Security Expert Offers 5 Tips to Prevent a Studio Hack
Adam K. Levin, founder of IDT911, shares his strategy for avoiding Sony's fate
A version of this story first appeared in the Dec. 12 issue of The Hollywood Reporter magazine.
On the off chance you just returned from a shoot on a deserted island, Sony Pictures got hacked. As I write this, the company is using Gmail to conduct business. This was no little-h hack. This was an “All your base are belong to us,” big-H hack, a system-wide, full-spectrum, scorched-earth takeover. And for studio executives, it would be wise to consider it a final warning.
The people behind the attack call themselves Guardians of Peace, but it really doesn’t matter who did it. What matters is this: They did it. And they were not merely sending a message; they were delivering a bigger bomb than even the likes of Ed Wood could dream up. The morass was the message, and Sony now finds itself deep in it. For all those on the not-Sony side of things enjoying a moment of schadenfreude, you might want to check yourself. The real takeaway here is simple: Without a serious rewrite of the way folks at the studios think about privacy and data security, the attack on Sony will mark the prequel in a series of attacks that will make the Star Wars franchise seem like a short story by F. Scott Fitzgerald.
Depending on which report you want to believe, the Guardians of Peace got logins and passwords. Other sources reported that the theft included personally identifying information of specific talent, details on specific deals — even to-the-penny payouts. Still other reports say the inboxes of every employee were grabbed. News over the weekend included the possibility that PDFs of passports belonging to Angelina Jolie and Cameron Diaz came from the same hack, as well as DVD-quality files of new and unreleased movies that were leaked online. Among those loosed into the world were Brad Pitt’s Fury and still-unreleased selections including Still Alice, Annie and Mr. Turner.
The Sony hack was neither containable nor finite. The information leaked could have repercussions that go way beyond the revenue lost on movie sales. Imagine if you’re an agent negotiating the next big A-Lister contract. Now you can say, “We saw everything that so-and-so got. The whole world did. We want double.”
The origin of the Sony hack has been a topic of much speculation, especially on Reddit. While those occupying the spectrum of knowing and not-knowing argue about that — no doubt the odds are rising at Ladbrokes that North Korea was retaliating for The Interview, which features an assassination plot against Kim Jong Un — there is a simple fact that needs to be addressed: There will be many more attacks.
Here are five non-negotiables for entertainment companies in the age of the super hack:
1. STAFF UP
Having a chief technology officer is not enough. You must have a chief information-security officer who can implement and oversee the efficacy of security programs like threat monitoring and insider threat detection. An IT department does not play the same role. You need an information-security department as well.
Install and continually update the most sophisticated security software available and continuously monitor for vulnerabilities and weaknesses in software, hardware and network configurations.
No matter how well you think your organization is protected, arrange for regular external security assessments performed by a trusted security firm.
Insist upon seeing regular reports on your company’s security metrics. Make sure all executive leadership knows about it, and that the information is communicated to the board, because their necks are on the line too.
Continually train all employees on security and privacy issues. Since people are often the weakest link when it comes to security, have a zero-tolerance policy.
The attack on Sony was not a “Have your people talk to my people” bump in the road. It is a Paul Revere moment for entertainment companies. From the boardroom to the mailroom, it’s time for hands-on data security policies and practices. The way you protect your assets — both data and product — has to be sewn into the fabric of your corporate culture. There’s no other option available. It’s either do or … Good Night, and Good Luck.
Adam K. Levin is an expert in security and privacy and the founder of IDT911.