DATA



Are we fit for cyberwar? (part 2 of 3)

Many cyberattacks of the recent years were related to the media industry.

3. The Culture of Media

There is a commonly expressed caricature of the producer as a dizzy headed creative who cares only for their art and nothing for security. Production teams are frequently portrayed almost like the enemy within – the rogue agents who will ensure even the best laid security plans come unstuck.

Some of our experts work directly in production, and several others routinely work with creative teams. The reports of their experiences appear at first glance to do little to dispel the caricature. But on closer examination what our experts are actually describing is a creative mind that is almost pre-programmed to resist corporate security initiatives.

“Production teams are some of the most resourceful people I’ve ever met – and that usually involves being extremely resourceful at getting around any obstructions in their own way. You can talk to production teams and have a great conversation about how important and valuable their content is. But if you tell them they can only stick it on encrypted drives or in a dedicated cloud, the first thing they will do is go and send it over the Internet.”

“From a security person’s perspective, the most challenging users we have are the creative folk. If there’s anyone that can circumvent a platform, find a way around something, ignore security rules, they’re the ones. What they generally argue is that if you don’t allow me to do this I can’t be creative and therefore I can’t generate content and revenue. When you have a user base of 25,000 people, and most are creative, you have a problem, because every single system you’re implementing they’re seeking creative ways to get around. You’re playing chess against both hackers and your own users on a daily basis.”

As one of our experts observed, however, security teams may be their own worst enemy. There is an instinct among technologists to make systems more complicated – at the very time when producers are discovering they can do more things more simply, whether it’s buying high quality production tools off the shelf, or using consumer-friendly cloud services.

“Speak to people in plain English so that they feel they understand what they need to protect, and how to do it in the simplest way. The fact is, if someone is collecting contestant data for a major entertainment show, they’re not going to want that data to go missing. What chance do they have of working on that show again if it does? One of the controls we often forget we have in the creative industry is that it is populated by freelancers, and it’s bloody hard to get into. Once you’ve made it in, you don’t want to be the source of the content leak that means you probably won’t work again. It’s then up to security experts to understand the life cycle of how content is produced, from idea to screen, and to make things easy and transparent for these creative individuals.”

Producers are hired to produce. And the need to ensure their content is secure is just one of a whole series of pressures and constraints that come with trying to create high quality content, usually in difficult circumstances, and almost invariably against the clock.

“Our whole purpose is to create content – that is our primary focus, not cybersecurity. So we do give security thought, but budgets and schedules are very tight. A director already has a risk assessment, a call sheet, and a limited number of hours to get their content out. Then add cybersecurity to the mix, and it would send them over the edge. It’s our job to protect creative teams from that.”

What such protection means in practice is that it is often those who manage creative teams that take responsibility for putting the necessary safeguards in place.

“We do take security very seriously. We have really robust internal procedures around password protocols, and firewalls. We don’t let people plug laptops into our networks. We encrypt flash drives, we password protect, we have authorisation levels on data.”

In practice the greatest threats faced by many production teams happen outside the office – on location. Out in the field teams may face real, physical threats both to them personally and their data.

“Our priority is to risk assess a production to make sure the crew and contributors are safe. When we send a team to a hostile environment we’ll give them a brand new laptop with minimum data on it. And then we’ll work with intelligence companies and risk assessors to make sure we’re doing the best thing for that environment.”

The irony is that experience gained from working in such risky environments may make production teams more aware than people from other industries of the risks outside the workplace.

“Every sector does have people who put their business at risk. Even the financial sector could do better around security: try travelling in business class and you will be able to acquire a lot of share dealing knowledge just by looking at people’s laptops. Go to the city on a Friday at seven o’clock, after people have had a few beers, and you’ll get plenty of information on deals being made.”

Related Articles: