The adage “content is king” holds particularly true for the entertainment industry. Millions of people across the globe pursue film, video streaming and musical content, making these digital assets incredibly valuable — and this immense value has not gone unnoticed by cybercriminals. A stark example of the industry’s vulnerability emerged as early as 2017 when a hacker group successfully exfiltrated files containing the first ten episodes of a highly anticipated Netflix show and demanded a ransom, threatening to release the material on the internet if their demands weren’t met. This is just one of numerous examples that demonstrate how a single cybersecurity breach can lead to a TV series, movie or game leak resulting in steep losses.
This article identifies the weak spots that allow malicious actors to conduct successful attacks on entertainment organizations, offers recommendations for remediating them to improve cyber resilience, and advises organizations from other industries on the security lessons they can learn from media entities.
Less Regulation, More Vulnerabilities
Cybercriminals are attracted to valuable data they can leverage for financial gain. While sectors such as healthcare and finance are frequently targeted due to their sensitive data, these organizations are highly regulated. Strict compliance regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) force them to implement strong security controls or face severe penalties.
In contrast, the lack of regulation in the entertainment industry means that cybersecurity is often viewed as a cost center and therefore protection measures may be weaker or missing altogether. Yet the data can still be quite valuable, as the examples above demonstrate. This combination of valuable data and comparatively poor security posture makes the entertainment sector an attractive target for cybercriminals.
Game of Third Parties
Another significant factor contributing to the entertainment industry’s vulnerability to cyberattacks is the massive scale and complexity of its operations. In particular, entertainment organizations are often dependent on vast supply chains involving third-party production companies, personnel agencies, public relations firms and more. Such an interconnected ecosystem expands an organization’s attack surface — meaning that entertainment organizations are susceptible not only to their own vulnerabilities but also to those of their partners and suppliers. A security breach in any part of this expansive network can potentially compromise the entire system.
In addition, conducting consistent and effective user cybersecurity education across such a scattered environment is nearly impossible. Lack of proper training combined with insufficient access controls for third-party accounts can lead to an accidental leak, as happened in 2020 with HBO. An episode from the popular “Game of Thrones” show was mistakenly published online by a European division of HBO several days before the scheduled air date. While HBO was able to remove the leaked content, many fans had already seen and shared the episode.
The Need to Classify Data
While entertainment may be perceived as more glamorous than other industries, it shares a common thread with other industries commonly targeted by attackers: vast amounts of sensitive data. This includes personal information on a wide spectrum of individuals, from A-list celebrities to interns, as well as millions of subscribers to streaming services and fan clubs.
The first step in enhancing cybersecurity and cyber resilience is to classify and tag data. By categorizing information based on its sensitivity and importance, organizations can prioritize their security efforts and allocate resources more effectively. This process enables the implementation of appropriate access controls to ensure that sensitive data is accessible only to authorized personnel.
Labeling data manually, however, is highly prone to human error and not scalable for the vast volumes of data kept by entities in the entertainment industry. To ensure consistent, accurate and timely labeling, organizations need automated data discovery and classification.
Access Control Strategies
Every digital organization today needs an identity access management strategy. This strategy should center on enforcing the least privilege principle to ensure that each user can access only the resources essential for their job functions. The process begins with a thorough audit to identify and classify existing data. A data access governance (DAG) initiative then ensures the protection of sensitive information by controlling and monitoring access. A data loss prevention (DLP) system should also be put in place to ensure that personally identifiable information (PII) is not shared outside of the corporate network.
One of the most significant challenges is managing and monitoring privileged accounts with elevated permissions. To address this, many organizations are implementing a modern privileged access management (PAM) system that provides just-in-time, just-enough access for privileged tasks. The temporary accounts are automatically removed upon task completion, significantly reducing the risk window associated with powerful credentials.
Other Organizations Can Relate
While most organizations may not bask in Hollywood’s glamour, their IT and security teams face the same fundamental challenge: securing and protecting valuable data. Whether one walks the red carpet or works behind a desk, the need for cybersecurity awareness is universal, so organizations across all sectors must prioritize educating their users and stakeholders about this critical endeavor. Similarly, data classification, DAG, DLP and PAM can help any organization improve its security posture and thereby avoid costly financial losses and lasting reputation damage, just as these core best practices help entities in the entertainment industry. After all, there are some things that you don’t want to draw attention to yourself for.
About the Author
Craig Riddell is an award-winning information security leader specializing in identity and access management. In his role as Field CISO, North America at Netwrix, he leverages his broad expertise in modernizing identity solutions, including experience with privileged access management, zero standing privilege and the Zero Trust security model. Prior to joining Netwrix, Craig held leadership roles at HP and Trend Micro. He holds both CISSP and Certified Ethical Hacker certifications. Craig can be reached online at LinkedIn and at www.netwrix.com.
