Bridgend, UK—Apparently there are now three things of which we can be certain: death, taxes and data breaches. Not only does it seem inevitable that we will all become victims of cybercrime at some point in our lives, but the fact that Equifax—a credit bureau whose lifeblood is secure data—can be hacked also fosters the impression that none of us is safe.
While the hacking headline-grabbers have recently included big names like retailers Saks, Under Armour and Orbitz, the media and entertainment business is hardly immune. UK-based Fortium Technologies, founded in 1999, was well placed to respond to the rapid—and apparently rapidly increasing—growth of cybercrime in the media and entertainment industry, having become involved in content security about 12 years ago, according to co-founder and CEO Mathew Gilliat-Smith. At that time, Fortium was helping the Academy secure its annual awards screeners.
As the industry began to adopt a file-based workflow, he says, “One issue was working in sound or picture editing where you have a reference file. You are working on the Avids and the content effectively is in the clear; it’s unprotected, therefore it’s vulnerable.”
Breaches fall into three categories, he reports. “There was an interesting survey done by PricewaterhouseCoopers at the end of 2016. It showed that 30% of the worst breaches are caused by human error. That’s something that is always going to happen”—for instance, someone in a hurry mistakenly forwarding to the wrong person an email containing a link to content or data.
The second area is cybercrime, which falls into two areas. “One is the issue of cybertheft, where someone tunnels into a network—like in the case of Larson Studios—and they steal the content,” he says. The perpetrator then holds the company to ransom, threatening to release the material unless they pay a ransom. In Larson’s case, in 2017, even when payment was forthcoming, the hackers released 10 episodes from the next series of Orange is the New Black.
“The other is where crypto-ransomware works its way in through some malware, locks everything and the company is held to ransom.” The ransomware locks the user out of his or her own files: “There’s nothing you can do until you pay the ransom.”
Thirdly, he says, “There is pure theft. Someone on the outside is paying someone on the inside to steal content. In some of the big, high-profile leaks we heard about last year, had that content been encrypted at-rest then the criminal would not have had access, because he wouldn’t have had the authentication rights. What we’re providing is access control by individual user and individual file.”
Fortium’s MediaSeal security product provides at-rest, in-use and on-the-fly encryption protection throughout the production workflow. MediaSeal is available via a per-user, per-month subscription, or a usage-based pay-as-you-go plan.
“Having encryption on your files while you’re working on them is difficult to do,” says Gilliat-Smith. Indeed, the perceived level of complexity in developing such security software has dissuaded most vendors from offering similar solutions, he says. With Fortium’s approach, encryption is in the workflow, working in the background, without impacting the way people interact with their files.
User access follows a multi-tiered approach. Three-level authentication requires an iLok or soft key, a password and authentication against the server. Access permissions can be specified for specific individuals and time periods. “You might have the rights today to work on the file,” he says, “but tomorrow, if the time window has passed, those rights may have been revoked”
In one major growth area of the film and TV production business, localization, there can be dozens of vendors working on foreign-language dubs. “A file can be sent with access control for a particular vendor. They might have 20 people but only three have been given studio permissions to work on that file,” he says. “That’s an effective way of locking it down to make sure there are no ‘accidents.’”
The two-level authentication model requires just a key and password. Single-level security is password-only: “That means you can protect a file and send it anywhere. The protection stays with that file and you don’t need any other hardware or software tokens to access it,” he says.
MediaSeal is part of a recommended blended solution, he says, combining digital and physical security. Workstations might be air-gapped, but users still need to protect with encryption at-rest, even in a facility with cameras, alarms, controlled area access and other measures.
There are a couple of barriers to wider adoption of all security measures by large and small companies and third-party vendors. “Awareness and education are not always there,” says Gilliat-Smith, who frequently travels to the U.S. to help spread the message.
And of course, there’s always the issue of cost: “The smarter TV and film production companies include security as a budgeted line item. Once it’s in there, people have to follow it.”
That’s a sensible way to avoid cybersecurity breaches, he believes. “No one wants to change the way they do things. But, on the other hand, no one wants a financial disaster caused by a breach on their watch, either.”
Fortium Technologies • www.fortiumtech.com