The visibility and larger-than-life profiles of entertainment companies make them an attractive target for a diverse group of adversaries, each with their own motivations and methods.

Insiders, content pirates, hacktivists, and state-sponsored attackers — all of these threats pose a tangible risk to the financial, legal and reputational standing of entertainment companies.

In the entertainment industry, the valuables can be intellectual property (IP), such as pre-release content or scripts, a broadcast feed, confidential marketing plans and financial information about entertainment projects, identifying information about talent and employees, sensitive emails, and the ability to operate as a business by using computers.

Hackers’ motives may be economic, but they can also be political, personal or simply for bragging rights. When a hacker’s target is information, his or her goal can be stealing, deleting, corrupting or denying access to that data. And the methods of hacking are ever-evolving.

The motives and means of entertainment industry hacking are exemplified by the Sony hack in 2014, considered the worst in Hollywood history, which brought down Sony’s entire network for weeks and leaked highly sensitive information; the Larson Studios hack in 2017, which resulted in the release by hackers of 10 new episodes of Orange Is the New Black; and the HBO hack in 2017 that resulted in the unauthorized release of five draft Game of Thrones scripts and unaired episodes of shows such as Ballers, Curb Your Enthusiasm, Barry, The Deuce and Insecure, as well as personal information about Game of Thrones actors, internal HBO documents and administrator passwords.

Vulnerabilities

Even entertainment companies with rigorous security protocols are vulnerable to attacks. Sensitive data can be compromised as a result of internal sources, such as an aggrieved, untrained or careless employee, as well as external sources.

Entertainment content is particularly vulnerable due to the fact that there are many vendors and third parties who work on entertainment content in post-production, such as editing, sound editing, special effects, musical scores, market research screenings, and development of marketing collateral and trailers.

There are numerous and ever-growing methods hackers use to access data, including the following:

  • Keylogger: software that records the key sequence and strokes of your keyboard into a log file on your machine, including your personal email IDs and passwords.
  • Denial of service (DoS\DDoS) attack: a technique to take down a site or server by flooding that site or server with a lot of traffic that the server is unable to process all the requests in the real time and crashes.
  • Fake WAP: software that fakes a wireless access point. This WAP connects to the official public place WAP. Once you get connected to the fake WAP, a hacker can access your data.
  • Eavesdropping: a hacker monitors the computer systems and networks to gain unwanted Information.
  • Phishing: a hacker replicates the most-accessed sites and traps the victim by sending that spoofed link. Once the victim tries to login or enter some data, the hacker gets that private information of the target victim using the Trojan running on the fake site.
  • Virus or trojans: malicious software programs installed in the victim’s system which send the victim’s data to the hacker.

Preventive measures

Typically, the means to protect data from hackers involves securing the systems in which content is held, transferred and used. This system approach requires performing a privacy risk assessment of the security systems, drafting a thorough pre-breach incident response plan and rigorous employee training.

A pre-breach incident response plan should include the following components:

  • Establish a response framework. An effective incident response plan contains a framework for action where key decisions are made ahead of time and do not have to be made under pressure.
  • Publish incident notification procedures. This information should be published for all personnel, including employees and contractors. It can also be part of new hire orientation and routine employee awareness activities.


Cyber resilience
, which requires designing security into each specific content item, should also be employed, so that every step of storage, use and transfer of that content will be protected.

Here are seven concrete steps towards cyber resilience that entertainment companies should consider to strengthen their security against threats:

  1. Ensure executive governance: Resilience must begin with a vision and budget set by executive management and accountability established at the board or audit committee level.
  2. Shore up databases: Serious proactive measures need to be taken at the database level. One principal form of attack against databases is exploiting unpatched vulnerabilities in web and application servers that sit in front of those databases.
  3. Shelter pre-release content: Build layered pre-release security programs and have multi-level protection policies, such as establishing tight chains of custody on copies of content, using digital rights management technologies and using secure cloud portals with dual factor authentication.
  4. Risk-review controversial content: Establish a risk review before controversial content is green-lighted.
  5. Protect live broadcasts: Employ a higher degree of segregation between the corporate and production networks, as attackers typically gain a foothold in the corporate network and then try to move laterally into the production network.
  6. Safeguard email: Employ email protocols and restrictions to prevent interception of valuable intellectual property, trade secrets or personal identifiable information.
  7. Expand insider risk programs.


What to do if a breach occurs

  • Validate: Examine the initial incident information and available logs to confirm that a breach of sensitive data has occurred.
  • Manage: Carefully document all investigation and mitigation efforts, including interviews with key personnel. Seek advice from your legal counsel on the approved methods for protecting digital evidence.
  • Investigate: Assemble your incident team and investigate the breach. Continue to monitor the status of the breach.
  • Mitigate: Act quickly to reduce the impact as much as possible. Identify and secure all affected data and devices.
  • Notify: If your customers’ information is exposed, affected individuals should be notified as soon as possible and within the time frame of the federal, state and local laws.
  • Debrief: Always hold a “lessons learned” meeting after the recovery phase to refine your data security program and breach response strategy.


A top-down approach


Entertainment companies deliver content more efficiently than ever before and reach audiences in places that were unimaginable just a few years ago. But the challenges are proliferating.

Cyberattackers can exist anywhere, whether internally or on the other side of the world. Total impenetrability is not achievable, but thorough security protocols may deter hackers and protect a company from liability for mismanagement of data.

Effective management of cyber risks requires a commitment to resilience that begins at the top of the organization.