“The Ticketfly cyberattack is one of the first major security incidents to occur in the post-GDPR world. While the company hasn’t confirmed a breach of customer data has occurred, at face value the hacker’s claim — that he/she managed to access their database via an unpatched vulnerability or misconfiguration — is well within the realm of possibility.” — Sanjay Beri, Founder and CEO of cloud app analytics and policy firm Netskope.
Concert and sporting-event ticketing website Ticketfly was the victim of a recent cyberattack that we now know took the site offline for about a week and exposed the data of approximately 27 million accounts. Eventbrite, the San Francisco-based company that owns Ticketfly, indicated that the names, phone numbers, addresses and email addresses associated with the accounts were accessed in the hack, while financial information like credit and debit card numbers was fortunately not exposed. However, this massive security breach is a harsh reminder of the major vulnerabilities that exist in the Media & Entertainment (M&E) industry.
In what ways are Media & Entertainment companies most vulnerable?
As I discussed in an article last year, M&E companies are particularly susceptible to cybersecurity threats, largely because so many people are involved in content, movie and video productions. The core team is typically augmented by a plethora of experts, from those who generate special effects to the music score writers and many others, leading to a string of potential security holes through which hackers can gain access to data.
As the industry becomes increasingly reliant on digital technologies to deliver products, the massive quantity of data collected, including consumer information, production and post-production data as well as details about relationships between the company and its creative developers and distribution teams, is irresistible to hackers.
Furthermore, content is often the most valuable asset for M&E companies, and the theft of intellectual property can cause extraordinary losses. As the industry strives to adopt the multi-service and multi-protocol delivery of personalized content over IP to consumer-owned devices, M&E companies must remember that while a targeted, data-driven approach provides wonderfully personalized products and business opportunities, it also increases security risks exponentially, unless proper security measures are in place.
Unfortunately, attacks on the Media & Entertainment industry are continuing to rise, and the number of incidents more than doubled over the last few years. From the infamous 2014 cyberattack on Sony Pictures Entertainment to the recent Ticketfly incident and many others in between, the M&E industry must be vigilant and highly organized in its approach to cybersecurity.
Building a reliable strategy with a holistic approach to cyber security
While it’s extremely challenging to combat hackers, hiring experts to design and maintain all systems is an excellent way to reduce security vulnerabilities. M&E companies can only stay on top of the growing cyber threats by employing a holistic approach and building a consistent cyber security strategy within the organization, capable of monitoring and mitigating issues quickly and comprehensively.
And yet, the latest AT&T report, Mind the Gap: Cybersecurity’s Big Disconnect, suggests that many “companies’ cybersecurity strategies could be raising — rather than lowering — cyber risk”. The report identifies major areas of concern that include overreliance on insurance rather than investing in prevention, overconfidence in internal capabilities, and a gap in cybersecurity awareness and training.
To innovate without increasing risks, M&E companies should do their due diligence and build a multi-layered cyber security strategy:
- Ensure regular security assessments and vulnerability mitigation of all critical and sensitive systems, including by third-party experts;
- Integrate cloud-enabled identity and access management to protect networks and data;
- Employ penetration testing throughout the development lifecycle;
- For mobile solutions, implement strong server-side authentication components, transport layer encryption, and automated session management;
- Utilize advanced authentication technologies;
- Invest in extensive employee training to recognize phishing emails and other malicious tools.
And last but not least: collaborate, inside and outside of your organization. Technology alone is not enough, and contrary to popular opinion, cyber security is not just an IT issue. All M&E stakeholders, vendors and solution providers have a responsibility to battle cyber threats and to make that effort an integral part of larger risk management and digital strategies.
Or else we’re bound to see this message yet again:
«Your Security Down Im Not Sorry»