As the recent HBO hack demonstrates, the risk of cyber security incidents to studios is undeniable. This is the latest incident in an emerging trend of content hacking to hit our industry. It’s not hard to understand why content is a target. Those minutes are worth a huge amount, from time-invested, to box-office value, intellectual property and advertising revenue.
If someone has access to your content they have access to your most valuable asset, that your team has dedicated hours of work into creating and that gives you the edge over your competitors. So, what is piracy’s cost to the content community? Estimates vary widely but in the US they’ve seen numbers ranging from the $6.1 billion a year suggested by the MPAA and LEK Consulting to $20.5 billion annually in costs to the broader US economy, per a MPAA-commissioned study by the Institute for Policy Innovation in 2006.
So, how can the industry protect content?
It’s time for a rethink in how we approach our content security. While security is an issue that spans every part of the content lifecycle, the impact is greater the further up the supply chain it occurs. A single end user sharing a Netflix password costs the company £10 per month; a single download of pre-released content, such as "Orange Is the New Black," could cost millions.
It has been suggested that studios and post-production houses might consider taking their video assets offline, handling them on-site via closed networks and thus reducing the option of automation. This is an outdated approach which, aside from slowing down the production process, might only compound security problems. These include heightening the risk of human error and introducing additional touch-points to the process.
Instead, the content community must think in terms of rigorous security procedures that are drummed into personnel, backed up by an audit trail that logs every person and event that touches a video asset. Of course, there is a balance between a tight security process and the flexibility of your production process – and every studio will find a mix of practices which works best for their situation and team structure (e.g. a team built on remote workers will have to adapt differently to a team who all work from the same space).
Realistically, however, nothing is 100% effective against social-engineering attacks. But following some best practices for “process security” would reduce exposure:
- Ensure all connections are secure. Lock down all network protocol ports that are unnecessarily open. Know what is connecting to what. Eliminate weak links in the chain. Surprisingly, there are still systems that use unencrypted HTTP rather than HTTPS.
- Initiate two-factor authentication. Combining a password with a physical device or token provides is far more secure than using passwords alone.
- Perform regular penetration testing. Check to make sure there aren't holes in the security perimeter.
- Consider implementing digital rights management (DRM) earlier in the production cycle.
- Foster discussion and collaboration regarding security among disparate groups within your organization. Traditionally, production teams have assumed cybersecurity to be the province of the CIO, CTO and information-technology teams. In the new environment, everyone needs to be cognizant of the security strategy and policies.
By Emily Hopson, senior director, global professional services, Ooyala