Many believe that the adoption of new technologies has left the industry vulnerable to cyber security incidents. This notion holds weight: prior to the digital era, businesses operated on internal legacy systems which were extremely difficult to breach without the proper equipment.
So, do we need to forgo technology altogether in order to ensure the safety of intellectual property?
Quite the opposite.
Digital technologies have fundamentally altered the way the M&E sector does business –– for the better. The ability to access, process, and deliver massive amounts of data at lightning speed has not only helped to amplify consumer experiences, but also reach more audiences than ever before. And on the business side, technology has helped organizations streamline time-consuming manual processes such as rights management and financials.
Adapting to Risk in a Digital World
The Equifax breach proved that hackers can outsmart even the best-laid security measures. This is not to say that every business is doomed to fall prey to an attack of that scale. Rather, it signals the need for businesses to be hyper-aware of the tools, systems, and protocols they have in place. This is especially key as M&E companies continue to adopt digital techniques to manage complex creative and distribution processes.
The Shift to Cloud Computing
The proliferation of portable devices and emerging distribution channels such as OTT, SVOD, and social media demand more flexible models to better engage an increasingly fragmented audience. As a result of these changes, cloud computing has become an integral part of managing and conducting everyday business.
Cloud-based technologies enable media companies to keep pace with the ever-evolving landscape by providing:
- Remote content storage in a connected environment
- Instant access to real-time information on acquisitions, sales, and availability details
- Substantial reduction in both capital expenditure and fixed costs
As M&E companies flock to cloud-based solutions to manage and store their digital content, they must be smart about their approach –– especially when it comes to selecting a third-party vendor. Vendors can easily claim that their “system” is secure and has passed various penetration tests. Unfortunately, that’s not enough. It’s about the organization’s care of that data, the husbandry of their clients’ data.
Secured Doesn’t Always Mean “Secure”
Utilizing a secured server such as Amazon Web Services doesn’t mean your data is automatically secured. In fact, there’s a huge distinction between the security of the cloud and the data you put into the cloud. This is what SOC 1 and SOC 2 govern: the processes of accessing client data through the software development life cycle. Vendors can take all necessary measures to secure their system or even place it on internal hosts; however, the casual handling of sensitive client data outside of the system itself obviates any security measures taken.
Here is a real world scenario:
A recognized vendor in the rights management arena uploaded confidential client information to the Amazon Simple Storage Service (Amazon S3), disabling standard security settings for easier access. As a result, confidential information from respected industry names such as EMI, Sony Pictures, Comcast, and NBCUniversal were left vulnerable. To make matters worse, an independent research firm was then able to uncover a trove of confidential information for one of the world’s largest toy manufacturers –– screenshots of royalty tracking, client financial information, an unencrypted spreadsheet of remote access logins for their server, and more than enough credentials for anyone to gain access to their system
7 questions to ask to ensure a potential vendor is SOC 1 and SOC 2 compliant:
- Do you encrypt data at rest?
- Do you encrypt data in transit?
- What's your backup policy?
- Do you leverage intrusion protection or intrusion detection systems (IPS/IDS)?
- What's your mean time to recovery?
- Do you leverage access logging?
- How often do you change your encryption keys?
Vet Before You Invest
When it comes to vetting the viability of vendors, due diligence is required. While negotiating a competitive price is important, it’s more beneficial to work with vendors who have the financial stability, expertise, and manpower to ensure that your data is in good hands.
Small companies may not have the resources for a SOC audit, which takes many months and significant investment to obtain. Not to mention, they may not have a full-time staff to actively manage the security environment or continuously deliver product improvements.
The fact of the matter is that disruptive technologies will continue to transform the industry. In order to protect intellectual property against piracy and hackers, we have to face the associated risks head on. And it all starts by ensuring that the data we store in the cloud is not only secured, but secure.