Sony Hack Aftermath: How Hollywood Is Getting Tough on Cybersecurity

Sony Hacking Crisis
Nathan St. John for Variety

The cyber-attack that crippled Sony Pictures Entertainment may have occurred way back in December, but the reverberations are still being felt across the entertainment industry.

A new normal is setting in, according to panelists assembled Thursday in Los Angeles at the Hollywood IT Summit from companies including Disney-owned Marvel Studios and Live Nation Entertainment.

The Sony incident has prompted some soul-searching at many businesses big and small in and out of Hollywood, which are all exploring their own preparedness to deal with similar scenarios.

“Since the Sony hack, a lot of people are waking up and saying, ‘We’re vulnerable, what do we do?’” said Sean Cordero, chair of the controls matrix working group at the Cloud Security Alliance. “The studios, mini-majors and independents are ramping up efforts to see what the risk is and whether they can shore it up.”

“Conversations are happening at a much higher, broader level,” said Jonathan Chow, chief security officer at Live Nation Entertainment. “A certain group of people in our business assumed the IT guys will take care of that, and they didn’t bother to ask the questions. Now they’re asking the questions — it’s a concern for everybody now.”

However, the increased awareness of the risks can be something of a “double-edged sword,” according to Chow, who finds that all the new-found media attention on the subject is prompting more double-checking of his security measures from colleagues inside the company.

“But I like having the discussion,” Chow said. “They understand the need and imperative for a well-funded security group.”

Sean Flynn, chief technology officer at Marvel Studios, said the Sony incident spurred an immediate response from within his company. “We were summoned immediately into the boardroom to identify our vulnerabilities and risk,” he recalled. “We had to conduct a security review, which we found to be really beneficial.”

That review encompassed everything from preparing countermeasures through threat-modeling and attack-mapping to imposing stricter controls for data encryption, multifactor authentication, privileged account management and identity management in the cloud.

Bryan Ellenburg, security consultant for production and post-production editorial at the Content Delivery & Security Association, described a tightening of controls across the supply chain industrywide.

“I’m starting to see a retrenchment,” he said. “I want to see more logging, watermarking and session-based visibility of any documents, budgets and schedules.”

Key to driving increased discipline, according to more than one panelist, is for new protocols to be observed at the highest levels of a company. “Because senior leadership follows the same set of rules, it’s easy to get everyone on board,” said Flynn, who also credited improvements in training practices with spreading the gospel of better security more effectively.

Another aid to cybersecurity, according to Ellenburg, is for content companies to share information on best practices. “I highly encourage collaboration and putting together working groups that can share anonymously, and a centralized app that can send out alerts across our industry,” Ellenburg said.

As much progress as has been made in Hollywood since the Sony attack, there is still much room for improvement. Panelists described intentionally tricking their own employees into opening the questionable email attachments that are often a hacker’s way into a computer network. The goal is to teach the perils of spear-phishing.

“It’s staggering, the number of people who will click on a link to get the free Amazon gift card,” said Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, and moderator of the panel. “It’s kind of scary.”

The Hollywood IT Summit was held at the Hyatt Regency Century Plaza by the Media & Entertainment Services Alliance.