When it comes to security vulnerabilities and threats, you might not think about the media and entertainment industry in the same way you’d consider, say, financial services, healthcare and retail. Companies in these latter industries handle a lot of personally identifiable customer information or present potentially attractive financial targets for hackers.
From a consumer standpoint, although many people use the products and services media and entertainment companies provide, they would not necessarily be directly impacted by a major security breach.
Nevertheless, media and entertainment companies can be prime targets for attack themselves, and value-added resellers and managed services providers should keep these sectors in mind when evaluating prospective clients.
Consider the recent, widely publicized attack on Sony Pictures Entertainment (SPE). The company, in late November 2014, was hit with an attack that caused significant disruption to its operations, and called it a “brazen cyber attack.”
United States intelligence officials, after evaluating the techniques and technology used in the hack, alleged that the attack was sponsored by North Korea, which denied responsibility.
In mid-December, the company posted a message on its Web site for current and former employees and dependents, saying that after identifying the disruption, it took prompt action to contain the attack, engaged recognized security consultants and contacted law enforcement.
SPE says it learned early that month that the security of certain personally identifiable information about its current and former employees, and their dependents who participated in SPE health plans and other benefits, might have been compromised in the attack.
Among the information SPE said might have been obtained by unauthorized individuals are individuals’ names, addresses, social security numbers, driver’s license numbers, passport numbers, bank account information, credit card information for corporate travel and expenses, usernames and passwords, compensation and other employment-related information.
In addition, the company said, unauthorized individuals might have obtained Health Insurance Portability and Accountability Act (HIPAA) protected health information that employees submitted to SPE.
In other words, a whole bunch of data that people would not want falling into the wrong hands had potentially fallen into the wrong hands.
The company also began the process of notifying employees that it would be providing identity theft protection services to them and their dependents.
“SPE has continued to engage in an effort to reach out to potentially impacted individuals with notification about this situation, to offer identity protection services and to provide them with information about how to protect themselves from identity theft and other potential loss.”
Regardless of the source of the SPE hack, it shows that media and entertainment companies can be prime targets for attack, given their high level of visibility. Based on the publicity the hack caused, it shows that attacks on these types of companies can have a wide impact and garner lots of attention.
Sony is the most prominent, but by no means the only, well-known security attack victim in the industry. The New York Times reported in January 2013 that its internal network was attacked by Chinese hackers over a four month period. Around the same time, Dow Jones & Co., which publishes The Wall Street Journal, said the Journal's computer systems had been infiltrated by Chinese hackers. More recently, the Twitter account of the New York Post was hacked.
Media companies can be prime targets of “hacktivism,” where attackers break into systems or networks as part of an effort to promote a political agenda. This can apply to both traditional media organizations such as broadcast companies and publishers, as well as social media sites such as Twitter and Facebook.
In a report produced by consulting firm PwC, along with CIO and CSO magazines, entitled “The Global State of Information Security Survey 2015,” nearly one quarter of the media and entertainment companies surveyed (23%) said they had detected 50 or more security incidents in the past 12 months.
The study surveyed 9,700 business and technology executives worldwide from March to May 2014. The most commonly suspected sources of the incidents were former and current employees, followed by competitors and hackers.
The most common impact of the incidents cited by media and entertainment companies was the compromise of employee records, followed by theft of soft intellectual property, compromise of customer records, and compromise of personally identifiable information of customers or business partners.
A key question for companies in the industry is, do they have the technology in place to detect hacks, malware, advanced persistent threats and other security incidents quickly enough to prevent significant damage? And if not, why not?
Clearly the SPE hack has opened a lot of eyes to the possibility of such attacks, and this is where VARs and MSPs can step-in to help companies strengthen their security posture.