Embedding cybersecurity into day-to-day operations

In the third and final article in this cybersecurity series, Groundwire Security CEO James Bourne outlines the link between security and safety and explains how you can bake security into facility operations, productions and workflows.

Every so often on set, everything that can go wrong does go wrong. Sometimes this leads to tragic but avoidable incidents, including injury and death.

On the surface you might think: What do on-set incidents have to do with cybersecurity? In fact: everything. Cybersecurity is not only about computers and networks. One of the basic tenets of cybersecurity is protecting human life.

In our industry, failures to establish and follow protocols can lead to loss of human life, especially when stunts or firearms are involved. Tragic events provide the most extreme examples from which lessons can be applied to facility security operations.

Many factors can contribute to on-set incidents including:

  • Production takes place without key safety experts available
  • Safety protocols are not included in call sheets
  • Safety protocols are not followed rigorously
  • A crew that is fatigued from long days
  • Existing safety concerns have not been addressed
  • Dangerous items such as weapons and ammunition are not organised and stored securely
  • Safety equipment is subpar or completely lacking

Any of these factors can lead to worst-case scenarios, such as the tragic incidents in 2021 on the set of Rust and in 1994 on the set of The Crow. These tragedies demonstrate the importance of security and safety and the consequences if they are overlooked. Taking shortcuts and not understanding the risks involved not only jeopardises a production but also endangers the health and safety of cast and crew.

The same principles apply to cybersecurity and content handling.

To mitigate the on-set factors listed above, security and safety should be a top-down endeavour that is applied consistently. I’ve audited facilities where they were initiated from the bottom up. It doesn’t work. As the facility owner or manager, you must engender a culture of security and safety, and be fully accountable for any untoward outcome. I’ve witnessed first-hand two incidents in VFX production in Australia where safety was overlooked:

  1. A facility dangerously overloaded its power protection systems. The power protection system exploded, sending molten copper flying through the walls, causing the facility to catch fire and the fire brigade to be called.
  2. A member of the facilities team performed unauthorised cabling work with inappropriate tools and stabbed themselves in the femoral artery, nearly bleeding out in a server room. We had to apply a tourniquet and rush the individual to the hospital.

The point is: you can’t stop accidents, but you can put mechanisms in place to minimise risk and protect the workforce. The two incidents cited above show how taking shortcuts can result in disaster, including bodily harm and death, and both could easily have been avoided. Security frameworks include controls designed to protect against exactly these types of incidents: the physical and environmental controls in ISO/IEC 27001, for example, cover supporting utilities such as power protection (including its testing), cabling security and equipment maintenance. Management must mandate security and compliance while balancing the trade-offs: security vs. productivity, security vs. budget, and so forth.

Further, security awareness education is essential. Safety left in the hands of unqualified individuals can lead to disaster. You must train your staff appropriately so that they fully understand cybersecurity and the consequences of poor cyber safety, whether that means on-set safety or education in incident escalation, personal information protection, phishing, social engineering, or just plain old kilowatt, amp and volt calculations for your infrastructure.
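As an illustration of the kind of infrastructure calculation meant here, the following Python script checks whether a rack of equipment fits within its UPS and branch-circuit ratings before anything is plugged in. It is an added example written for this page, not code from the author or from any facility audited; the device list, the UPS rating and the 80 per cent continuous-load derating are constructed assumptions, and the figures you use should come from your own nameplates, your electrical standard and your UPS vendor.

```python
"""Power budget check for a rack fed from one UPS and one branch circuit.

Added example, not from the original article. The device list, the UPS
rating and the 80 % continuous-load derating below are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    volts: float                # supply voltage the device is plugged into
    amps: float                 # nameplate (maximum) current draw
    power_factor: float = 0.9   # assumed; 1.0 for a purely resistive load

    @property
    def apparent_va(self) -> float:
        # Apparent power is what the UPS inverter, outlets and cabling must carry.
        return self.volts * self.amps

    @property
    def real_watts(self) -> float:
        # Real power is what the UPS battery actually has to deliver on mains loss.
        return self.apparent_va * self.power_factor


def check_power_budget(devices, ups_va, ups_watts, circuit_amps, derate=0.8):
    """Sum the load and compare it with the UPS and circuit ratings after
    derating for continuous load. Returns a report dict; 'ok' is False if
    any limit is exceeded and 'problems' lists which ones."""
    total_va = sum(d.apparent_va for d in devices)
    total_w = sum(d.real_watts for d in devices)
    total_a = sum(d.amps for d in devices)

    # A UPS carries two ratings (VA and W) and the outlet circuit a third (A);
    # the rack must fit all three, not just the headline VA figure.
    limits = {"va": ups_va * derate, "watts": ups_watts * derate,
              "amps": circuit_amps * derate}
    problems = []
    if total_va > limits["va"]:
        problems.append(f"apparent load {total_va:.0f} VA exceeds {limits['va']:.0f} VA")
    if total_w > limits["watts"]:
        problems.append(f"real load {total_w:.0f} W exceeds {limits['watts']:.0f} W")
    if total_a > limits["amps"]:
        problems.append(f"circuit load {total_a:.1f} A exceeds {limits['amps']:.1f} A")

    return {
        "total_va": total_va,
        "total_w": total_w,
        "total_a": total_a,
        "ups_va_utilisation": total_va / ups_va,
        "ok": not problems,
        "problems": problems,
    }


# Constructed sample rack on a 240 V supply (nameplate values are made up).
RACK = [
    Device("render node 1", 240, 3.2, 0.95),
    Device("render node 2", 240, 3.2, 0.95),
    Device("storage array", 240, 4.5, 0.90),
    Device("top-of-rack switch", 240, 0.8, 0.85),
]

if __name__ == "__main__":
    # Assumed UPS: 3000 VA / 2700 W, fed from a 10 A outlet circuit.
    report = check_power_budget(RACK, ups_va=3000, ups_watts=2700, circuit_amps=10)
    print(f"UPS utilisation: {report['ups_va_utilisation']:.0%}")
    for problem in report["problems"]:
        print("OVERLOAD:", problem)
```

Run as-is, the constructed rack draws about 2808 VA on a 3000 VA UPS, which looks like it fits until the 80 per cent derating is applied; all three limits are then exceeded and the script says so. The same check with only the two render nodes passes. Keeping this kind of arithmetic in a script that is run before a change, rather than in someone’s head during it, is the low-friction control the incident above was missing.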

I recently audited a facility where the entire crew was trained monthly on emerging cybersecurity threats. The facility delivers pre-theatrical content that has been used in many of the top ten grossing films in the last five years. The company position was that it cannot let its guard down; content loss and facility disruption are not an option. Facility and content security starts and stops with the employees. Security is an integral part of their everyday operations, workflows, and culture. They measure and benchmark it. The owners of the facility request monthly reports detailing any incident.

I follow the job postings listed on an industry technical forum called Studio Sysadmins. I have yet to see a single job advertisement that explicitly requests knowledge of and exposure to cybersecurity practices. I believe it is a failing industry-wide. After auditing numerous facilities in the last three years, I am still not convinced the industry takes cybersecurity seriously. It is seen more as a ‘tick box’ to be able to bid on work. This is unacceptable. Security awareness training should be mandated. Make it regular, innate, and integral to your business operations. Make it fun and grounded. Make it low friction. Engender a culture of safety and security in your business.

Facilities need to build balanced workflows based on the risks involved to allow security and safety mechanisms to function properly and thrive. When auditing, I have seen that it’s either feast or famine. Some facilities “get it” and design workflows and pipelines with security baked in and the users of those systems in mind. The risks are easily identified and measurable. These facilities make it easy to meet security and compliance requirements through training and education.

On the other hand, some facilities completely overlook any form of security. Others build excessively complex workflows or rely on antiquated systems that require the production crew to jump through unnecessary hoops that are eventually avoided or circumvented.

It’s imperative to build your workflows and pipelines based on security controls that are either industry-specific (e.g., MPA or CDSA) or internationally recognised (e.g., ISO/IEC 27001:2022 or NIST CSF). Ensure those controls are enforced, measurable and auditable. Choose a control framework and adopt it. Hire staff that are security savvy. Implement the controls as prescribed by your content owner. Protect your client’s work and your business’ reputation. Don’t be a victim.

With the previous points in mind, there are barriers to successfully implementing safety and security in your business. We will discuss three.

  • Management obliviousness and preoccupation. Some facilities I’ve audited view security as plain evil; it costs money and wastes time. These thought processes usually stem from a lack of education at a management level. On the other hand, many facility owners and managers are creatives at heart. They often don’t fully understand security and perhaps turn a blind eye or are preoccupied with getting productions out the door. A balance needs to be struck under these circumstances. As part of our audit processes, we seek evidence that management has committed to implementing an information security management system and is trained appropriately to deliver a functioning system back to the business. As mentioned previously, lack of education is one of the main barriers to implementing functioning security frameworks. Choose a security management team made up of individuals who understand it and what it means to the business. Put the onus on them to deliver. Ensure the successful implementation of the security management system is reviewed regularly.

  • Security fatigue. Yes, the newspapers are full of “business X was hacked” articles. Yes, you have another Disney audit looming. Sure, the last two years of COVID lockdowns and restrictions have negatively affected your business. It’s hard to maintain a security posture when managing security is viewed negatively. At one Australian facility, I worked closely with the head of IT to try to turn security management into a positive experience, by collaborating closely with the content owner’s security management team and educating the internal teams. We chose to approach it as a learning exercise rather than a combative one. We leveraged what the content owner had to offer from a security implementation perspective. We implemented their architecture and followed their lead. We educated the business and the individuals within it that security should not be taken lightly. We built processes to expedite audits and manage the internal security programs.

  • Security operations (or the lack thereof). Many facilities don’t have a security operations team, or the function in the business is poorly defined. A security operations team is a centralised function within a facility employing people, processes, and technology to continuously monitor and improve the facility’s security posture while preventing, detecting, analysing, and responding to security incidents. It’s imperative to implement security operations in some form. When a security incident occurs – and yes, it will occur – you need to ensure there are people and processes in place to handle it, even if that means deferring to the expertise of a third-party security operations team managed by your client or content owner.

In summary, security should be an integral part of your business operations. Apply it evenly and consistently. Ensure the business leads security initiatives. Don’t try and “boil the ocean” by attempting to implement all facets simultaneously. Letting your guard down can have significant untoward consequences, so seek expert advice from qualified companies, individuals, clients, or your content owners on how to implement a functioning security management system satisfactorily. Finally, ensure that cybersecurity is one of the foundational drivers of your facility’s daily operations.


Managing psychosocial risk remotely

Psychologists and social scientists may seem a long way from having anything to do with cybersecurity. However, understanding user behaviour can play an essential role in establishing proactive cyber defences in your business.

Where and how we work shapes performance, attitudes, and well‐being. Remote working has introduced new and dynamic risk factors when it comes to psychological workplace safety.

Employee stressors vary from person to person. For one employee, the restricted social interactions that come with a remote working environment might have the most significant impact on their wellbeing, while the restructuring of school hours might be more impactful for another. These sustained stressors, combined with remote workflows, have resulted in a measurably elevated incidence of psychological disorders being reported globally. This can lead to reduced creativity and innovation, and also creates a risk of cybersecurity fatigue, where the mental state is one of individual survival rather than proactive cyber mindfulness and awareness. In a recent survey by ClubCISO of its 500-strong chief information security officer membership, more than 60 per cent of respondents reported increased stress over the pandemic.

As mentioned in the accompanying article, protecting human life is the highest priority in any cybersecurity strategy. This includes treating the mental and physical risks within your human resource pool. Aside from the importance of maintaining the health and wellbeing of your employees, suppliers, and partners, managing the psychosocial risks associated with geo-distributed employees underpins the success of all other cyber initiatives. Be aware that virtual working environments can push cyber and IT professionals even further, as they carry the weight of delivering the technology that underpins remote workflows.

Work‐home interference, ineffective communication, procrastination, loneliness, workload, and self‐discipline are just a few of the challenges remote working can create. Fostering employees’ resilience is vitally important moving forward. You don’t have to go it alone. As an example, Dell Technologies has dedicated M&E-focused resources, initiatives, and materials designed to make navigating content security and cyber governance easier.

Considering the human will enhance your ability to estimate the likelihood of attacks and potential cyber risks within your organisation, your suppliers, and even yourself. Understanding human nature, behaviour, and actions could be the difference between defending against or becoming the victim of a cybersecurity attack.

Alex Timbs, business development and alliances manager – media and entertainment, Dell Technologies.


Read the first article in this series, ‘GRC: Cybersecurity governance, risk and compliance’, and the second, ‘Securely managing remote working and distributed workflows’.