According to the FBI, businesses in the United States lost $10.3 billion last year through data breaches. On a global scale, those losses were as much as $600 billion, and while all businesses face virtual attacks, the dynamic, collaborative production practices of the media and entertainment industry make it especially vulnerable to cybercrime. This spring, the nonprofit Content Delivery and Security Association (CDSA) took a key step in combatting those risks with the creation of innovative industry-wide professional standards for film and TV production security.
Created by the CDSA’s Production Security Working Group, the new guidelines are a response to a growing breed of data leaks in the entertainment industry. Media companies have been swiftly adopting new digital technologies as they scramble to adapt to changing consumer viewing patterns, which are increasingly online and on-demand. Yet, as important and useful as these technologies have been, they also create new vulnerabilities.
Film and TV lag behind
Security practices in film and TV are frequently failing to keep pace with these changes. Perhaps the most well-known breach involved Sony Pictures during the production of The Interview, when executives scrambled to manage the circulation of pre-release movie content alongside key financial data and sensitive personal information, giving the world a taste of the high stakes involved in serious media-security leaks. CreativeFuture, a nonprofit that focuses on protecting artists and creative workers from for-profit piracy, estimates that 700 million people seek pirated content from 13.9 billion web pages every month, generating an annual cost of $52 billion to the film industry.
And in the age of “fake news,” insecure data can also be repurposed to reappear in troubling locations, from misleading political content to unauthorized marketing or digitally manipulated pornography. Lori Loeb, director of the digital arts program at Dartmouth College, points out that data security risks are not only financial but go to the heart of media ethics. “For independent media makers, the threat of copying or using content for ‘deepfakes’ is increasing,” she reports. “I find it scary to imagine that content I produce could be used to create a fake news story or ripped off for someone else to use without permission from the actors or producers.”
Not to point fingers but . . .
While the Sony data breach was the product of malicious activity, many others are the result of accidental exposure through an unsecured device or file. These small-scale, low-tech data breaches are often an equal menace to media security. Office printers, for example, were a source of data leaks for 68 percent of businesses surveyed for a recent report by Quocirca.
A rising portion of digital threats come from within organizations too, according to Symantec’s 2022 Internet Security Threat Report, increasing the need for cybersecurity at multiple levels. Regardless of their size or source, all kinds of leaks can send data into the wrong hands. For smaller businesses or independent contractors, a single breach can compromise years of work or take a significant financial toll.
While the entertainment industry has a history of standardized practices in areas like safety, a lack of security norms has meant that workers have needed to adapt to a constantly changing assortment of methods and rules on each production, creating miscommunication and leaching production time. A lack of standard security training has also meant that important issues often go unaddressed; unattended phones or tablets, insecure servers, or unprotected cloud platforms can be an inadvertent source of disastrous leaks.
CDSA to the rescue
To address these issues, production, technology, legal, and security experts from AMC, Bad Robot, BBC, Marvel, NBCUniversal, Walt Disney, and others worked for more than a year in collaboration with online content providers such as Amazon, Netflix, and Hulu and members of the Producers Guild of America to create the CDSA’s industry-wide security standards. Their recommendations offer a blueprint to protect against cyberbreaches from a production’s start to its finish.
Alongside the complete draft of detailed recommendations, the CDSA has released a one-page production checklist, a general summary of guidelines to help with project planning and budgeting, and a sheet of individual responsibilities to be shared with all cast and crew members. They’ve also compiled a list of helpful websites with resources about regulations, international standards, and other data protection strategies.
As useful as these recommendations are, the Working Group cautions that they’re a first draft that’ll need to be constantly updated in response to developing threats. Media professionals need to stay alert to security issues that emerge with innovative technologies and practices. Creating new norms and awareness across the industry will be a crucial step in that process.
7 handy tips for securing your production
The CDSA understands and honors that every production is unique. Their guidelines are designed to be adaptable across the industry, from indie films to big-budget studio productions and promos for small businesses. While some of these recommendations are geared toward high-budget operations — for example, not every project has a dedicated security staff or a full-time IT team — practices like limiting file privileges and setting up remote data wiping are useful for big and small projects alike.
While the guidelines make many specific recommendations for best practices, they also lay out the reasoning behind each recommendation and often suggest reasonable lower-cost or lower-intervention alternatives that may make more sense for a particular production. For example, productions that don’t want to invest in web-filtering software can make clear policies about the use of unauthorized file-sharing sites or other sites known for malicious activities.
The CDSA’s most important recommendation is to establish a security team composed of representatives from all parts of the production to familiarize themselves with the guidelines and adapt recommendations to their specific circumstances. Security teams should decide what strategies make the most sense in light of their resources and priorities, put a plan in place, and communicate strategies to the rest of the crew. Regardless of size, all productions should clearly assign security responsibilities to specific team members to prevent problems from falling between the cracks.
Advance planning, collaboration, and communication are essential to the security of any production. Taking a few key preventive measures in low-drama moments can help projects avoid high-drama outcomes.
1. Define what matters.
Take time at the beginning of production to identify all of the assets that need protection, such as key documents, like scripts and call sheets, and media and design files. Other examples of confidential or protected data include financial records and contracts, personal information, and all electronic communications about the production, including text messages and collaboration tools like Slack or Webex. Once they’ve been identified, they should be tagged ASAP so appropriate action can be taken to protect them. Minimizing the number of copies decreases opportunities for theft.
2. Secure the physical environment.
Cybercrimes are digital, yes, but many have a tangible component to them, one that usually involves unauthorized access to hardware. Network routers, switches, and ports should all be identified and secured. All devices associated with pre- and post-production should be password-protected and physically secured when not in use. If the hardware is in an office, then the office should also be locked when not in use. Private devices like phones and tablets should be collected and secured on set to prevent unauthorized recordings of sensitive material. During principal photography, put one or two people in charge of a locked location where devices can be stored and returned at appropriate times.
3. Secure the virtual environment.
Make sure all networks and devices involved in the production have up-to-date firewalls, anti-virus software, and anti-malware. Choose secure servers for email and text communication about your production. If a production site relies on a shared network, use a restricted network for confidential information and offer a separate Internet-only guest network for other users. Use passwords and multifactor authentication whenever possible. If possible, maintain a data-system access and transfer log to track activity involving confidential information.
4. Limit access.
Access to data should always be on a need-to-know basis. Establish which individuals or groups require particular materials to complete their work and use password protection to restrict the circulation of sensitive files or folders to only those members of the crew. Limit privileges to view, edit, or share within file-sharing systems and cloud applications. Only share confidential data via approved channels, never over private email or social media. Just think what ignoring that protocol did for Hillary Clinton.
5. Look out for irregularities.
Be alert to unusual activity. If the production doesn’t have a dedicated tech team, designate a point person for tracking data activity. Be sure to check that email or social media links and attachments come from a reliable source before you click.
6. Be ready for worst-case scenarios.
Prepare for the possibility that, despite all your best efforts, something might go wrong. Establish a remote lock and/or remote data wipe function for devices; “find my phone” services often offer these functions in the event that a phone ends up in the wrong hands. Always back data up to a secured cloud service or external drive. Have a response strategy in place in case sensitive material is released. Plan the who, when, why, and how for reporting and addressing incidents and concerns.
7. Respond, review, and revise.
If an incident does occur, put your response plan into action and then review and revise your systems to address weaknesses that have come to light.