Ensuring cyber safety in media and entertainment


Most industries face substantial cybersecurity challenges today, but those affecting media and entertainment are distinct and complex. Media production can be distributed across a multitude of independent global players. Each contact point increases vulnerability to attack. The product itself is often highly valued, highly visible, and, in some cases, ideologically charged. All of these qualities increase their risk profile for theft or disruption.


The challenge of safeguarding content from theft and other disruptions is as old as the industry. Grant Thornton Risk Managing Director Caesar Sedek said, “Before content is delivered, it moves through so many different aspects of the ecosystem from production companies, onsite principal photography, post-production, VFX, localization, editing, and color correction. Content is touched by hundreds of people and hundreds of companies.” 




Complex motivations raise risk profiles


Cyberattacks are typically motivated by greed. For example, the United States saw 217 million ransomware attacks in 2022, and illicit profit was certainly a factor in many of them. However, because of the industry’s high profile, cyber-attacks and other malignant actions are often motivated by a combination of malice, mischief, bravado and ideology. Sedek said, “Sony Gaming was hacked just because people were not happy with Sony as a corporation. Some of those hacks were a matter of establishing street cred. Some targets are hacked just because they’re there.”


That isn’t to say such attacks don’t have financial consequences. Grant Thornton Media and Entertainment National Leader Deborah Newman said that, “although the actors that perpetrated the Sony leaks might not have any financial gain, it destroyed certain reputations.”


At times, media company attacks are motivated more explicitly by politics. Last December, the Malek Team, with reported links to Iran, hacked the Israel-based Dori Media Group, compromising over 100 terabytes of information. After the Russian invasion of Ukraine, hackers took over Russian television stations and broadcast pro-Ukrainian messages. While programming takeovers are a particularly bold move, hackers may also score political points through disrupting, spoofing or embarrassing their cultural or political enemies. They can also spread misinformation through spoofing or increasingly sophisticated deep fakes.


Yet other attacks occurred for a very simple reason unique to media and entertainment: bootlegging. People are motivated by wanting to watch movies, play games, or otherwise experience content not yet available to others. So, movies not yet released in certain markets have been bootlegged. Properties which had been retired by streaming companies have been appropriated and sold on sites on pirate sites and the dark web.


Despite these complications, many attacks against media and entertainment companies resemble attacks against other large enterprises in both their motivations and their approaches. A January 2023 attack against the social media platform X confirms this trend. The X hacker demanded $200,000 after exploiting a flaw in the API to extract user information.




No panaceas, only best practices


The question, of course, is what to do?


Regrettably, no single solution exists. Bad actors who pirated a flawed, unfinished version of “The Hulk,” undermined the movie’s release. Grant Thornton Media and Entertainment National Leader Deborah Newman emphasized that “the theft of ‘The Hulk’ movie destroyed millions of dollars of value because the unfinished product wasn’t up to the studio’s standards.”


For content protection, the Trusted Partners Network (TPN), from the Motion Picture Association (MPA) provides third-party assessments, education, and ad campaigns discouraging piracy and content theft.  There also are controls specific to the cloud which production and post-production companies can implement. Because they stream content, companies such as Netflix, Amazon Prime, and Apple have a very specific need to safely distribute their products.


Studio content teams could play an even larger role in protecting assets. They already craft legal agreements which all vendors must sign. When high value content—say, the next blockbuster movie—is being created, they work with the visual effects companies, the digital distributors, and the localization companies in such a way that—unless they can demonstrate very robust cybersecurity measures—they only receive certain pieces of content. This further inhibits piracy.


But there’s an often-overlooked way for media companies to elevate their cybersecurity. They can facilitate collaboration between their content protection teams and their cybersecurity teams. The differences between the two—content teams are populated by lawyers; cybersecurity, by tech specialists—mean they have complementary approaches and knowledge.  The technical people can incorporate legal concepts into their thinking. The legal team can explore how they can leverage technology.  


The application of widely accepted requirements such as SOC2 (Systems and Organizations Controls) can further help manage third party risk.  These are often aligned with security frameworks such as NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework). While there is no formal certification, attestation from third-party auditors provides further reassurance that security best practices are being followed.


Studios have satisfied the pent-up demand for unavailable properties by simply making them available, often via streaming.  Sedek said, “in the last decade, we have changed the release windows globally. We're premiering a movie in every country at the same time. Previously, we would start in the U.S. and then, five months later, the movie would premiere in Europe. That five months period was a prime time for everybody to steal that movie here.” 




Protecting the enterprise


For ransom attacks, data theft, malware and other common attacks, media and entertainment companies share the problems of other large enterprises. Here, fundamental cybersecurity is important. Sedek said: “It is incumbent on companies to understand the threats in their company and across their ecosystem, discern where the data resides, identify the crown jewels within that data, understand their risk profile, and develop a cybersecurity program which includes logging, monitoring, response plans, and a response team. You can’t eliminate risk. But you can take steps to lower it to an acceptable level.”   


This typically begins with an assessment by internal teams or outside experts. At a minimum, such an assessment should inventory your data, determine what your environment can handle, identify who’s responsible for creating and storing data, and who has access to it. Besides mapping your vulnerabilities, such an assessment should generate a path forward for lowering your risk. Because these issues affect all large enterprises, media and entertainment companies can profitably study other high value targets such as governments and energy companies.


Given the amount of damage done by social engineering and employee negligence or gullibility, regular education can also make a significance difference in your exposure. Bad actors have always known that the greatest vulnerabilities are not in systems but with people. 




More media & entertainment insights