Book publishers, movie distributors, TV producers, game developers, and newspaper publishers are just a few of the many businesses in the media and entertainment industry increasing their use of online services. Streaming services and the production of digital assets are the norm for media companies around the globe.
While the entertainment industry has quickly increased its use of online infrastructure to create, market, distribute, and sell intellectual property, it is behind the curve on cybersecurity. Media and entertainment companies can respond slowly to cyber incidents compared to businesses making up critical infrastructure in highly-regulated sectors, such as finance and healthcare. This lack of preparation can cost dearly financially, legally, and in terms of reputation.
This post explores the cyber risks of the entertainment industry and how media and entertainment businesses can reduce the risk of cybercrime with cybersecurity policies, procedures, and best practices.
Cyber Risks in the Entertainment Industry
Some of the top cyber risks threatening entertainment companies are industry-specific. However, many cyber threats affecting entertainment businesses are common to other businesses.
As is often the case, cybercrimes affecting the entertainment industry are largely financially motivated. Whatever the reason and source behind the cybercrime, entertainment companies often find themselves on the back foot when faced with a cyberattack.
One case is when cybercriminals hacked Disney+ accounts the moment Disney launched its online service, demonstrating how ill-prepared for a cyber incident they were and how organized hackers were by comparison.
Disney was neither prepared for the vast number of people demanding access to popular shows nor for the simultaneous data breach in which hackers changed many users’ passwords and sold or offered the hijacked accounts for free on the dark web. Customers severely criticized the company on social media, causing reputational damage that cannot be measured in lost revenue but can do lasting harm to a business.
The first step for entertainment businesses to protect themselves and their customers from cyber attacks is to understand the cyber risks most relevant to these businesses. Then they can strategize to build long-lasting, robust businesses people can enjoy and trust.
Web Portals and Data Theft
With its move to using more online portals and streaming services, the entertainment industry asks consumers to set up accounts and enter sensitive data on their websites, including credit card details and dates of birth.
Streaming and ticket sales are examples of the entertainment industry’s increasing internet use and, therefore, entertainment companies’ growing attack surfaces. These use cases expose the industry to more potential attacks where cybercriminals seek clients’ personal data.
As entertainment businesses cater to customers with the modern online customer experiences they expect, they add to their vulnerabilities. Cyber security threats online include using malware such as keyloggers or spyware with which hackers can determine the access credentials of customers or staff.
Hackers may then use this stolen information to achieve unauthorized access to restricted areas, to add credibility to phishing attempts, or to sell the information on the dark web.
This specific kind of malware is on the increase in all industries. It’s a significant risk for the entertainment industry because, as well as causing massive disruption, it also risks lost reputation and stolen intellectual property, which are crucial for media companies.
Third-Party and Supply Chain Risks
Media and entertainment supply chains have many moving parts. This includes a long list of vendors and other third parties that can pose significant security risks for entertainment businesses. A disruption to a long-tail supply chain like that of the entertainment industry can cause ripples far and wide.
The COVID-19 pandemic pushed many businesses into rapidly adopting remote working practices, but entertainment organizations often have an especially large number of people working remotely, especially creators.
Remote working creates many cybersecurity issues because it means unvetted personal devices accessing business networks. Unsecured or poorly secured endpoints, such as personal mobile phones and Internet of Things (IoT) devices, are vectors for malware infections and data breaches.
Leaked Content and Movie Pirating
Movie and TV businesses are particular targets for cybercriminals seeking to access unreleased content. They can distribute this, either for money or for free, on the internet via file-sharing servers. Cybercriminals may use phishing and spear phishing attempts, tricking staff into revealing their access credentials and allowing them to access restricted areas and release pirated content.
In 2017, a data breach at HBO led to many unreleased episodes being leaked, including episodes of Game of Thrones. Also in 2017, the Dark Overlord group released episodes of Orange is the New Black, despite receiving a $50,000 ransom payment.
Even if malicious threat actors don’t access unreleased content immediately, they can use illicitly gained access credentials to enter an unsegmented network and move laterally. On encountering other passworded systems, guessing or using bots may give them access to more sensitive and valuable information.
Entertainment content is also sometimes leaked by insiders. While not all these leaks are malicious, insider threat is a significant risk because they have privileged access to post-production processes of multi-million dollar movies and other valuable and desirable intellectual property.
Sabotage or Hacktivism
In 2015, a hack of Sony Pictures Entertainment was linked to malicious threat actors in North Korea. The hack caused about 100 terabytes of data to be erased and compromised sensitive data, including celebrity earning figures, social security numbers, and unreleased content.
The target was “The Interview,” an alternate-history movie about an assassination attempt on North Korean leader Kim Jong-un. The hack was linked to North Korea, demonstrating that hacktivism can be state-sponsored to limit access to controversial political messages in movies and music.
Leaked High-Profile Emails
Having personally identifiable information (PII) and personal details compromised can be devastating. Combined with celebrity status and high-profile content associated with popular figures or leading brands, the stakes can be far greater, as can the potential harm to individuals and businesses.
In addition to hacktivists making political statements, ransomware and threats to release sensitive information on public figures abound. Money is the typical motivation for such attacks.
The entertainment industry comprises numerous multi-billion dollar businesses and wealthy, high-profile figures who would wish to preserve their brand images and reputations. Consequently, there is no shortage of people for cybercriminals to attempt to manipulate and intimidate with well-placed and varied ransomware attacks.
Social Media Breaches
Celebrities and entertainment companies are increasingly using social media to engage their audiences. However, this provides another attack vector via which hackers can cause disruption.
Hackers can hijack social media accounts of high-profile individuals with many followers and use them to spread malware, fake news, or inappropriate and damaging content. Attacking the followers of famous people on social media can be a successful strategy for hackers, so hijacked accounts and subsequent social engineering activities are major risks.
Because entertainment businesses and celebrities invest a lot of time and money in controlling their brand image via social media, an attack here can damage their credibility.
Security Solutions for the Entertainment Industry
Fortunately for the entertainment industry, the C-suite is taking cyber threats seriously. This is good news because the impact and frequency of cyber attacks are increasing.
There are practical ways that entertainment businesses can improve their security postures by employing a cybersecurity strategy that:
- Assess and address immediate needs
- Remediate cyber risks and vulnerabilities
- Ensure future data protection through robust information security policies and procedures and regular testing
An excellent risk management process is the starting point for improving any business’s cybersecurity.
Through the component practices of risk management, an entertainment business will understand cyber risks that affect the industry, define its security posture within that cyber threat landscape, and then prioritize the protection of its assets according to the likelihood of various cyber incidents occurring and the potential damage of each.
Cybersecurity Training and Awareness
A business’s people can be a vulnerability or a key part of its cyber defense. It’s always best to have people engaged in cybersecurity issues and invested in their remediation.
Entertainment businesses can vastly reduce their risk of data breaches or content leaks if they prioritize cybersecurity awareness and training. Training initiatives are best implemented during onboarding and should continue throughout the employee lifecycle with regular training, seminars, information, and incentives.
Most of all, cybersecurity training for entertainment businesses should cover the following:
Without awareness training, entertainment industry workers are more vulnerable to various phishing attempts. Knowing how to identify spam and who to contact regarding suspicious communications can save organizations vast sums of money, time, and lost intellectual property.
Training staff and encouraging consumers to maintain secure, unique passwords that are hard to crack is a great investment. Password hygiene includes not sharing passwords with colleagues and updating them periodically.
Not Using Unsecure Wi-Fi Networks
Entertainment companies can help ensure data security by prioritizing endpoint security. With so many people involved in creative industries, often working remotely, ensuring that there is a minimum standard required will be helpful.
Cybercriminals are always on the lookout for hardware and software vulnerabilities to exploit. If a business has neglected to prioritize cybersecurity, it likely lacks the hardware and software updates that would remediate vulnerabilities.
Patching needs to be a documented policy and regular procedure throughout businesses in the entertainment industry, including personal devices used for work, whether or not they ever connect directly to the business network.
Third-Party Vendor Management
No business works in isolation. Entertainment businesses rely on multiple third-party vendors for the product or service life cycles, whether taking a console game from concept to the consumer or using a payment processor to handle credit card details in ticket sales.
Monitoring a business can be challenging. Monitoring a third party has further potential obstacles. However, businesses need to understand that their attack surfaces extend to their vendors, so monitoring them regularly is imperative to ensure data security.
Defining and documenting minimum contractual standards will help businesses work only with vendors prioritizing cybersecurity and maintaining security to an appropriate standard.
Continuous monitoring can prevent attacks that are common in the entertainment industry, including distributed denial of service attacks and the theft of digital assets and intellectual property. A continuous monitoring system can also keep track of employees to prevent or mitigate leaks from insiders, malicious or otherwise.
The movie, music, and gaming industries are at particular risk from leaks of unreleased content. They and other businesses can reduce this risk by severely limiting access to post-production content.
While many people are required to create content, they don’t all need access once their role is complete. Strict, monitored access control can help businesses avoid accidental and malicious leaks.
Access control can also help forensic investigators determine when and how a data breach occurred.
Multi-Factor Authentication (MFA)
A system that requires two or more authentication methods makes it harder for hackers to hijack accounts. MFA should be a factor in internal and client-facing systems. It’s a quick way for most businesses to enhance data security dramatically.
If content or other digital assets are intercepted or stolen from a hard drive or cloud storage, encryption makes it much harder for the cybercriminal to view the data. Because of the value of entertainment industry digital assets, they should all be encrypted where possible, in transit and at rest.
A backup system is essential for all businesses but might be prioritized for entertainment businesses, where digital assets can be incredibly valuable and targeted by cybercriminals.
The loss of intellectual property and digital content via data breaches and ransomware can be devastating. Backups are critical to minimizing business disruption and protecting intellectual property.
To ensure that a business can get back on its feet after a cyber attack or geographically specific disaster, such as a power outage, it’s a good idea to store a copy of critical files away from the primary data center.
Using cloud services introduces risk because the entertainment business must vet the cloud service provider, but the advantage is that backups can then be restored at any time from any location.
Incident Response Plan
Businesses with an incident response plan are more prepared for cyber incidents and can respond more quickly, minimizing business disruption, data loss, and reputation loss.
An incident response plan is a document that covers various cyber incidents, from the most likely and impactful to the least. It should explain who comprises the incident response team, their roles, and their responsibilities. Nonetheless, it should be written so anyone reading it can understand and follow the steps for dealing with each cyber incident.
An effective incident response plan requires rehearsal and regular updates to ensure it is always relevant to the evolving business and the rapidly changing cyber threat landscape in which it exists.