Cyber-security: it’s all about the people

Steve Sharman, director, Hackthorn Innovation, looks at what media organisations need to do to protect themselves against cyber-security threats.

Cyber-security is the hot topic on everyone’s minds right now – hardly surprising, given the recent high-profile hacks targeted against Sony Pictures and others – not to mention the persistent stories about government actors trying to adversely affect the outcomes of elections and referenda. In the wonderful broadcast industry of ours, we are naturally dealing with some highly sought after content on a daily basis and the risk factor suddenly gets much higher. So, what does it actually take to make sure you are secure? This was one of the topics at the recent Workflow Innovation Group (WIG) event in Cardiff and the discussions were pretty enlightening.

Technology – It’s a Team Effort

Technology will always play a key part here and there are loads of solutions all claiming to make your content more secure than in the proverbial Fort Knox. However, one thing that seemed to resonate from the discussions was that no one solution fits the bill all by itself. Yes, getting a secure solution for encryption in place is extremely important and that will mean important protection for your archive. However, you still need to put the right technology in place for when that content is travelling to or from your storage, especially if that “to or from” is outside the organisation.

Watermarking plays a big part here. If you are sending files to people outside of the organisation, watermarking on an individual basis means that at least if there is a leak, you know exactly where it came from.

Within your facility, physically controlling the external IP addresses allowed to connect to the firewall is an obvious way to reduce potential attacks. Having a second firewall in place (ideally a different make and model!) also makes a lot of sense, further protecting the “front door” of the organisation, and obscuring the details of internal networks and software that could be useful to an attacker.

Once behind the firewalls, a lot of the broadcasters present at the WIG event use closed (non-corporate connected) networks with workstations requiring individual user logins and using physically disabled USB ports. Considering what physical measures should be put into place to protect sensitive areas such as editing suites is of equal importance. Is there a window? If there is, can someone look in and see something not yet in the public domain? Does the door remain locked when staff are working within? The security consequences of it not being locked are of course pretty obvious, but especially in the current climate, there are health and safety and employee safeguarding issues that also need to be taken into account. As always, nothing is as simple as it seems!

Another major technology that looks set to make workflows more secure is encryption at rest. Of course, keeping content encrypted at every stage whilst making it simple and efficient to access and review, is pretty challenging, especially when operating at scale. At the event, we discussed new technology that keeps that content encrypted whilst making it possible for current applications to access it in its encrypted state – that could be a game changer.

However, whilst all of these technologies and tools are innovative and obviously make a big impact on keeping content secure, broadcasters need all of this, and more, to ensure the best security possible and minimise the risk of attack. As a media company you have to block every attack successfully – the cracker community only needs to be successful once.

Ultimately, it’s about the People

Whilst that is all true, it is also true that you can have all the technology in the world, but if you don’t have an appropriate organisational culture, with the right people with the correct training, all of that falls apart. Literally every discussion in the room came back to people and trust. Partly, that is about instilling the right company culture where people can, for example, recognise potential phishing emails and know to question and report, rather than clicking the link. It is also about ensuring people know the consequences for the company and their own careers should they decide to take that un-released episode of Game of Thrones home and watch it a couple of days early with their mates. The broadcasters in the room were pretty unified in their view that common sense and loyalty were both important attributes of the people in their teams.

At the same time, of course, there should only be a limited number of people who have access to the really sensitive and high-profile content; in this case, personal attitude, maturity of approach and company procedures all need to be appropriate for the situation.

Are you feeling secure?

The overriding themes that came out from the WIG event and discussions with broadcasters present were that being secure is not about just one thing. It is about technology, applied properly at every stage of workflows, and it is about people, and it is about having the right processes in place. Without all of those things being in place in a co-ordinated way, there will always be weak links open to exploitation. At the same time, even with all those in place, there is no room for complacency – you should continually be testing your business and looking for your own weaknesses.

 
