A botched movie premiere. The leak of more than 170,000 emails and 30,000 internal documents. The resignation of a senior executive. Pirated recordings of at least three major motion pictures. The disclosure of 47,000 social security numbers, resulting in a multimillion-dollar settlement. The Sony Pictures hack a year ago this month was Hollywood’s worst cybersecurity breach on record.
But did it change how the industry is approaching security? Are the studios doing enough to prevent the next hack attack? Or is it just a question of time before we will see another incident of this magnitude?
One fact is indisputable: The Sony hack has gotten everyone in the industry thinking about security. “It was a wakeup call,” says Bryan Ellenburg, who works as a security consultant for the Content Delivery & Security Assn., a trade association that performs security audits for major studios and their vendors. Ellenburg still remembers his phone ringing nonstop for weeks after the hack. “A lot of people were really freaking out at every level,” he says.
The fact that other industries had major breaches of their own contributed to the sense of panic. Hackers were able to obtain 56 million credit card numbers from Home Depot just two months prior to the Sony breach, and close to 80 million people had their data accessed when health insurance giant Anthem was the target of a hack earlier this year.
Image credit: Gary Neill for Variety
Major incidents like these have led to a shift in attitudes toward security in the entertainment industry, argues Mark Lobel, principal at PwC. “It has gotten senior executives’ attention,” he says, adding: “We have seen the landscape changing.”
Wynn Rees, VP of content security at 20th Century Fox, agrees that after Sony, it has become a lot easier to explain the importance of security issues to upper management. “The Sony hack has helped us to remain vigilant,” he adds. (A Sony spokesperson declined to comment when contacted for this story.)
Rees allows that Fox has had its own set of scares. In one incident, employees became victims of a phishing attack — an email meant to look like a legitimate request from a colleague or an industry connection, only to lead to a rogue website that siphons off personal data, gathers information about a company network, or aims to trick users into downloading malicious code.
The email in question is now part of the studio’s regular security training for employees, which is meant to prevent future attacks. “You have to make people paranoid,” Rees says. “Phishing is very dangerous.”
Schooling employees about security should still be Hollywood’s No. 1 priority, Lobel says. In today’s world, that has to include not just email, but also social media. People post photos of their favorite food on Instagram, tell their Twitter followers of their current location, and let the world on Facebook know about their friends and family, he adds. That’s especially true for Hollywood, where everyone networks and draws attention to themselves.
But living a life in the public eye can also provide ammunition for “social engineering,” which is what security experts call the act of tricking people into revealing information that can subsequently be used to access secure networks. “We have seen nation-states do this again and again,” Lobel says.
At the same time, studios have to find a balance between their security and the needs of their employees, Ellenburg notes. Giving every employee a new mobile device that’s securely managed isn’t cheap. “You have to have a degree of trust,” he says. Adds Rees: “We are in the 21st century. People have their own devices, and they are going to work on these devices.”
Cloud services, too, exist in a space that Hollywood long has been wary of. Using the cloud could theoretically improve security by forcing standardization, Lobel says. But it also comes with strings attached: “The reality is that you’ve got a lot more things to monitor,” he adds.
Moreover, studios don’t like that they can’t test the security of cloud vendors in the same way they can their own servers, and they’re wary of a lack of transparency. But in the end, Hollywood is just like any other industry, and at least a partial move to the cloud is inevitable, if only for the fact that production is increasingly global. Says Rees: “It’s about finding a manageable compromise between security and business imperative.”
The global nature of the movie business comes with another set of challenges: Facilities and vendors are increasingly spread around the world. “You do a film in New Orleans, you have a visual effects company in Prague, you do audio in Vancouver,” Ellenburg explains. Not only does this mean that video files and other material are being sent around the globe all the time, it also adds many facilities and local networks to the mix — and these targets outside the studio lots are often the weakest links. “Vendors have been exploited,” Rees says. “You almost can’t trust anybody in this day and age. It’s a real problem.”
Ellenburg’s trade group routinely audits these kinds of facilities all over the world. During those audits, he’s seen some things that raise eyebrows, like editing workstations that were constantly connected to the open Internet, so that film editors could check emails during their break. But he has also seen vendors go the other direction, and make security part of their facilities from the ground up.
His biggest concern is that many production companies leave security up to junior employees with little training, when they should really have a dedicated security adviser on set. But that would come at a price. “The struggle is: who pays for it?” Ellenburg posits. Studios want production companies and other vendors to improve security, but don’t want to foot the bill for it, he notes.
Wendy Frank, who joined PwC last month as a partner specializing in cybersecurity and privacy, and previously served as the chief security officer of the MPAA, allows that businesses see security as an additional expense, but maintains its overriding importance. “It needs to happen regardless,” she says.
That’s because the other side isn’t waiting around to strike. In the past, hackers focused their most malicious attacks on the financial industry and government institutions. “Now, there are a lot of targeted attacks in this industry,” Frank says. Rees notes that Fox’s security team registers and thwarts a number of attempted intrusions daily.
Ellenburg contends it’s important to not just build up firewalls around a system, but also to invest in tracking what’s happening inside a company, to know who has accessed which files from where. “Every action should be logged to be reviewed,” he says. Because in the end, the question isn’t really whether another major hack will occur, but when.
That may be the main lesson from Sony: There’s no such thing as perfect security. “People make mistakes,” Ellenburg says. “It can happen to anyone.”