Media & Entertainment Security Summit highlights need for investment in cyber strategies

Few companies are doing enough to protect themselves from piracy. That was the standout theme of Broadcast TECH’s Media & Entertainment Security Summit, held at the Dolby Screening Rooms on 30 October.

The threat to the industry from hackers was laid bare at the summit, with speakers citing a raft of high-profile and damaging attacks on the media, including: the 2014 Sony email hack, when confidential data from the studio was released; last year’s theft and leak of season five of Netflix’s Orange Is The New Black; and the powerful cyber attack that took French TV network TV5Monde off air in 2015.

Nick Matthew, head of operations at IP protection body Fact, said: “If the US elections are getting fixed, which we’re led to believe they might be, why can’t the same problem happen to any company or individual? The truth is it can.”

“Piracy has changed now. It is much more commerical, to the extent that it is an existential threat to the pay-TV ecosystem”
Simon Hanna, Friend MTS

Matthew said only 33% of UK businesses have a formal cybersecurity policy – despite 46% of all businesses having identified at least one breach or attack in the past year. The media industry is, he added, a big target because content is so valuable.

Advances in digital technology have made it much easier for pirates to steal content, make it available to users and, crucially, to monetise it, said Simon Hanna, director of partnerships at video content protection provider Friend MTS.

“Piracy has changed. It is much more commercial, to the extent that it is an existential threat to the pay-TV ecosystem.”


Nick Matthew

Liberty Global head of content protection Rob Pinniger said fighting piracy is an ongoing process, and the company is continually reviewing its security arrangements.

“It’s always an arms race between us and the bad actors, and unfortunately it is normally us who are one step behind because we are constrained to act within the law.

Currently, one of the biggest areas of concern is around live event streaming. “We have all been guilty for focusing on movies,” said Hanna. “But what is really moving the needle is pirating live sport. It is a massive problem.”

Hanna estimated there are up to 5,000 illegal commercial streaming services offering live sport, predominantly football, meaning that “millions of people” are viewing illegally.

It is also happening on a more domestic scale, with “hundreds of thousands of people” using their phones to live stream pay-TV sports events on social media sites.

“Every part of the production cycle has to be bulletproof. It only takes an attacker one opportunity to find a vulnerability and exploit it”
Richard Hamson, Akamai

The media and entertainment industry is particularly open to piracy because there are so many vulnerabilities through the production cycle, according to Akamai senior director Richard Hamson.

He noted how content can be stolen from head offices, third-party companies, contractors, vans, internal networks and during distribution.

“Every single one of those has to be bulletproof – 24 hours a day, seven days a week. It only takes an attacker one opportunity to find a vulnerability and exploit it.”

The threats come from both outside and inside companies. Sohonet chief technology officer Ben Roeder cited Verizon’s Data Breach Investigations Report, which found that 75% of threats are external and 25% are internal.

As part of its monitoring of piracy, Hanna reported that Friend MTS will frequently find illegal football streams being pirated by company workers.

“When the programme goes to the ad break, we’ll see two guys sitting in a studio truck having a cup of coffee… The problem in this case is not a systems or technology issue, it is humans. You can’t be in a place where you place too much trust in individuals.”


Speakers stressed that companies need to invest more in security – but many admitted that this can be difficult to do when so many firms are focused on keeping costs low.

To win investment, Liberty Global’s Pinniger said: “You need to start practising your financial presentations to the board. The question you will invariably face is, ‘If I give you this money, what will be my ROI?’ You have to try to flip the conversation around and say, ‘If you give me a couple of million pounds, I am not going to deliver 200,000 new customers, but I might stop 200,000 leaving – and there is a value associated to that.’”

Once backing is secured, companies must put in place a rigorous plan to prevent attacks. “Choose someone to be responsible, have a plan, implement the plan, and continue to get better,” said Roeder.


Rob Pinniger

Fact’s Matthew listed five ways for businesses to stay cyber secure: never open attachments in emails from strangers; make passwords unpredictable and change them regularly; make sure software is up to date on every device; use security software; and for data security, use encryption at rest where possible. Facility bosses also spelled out their own security strategies.

Clear Cut Pictures chief technology officer Jess Nottage and Zoo Digital director of business development Julian Day said their facilities both operate on the principle of ‘least privilege’ – only allowing users to use software for specific jobs and minimising access to content.

Post house Envy has introduced badges and ID cards to help protect security at its premises, according to head of operations Jai Cave. He said this can be difficult to implement in companies that want to appear creative, but is a necessary measure.

“For a facility, the biggest challenges are around people. We rent out 150 rooms to clients. We know who the clients are, but they hire editors and post producers for their suites… so how do receptionists know that anyone walking past them is actually supposed to be there?”

Tech Fest logo 2018

Education is key too – both for staff and clients. Cave said that security is an issue that it is on the agenda with clients from preproduction meetings onwards. “Five years ago, we would probably never have discussed it. Now it comes up from our side and the client side.”

Internally, education is vital, said Nottage. “In the post community, there is a misconception that you won’t be hacked if you are making a programme about puppies. But once they are in, they can hold you to ransom for other high-profile content [in the facility].”

Pinewood Group director of creative services technology Darren Woolfson gave an example of an effective anti-piracy campaign run by the studio.

It will regularly send spoof emails to staff or leave USB sticks around the facility – and then monitor if staff members click on links within them. If they do, the staff have to go on a security training programme.

The first time Pinewood ran the campaign, 89% of its workforce clicked on the link. Now, virtually no one is caught out, said Woolfson.

“It’s thrown up a slightly different problem though. When we ask staff to fill out questionnaires and enter their details, our IT department is inundated with replies saying, ‘You’ve sent out another of your spoof emails – and I won’t be caught out this time.’”