GRC: Cybersecurity governance, risk and compliance

Media and entertainment organisations are particularly susceptible to cyber attacks and data breaches. Groundwire Security founder, owner and CEO James Bourne outlines steps you can take to protect your business. 

You have all heard about cybersecurity, right? It pops up in the news or on social media regularly. Another business or organisation has been hacked, and their confidential information, client and employee data has been leaked. Clearly, cybersecurity is a big deal. 

No business is immune from cyber attacks or breaches. However, media and entertainment (M&E) companies are particularly susceptible for various reasons, including short production timelines, generally relaxed security, large production budgets, and high-value content.

So how does cybersecurity apply to you, your projects or your crew? How is it going to affect your production or facility? Will you go broke implementing cybersecurity protections? What does being “hacked” really mean?

Hopefully this article will answer those questions and give you a few pointers on how to go about implementing cybersecurity in your organisation. 

Let’s get started with a definition. The US Cybersecurity and Infrastructure Security Agency (CISA) defines cybersecurity in its simplest form as art (high art even!): “Cybersecurity is the art of protecting networks, devices and data from unauthorised access or criminal use. It’s the art of maintaining information confidentiality, integrity and availability.”

Every organisation involved in M&E is dependent on technology, irrespective of whether it’s a small VFX facility or a large studio. Therefore, every organisation needs to understand the risks involved in operating and using technology. If you’re a facility owner or head of production, you need to ask yourself questions such as: Does my business, facility or production fully understand the technology in use, the risks involved, and the consequences of the misuse or abuse of those systems? Can I afford the loss of confidential information or content? Can my business afford to pay a ransom? Can my business afford to have its reputation tarnished for not taking cybersecurity seriously? What would my clients think? Would they ever want to work with my facility again if it was compromised?

Now, this might all sound dramatic and alarmist, but the risks are genuine.

In March 2021, the Nine Network suffered a cyber attack. It was the most significant cyber attack on a media company in Australia’s history. The attack brought down their entire live broadcast and corporate news production systems for over 24 hours. Employees were forced to work from home while the company mopped up. The recovery process took weeks. Industry experts identified MedusaLocker Ransomware as a Service (RaaS) as the culprit.

How could this happen? The specifics have never been publicly disclosed, but it would appear that “state actors” infiltrated Nine’s networks, allowing the ransomware’s detonation on their production networks. Let’s be crystal clear: this was a targeted criminal attack designed intentionally to disrupt Nine’s newsgathering and newsmaking operations severely. The goal was to cause maximum damage and extract a ransom – a fee paid to the hackers to decrypt Nine’s files. Nine eventually recovered their systems and did not pay the ransom. Nine were never able to identify the actual attackers. Nevertheless, the attack made national and international news headlines and forced Nine to seek help from the Federal Government’s Australian Signals Directorate, which assists in overseeing the nation’s critical infrastructure.

‘Spider-Man: No Way Home’ (Photo courtesy of Sony Pictures. ©2021 CTMG. All Rights Reserved. MARVEL and all related character names: © & ™ 2021 MARVEL)

In August, a version of the Spider-Man: No Way Home trailer was leaked online, which Sony tried fruitlessly to remove. Imagine that your production company was responsible for delivering that specific pre-theatrical content. How would you explain to Sony how that happened? How would you explain it to your other clients when they found out? What would happen if Sony sued your business for breach of contract as a result?

“With public-facing platforms being the centre of business for much of the media and entertainment industry, companies in this space are uniquely vulnerable to cyber threats from hackers” – ZeroFOX Media & Entertainment Digital Threat Report, 2020

M&E is particularly vulnerable by virtue of its high profile. Productions produce desirable, high-value, sensitive content ripe for exploitation (i.e. piracy/illegal sharing and subsequent monetisation). In addition, major motion picture production budgets can be large, while actors and directors are often high-profile and wealthy individuals. These factors make for clear extortion targets.

Cleaning up from cyber incursion also presents a whole raft of issues and costs, whether it be loss of productivity due to widespread facility disruption, having to pay specialists to help in the recovery process or being forced to pay a ransom.

The good news is that the M&E industry has been working tirelessly over the last decade (especially since the Sony Pictures hack in 2014) to assist facilities in minimising production risks from a technological standpoint. Two industry associations offer free information technology security and risk mitigation cybersecurity “frameworks”, namely the Motion Picture Association (MPA) and the Content Delivery and Security Association (CDSA), which between them represent the bulk of the major US and European studios.

A cybersecurity framework is a collection of best practices that a facility should follow to manage its cybersecurity risk. The MPA and CDSA offer ratified frameworks designed to assist you in measuring risk in a meaningful way and offering “controls” or defences that your facility can use to mitigate risk. The controls are separated into logical topic areas, including facility governance, physical facility security, digital security, secure content handling, and application and cloud security, and come with implementation guidance.

So how do you get started in implementing your facility’s cybersecurity programme? 

The first step is to understand the concepts of cybersecurity governance, risk and compliance (GRC). 

Cybersecurity governance is your organisation’s strategy to protect its information assets and IT infrastructure from cyber attacks or data breaches. This typically manifests itself in standards and policies, as well as committees or working groups to oversee their successful implementation in your business.

Cybersecurity risk is the process of calculating the probability of exposure and size of loss from a cyber attack or data breach. Risk assessments are typically used to determine the likelihood and magnitude of risk and loss, and what defences should be put in place to protect information and assets. This selection of defences is called “treating” the risk.

Cybersecurity compliance is the process of determining whether your cybersecurity defences are robust enough to minimise or eliminate cyber attacks or breaches. Compliance is usually tested using a series of passive techniques, including cybersecurity and content workflow audits, drills and tabletop exercises, and active techniques such as penetration tests, social engineering testing and vulnerability assessments.

The next steps are to form the teams in your organisation that will be responsible for managing or implementing cybersecurity. These teams would typically choose a relevant information security management system (ISMS) framework, such as the MPA Content Security Best Practices or CDSA App and Cloud Security Control Framework, for implementation. The teams would also typically define and establish human resources, implementation and technology budgets. You might need to get some professional advice from your IT team, vendor, the content owner or cybersecurity specialist regarding setting up and maintaining the ISMS. After you have spent some time preparing and rolling out your ISMS implementation, it’s a good idea to liaise with your clients or content owner security teams (e.g. Netflix, Disney etc.) to ensure your implementation is appropriate and robust. It’s also worthwhile pointing out that maintaining the ISMS is an ongoing business activity. Therefore, it needs continual review and tweaking.

In our next instalment, we will look at production challenges and risks in the era of COVID, especially in relation to remote working and distributed content workflows.

A culture shift

Alex Timbs, business development and alliances manager – media and entertainment, Dell Technologies.

The past couple of years have brought a great deal of evolution in media workflows. While many new processes offer long-term value, some have been implemented rapidly and a little haphazardly. For example, during the pandemic, many companies were forced to respond quickly to restrictive policies associated with remote workforces, often cutting corners to retain business productivity.

However, according to a recent IABM survey, security is back as a top-three business consideration, recovering from a significant drop in 2020. This indicates that media companies are once again prioritising the protection of content and associated media workflows. But there is still a long way to go.

Another survey commissioned by Hiscox, an insurance firm, in partnership with Forrester Consulting, found that over half of M&E firms experienced three or more cyber attacks over the last 12 months. This is concerning but not unexpected, as the industry creates and distributes highly desirable products. What is concerning, however, is that in the same survey, 79 per cent stated they were confident in their cybersecurity strategy, despite apparent risks.

Our Media and Entertainment team at Dell works every day with companies around the world, giving us a first-hand view of unfortunate situations that, in many instances, have nothing to do with underlying technologies.

In one example, a customer lost a substantial sum of money when paying a supplier due to poor email hygiene. The CFO’s email was breached via a phishing attack, as the customer used O365 with weak passwords and no multifactor authentication. Bad actors monitored the account for months and injected false banking details into emails about high-end equipment purchases. When the customer attempted to pay their supplier, they paid directly into the bad actor’s bank account! The mispayment wasn’t noticed until a month later when the vendor called the customer asking why they had not remitted payment. Ultimately, the money was completely unrecoverable. What’s worse, the business had previously engaged third-party cybersecurity consulting to assess their security posture, but much of the advice had been dismissed as it was seen as too hard to implement, or not needed.

What went wrong here?

• No email system governance – no authority specifying how email systems should be managed
• No checks and balances on payments – lack of process, controls, or checks and balances in the accounting processes before making a payment over certain thresholds to offshore accounts
• No proactive email protections
• Ignored all professional advice
• Didn’t understand the financial risks associated with the use of the technology
• Didn’t train staff in security awareness
• Didn’t enforce strong passwords
• Didn’t enforce multifactor controls for accounts

In this example, much of the business risk didn’t come from a technology gap but rather from a culture lacking security awareness. Cybersecurity goes beyond just deploying the right tools and requires a culture shift of awareness and good governance, which doesn’t require a significant capital investment. There are a range of security best practices, including the industry-focused MPA and CDSA frameworks, which are a great place to get started.