomware will get much worse in 2018. The WannaCry ransomware attack that appeared last May infected more than 230,000 computers worldwide. The subsequent Petya and Bad Rabbit ransomware attacks produced similar consequences. Criminals who write ransomware and other malicious software are now operating what amounts to profitable franchise businesses, selling their source code to others with criminal intent. They have no lack of buyers because cyber-crime pays. Some 40% of businesses admit to paying ‘affordable’ ransoms to avoid costly downtime and negative publicity.
It’s time for action rather than inertia, and the sooner we face up to budgeting the time and cost of comprehensive preventative security measures, the less our risk is going to be. We forecast there will be plenty more security breaches in 2018 but less so for film and TV if more proactive measures are taken.