M+E Connections

Richey May: Pandemic Presents Piracy and Other Increased Threats

The COVID-19 pandemic slowed film production and new film releases to a crawl, crippled theaters and ramped up a wide range of security threats to media and entertainment companies, including piracy, according to John-Thomas Gaietto, executive director of Cybersecurity Services at Richey May Technology Solutions.

Even before the pandemic, cybersecurity attacks represented a major threat to the M&E industry, he said during the Dec. 8 virtual Content Protection Summit.

M&E was the third-most heavily targeted industry by pirates, accounting for 17.63% of cyberattacks, behind financial services (29%) and government (24%), according to the 2020 Verizon Data Breach Investigations Report and 2019 FBI Internet Crime Complaint Center (IC3) report, he pointed out during the “Anti-Piracy, Pirates & Aaaargh!” breakout session “Pirates of the Coronavirus: The Curse of Work from Home.”

“A lot of this was driven by the bad guys being able to figure out how to instill a sense of urgency in an organization, and a lot of the attacks that we saw were through phishing and ransomware, and shutting down production to essentially shake the tree to get some money out of a company,” he said.

However, “with the pandemic, I think there isn’t a single person today that could argue with” the statement that “COVID has fundamentally changed the way companies operate,” he told viewers.

It’s easy to understand why. “Our operations have become geographically dispersed” and “we’ve got folks now working from home,” he noted. Hawaii recently announced that “if you can work remote, we’ll find you housing for the next eight months,” he pointed out, adding that, as a result, “technology teams that support our productions and our overall organizations have had to adjust to this new normal.”

On top of all that, “our employees aren’t used to being in a remote environment most of the time [and] we’re also forcing people to change their mindset,” he said.

Amid all this, “what’s been interesting is that organizations have had to anticipate this cultural shift in how people work, including how you handle creative content,” he noted, explaining: “Our frontline managers… have to adjust our management style. We have to change the technical tools that we’re using to manage our employees as well as handle content and data. We may be removing security controls in our environment so that we can get the content to the creatives to do their jobs.”

What we are “forcing our IT teams to do [is] to create systems that support this new environment — and it’s not like we have a long time for folks to figure this out and make sure that we’ve checked all the boxes,” he said, explaining: “People are doing it extremely fast… and, unfortunately, because of the speed – and it’s the pace of play, right, it’s the speed of the business – security is often an afterthought. And that’s what’s going to get you in trouble, and that’s what’s gotten individuals in trouble.”

One popular way in which creatives and others in the M&E industry have collaborated during the pandemic has been via tools including the suddenly popular Zoom, he said, noting the FBI released a notice about that platform to warn of potential threats.

“But it’s not just that single platform,” he said, explaining: “Many of the online collaboration platforms have had a myriad of different challenges. We’re starting to see this uptick in the bad guys calling the help desk to get temporary credentials to bypass multi-factor authentication. We’re seeing an extreme influx of phishing emails around the pandemic, right? Early on, it was around information trackers.”

Noting that new information was recently released around new lockdowns in California, he said: “That makes it very easy for false information to permeate into an organization. And so it’s forcing us to have formal communication strategies for our staff.”

And then the “last piece of this too is that we’ve seen a lot of malware designed to leverage this fear – the uncertainty and doubt of the times,” he said, adding: “Really, it’s not just the pandemic itself. It’s the shift to remote work. It’s these two things alone that are driving some of the challenges that we see inside production shops.”

What is also driving some of these piracy trends is the fact that so many consumers have been stuck at home, he noted. To help combat these threats, the Motion Picture Association (MPA) released a list of best practices in November.

When it comes to controls and protections, “one of the key things… is monitoring your remote workforce, especially if it’s a remote creative, ensuring that they’ve got adequate physical security in their remote location” – whether it’s their home office or somewhere else, he said.

Also, “we have to, as practitioners, understand what’s being asked of us and what we have to ask of our employees,” he told viewers. For one thing, installing surveillance cameras in employees’ homes “teeters on some privacy boundaries and some considerations,” he warned.

However, he said: “One thing though that you should be doing is thinking about: ‘How do I control the employee’s access at a remote location?’ ‘How do I control how that content is moving?’”

There are a lot of companies “leveraging virtual private networks” (VPNs) for that, he said, but added: “People at home are more likely to do risky things than when they’re in the office. And you have to figure out how you’re going to control that even if you’re not leveraging a VPN. This can be done through” plug-ins.

We are also “seeing a massive uptick in remote desktop technologies for creatives” allowing production companies to “essentially remote control a production studio through” virtual desktop infrastructures (VDIs), he said.

Meanwhile, “one of the other challenges – and I don’t think anybody would have thought of this prior to the pandemic – is I’ve sent you home with a corporate asset and I’ve got my applicable security controls installed but I’ve got multiple kids in my house,” he said, explaining: “We’re all dealing with them learning remotely as well, and so sometimes we’re seeing incidents occur because we’re having company devices that have production content on them shared with kids from school so that they can get their schoolwork done. So they’re plugging in phones, they’re plugging in other portable devices…. And many organizations aren’t equipped to deal with that” and they can’t monitor what is happening.

In addition, we may take all the important steps to mitigate threats, but then don’t change the default credentials, he pointed out. Many companies moved so fast to protect their employees when the pandemic started that they did not double check a lot of issues that should be checked on the security front, he said.

When it comes to handling common vulnerabilities, “one of the favorite things I like telling folks when we’re talking about security or what I should share with other people is that if you can’t talk to your grandmother about it, it’s not worth talking about,” he said.

And he has been telling people a lot to use multi-factor authentication (MFA) to avoid some common vulnerabilities.

“I’ve been saying it so much during the pandemic that I kind of feel like that lady from the Frank’s Red Hot commercial… MFA: You should be putting that on everything.”

Especially now, when so many people are not working from a company’s office, we must be “validating who they are and making sure they are who they say they are and not just relying on someone calling up and asking to have their password reset” or get a link again to download content, he stressed, adding: “We need to be able to control these devices remotely as well.”

A lot of M&E organizations are “struggling because, with the decentralization of assets, they don’t have a cloud-based VPN-based solution to push out patches and continue to have a standardized platform,” he also said.

“As it relates to production organizations, the biggest concern that we’re seeing there is that a lot of folks send a lot of assets out but they didn’t keep a very good inventory of what people took home,” he pointed out, adding: “Eventually, when we move out of the pandemic mode, this is something that a lot of organizations – especially mid-market organizations – are going to have to struggle with.”

And, last but certainly not least, “we’ve seen an uptick in piracy in 2020,” he pointed out. Piracy had been on the decline before this year for reasons that included the fact that “we started having legitimate outlets for individuals to consume content,” he noted.

Most of the piracy we are seeing now arguably comes from streaming service theft. But one major issue around piracy is that consumers do not consider sharing passwords to streaming services theft, he said. In addition, nearly 40% of consumers share their passwords and many of them do not realize that presents a security risk, he noted.

“As we move more into the new reality of streaming content being the primary source of revenue for us as organizations, we’re really going to have to consider more complex authentication methods,” he warned.

Presented by Microsoft Azure, the Content Protection Summit was sponsored by SHIFT, Genpact, Akamai, Convergent Risks, Friend MTS, GeoGuard, PacketFabric, Palo Alto Networks, Richey May Technology Solutions, Splunk, Zixi, EIDR, Cyberhaven and Xcapism Learning.

The event was produced by MESA, CDSA, the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.