Why the HBO breach was no surprise to a Forrester analyst

When word got out early this week about the theft of 1.5 TB of data and Game of Thrones episodes at HBO, Forrester Research security analyst Chase Cunningham wasn’t surprised.

That’s because a few weeks earlier he was in Los Angeles speaking at a private meeting of entertainment industry executives on security, and he found them clueless about what was going on in their own companies.

Not that they didn’t realize security was an issue, he said in an interview this week, but they were vague about who is responsible for cyber security in their firms: The replies were along the lines of “Dave is the IT guy and he also does security,” or “the network guys.” In other words, no organization present had a CSO or full-time cyber security staff tasked with overseeing the tools IT had purchased to protect precious digital assets.

Coming some three years after the huge Sony breach, one might have expected Hollywood execs in particular would be more actively involved in cyber security. But Cunningham admitted he wasn’t surprised or disappointed.

After any breach corporate people always think “Oh, that’s tough for that guy, I’m glad it wasn’t me,” he said, “even though they are in the exact same boat. Folks aren’t real about it and they don’t really look at [a breach] and say ‘Oh, we have a problem collectively.’”

To show how easily a determined foe can breach a company, Cunningham and his team offered a free penetration test to a volunteer firm at the meeting. Admittedly this firm had weak protection – all staff had admin privileges, and any staff could plug any device into the network.

So after about four hours of a brute-force attack, one server and four wireless printers had been hacked, which gave access to the network. Eventually they got admin privileges for every box to get by the endpoint security.

In a blog, Cunningham called it “a higher level script kiddie attack at best.”

He says what any organization with a high amount of digital intellectual property should be doing for protection – in addition to ensuring someone is fully responsible for cyber security – includes network segmentation to control access and limit collaboration to small pools, strict access control to documents including multi-factor authentication, and data encryption even if it degrades performance. And, Cunningham adds, if the CIO is going to outsource security it should go to a firm that has expertise and does it 24/7.

There are a number of enterprise file synchronization and sharing solutions for collaboration, but Cunningham is leery about cloud-based providers. Unless the solution is controlled by IT or is a cloud solution with a focus on protecting data “you’re sitting with your fingers crossed.”

One provider that claims many customers in the entertainment sector is BlackBerry with its Workspaces solution. Formerly WatchDox, it was bought by the Canadian company in 2015. In a recent blog the company said “Hollywood widely uses BlackBerry Workspaces to encrypt and protect screenplays (to prevent plot leaks and spoilers) and other intellectual property,” citing a 2015 New York Times article that said demand for WatchDox had surged from Hollywood studios that year. However, in an interview Thursday the company couldn’t say how many customers it has there now.

BlackBerry CSO Alex Manea said Workspaces is a centralized web portal (either on premise or in the cloud) allowing administrators to set up folders to hold and manage files. Access control is usually done through the enterprise authentication process. Administrators can control who can read/write to a file. Files can also be encrypted and watermarked for protection and tracking.

But even Manea acknowledged a tough security-oriented file sharing solution isn’t the silver bullet for companies where collaboration – in any sector – is vital. “When it comes to security you’ve got to take a holistic approach. Where we see a lot of customers struggling is they end up deploying a lot of different point solutions … and they have a lot of trouble integrating them.”

Cunningham makes the same point. “I always try and push strategy over technology because you can always beat technology. But if you have a really strong strategy you’re adaptive and innovative and you can make things better. And the simplest strategy that anybody can undertake to be better defended is to figure out where the data is and then protect it above all. Because in Hollywood 100 per cent of their intellectual property is the movies and scripts. That data is their golden goose. And for everyone I talked to that said ‘We’ve got this thing doing that, and this thing’” for security. But no one at the meeting he attended could say where their company’s vital data is stored.

His message: Every organization’s first job is to protect vital data, then assemble other needed solutions.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
