It’s no secret that cyberattacks have escalated in frequency and severity across a broad spectrum of industries. IBM’s much-referenced Cost of a Data Breach report for 2022 indicates that more than 80 percent of all companies will at some point suffer a data breach.
The average cost of a data breach for a U.S. company, according to that same report? $9.44 million.
And the media industry is no exception. First, there was the Sony Pictures hack in 2014. Then Netflix and HBO got hit in 2017. Cox Media Group, which works with major U.S. broadcasters such as NBC and CBS, and video game developer CD Projekt Red suffered ransomware attacks last year.
Any organization hosting prerelease and other valuable content is a potential target for data breaches, data exfiltration, ransomware, and other cyberattacks. And the cost to a production company’s reputation in the event of a breach can be devastating.
With that, here are some tips and film and TV production security guidelines to consider for your next production.
Table of Contents
- Physical Production Security
- Asset Management Production Security (Who Has Access to What and When)
- Virtual Data Production Security (File Transfer, Encryption, Cloud Storage, etc.)
- Security Considerations for Different Stages of Production (Pre, Principal, and Post)
- What to Do if Something Goes Wrong?
- How MASV Helps Secure Film Production
Physical Production Security
Film production security should include physical security elements common in other facilities housing valuable intellectual property (IP). These typically include a secure facility requiring key fobs or badges for access, CCTV cameras, and strict rules about bringing external hardware or mobile devices inside.
According to the CDSA, specific elements of physical production security include:
1. Secure perimeters
Your secure perimeter should have multiple layers of protection, including closed-circuit television (CCTV) cameras, automated access control and key fobs/badges, and well-defined visitor procedures.
Security guards may make sense depending on the level of risk, but they must meet security requirements for third parties. A perimeter intrusion detection system (PIDS) can detect perimeter breaches.
2. Well-defined roles and responsibilities
While all employees should understand security procedures relevant to their jobs through security awareness training, production facilities should appoint a trusted team with relevant skills and knowledge for overall content security.
Each department should also have one person responsible for security policy and procedures. Document their (and others’) roles and responsibilities.
3. Trust, but verify (your employees and contractors)
Run background checks on all employees and third-party contractors, including proof of identity, employment and personal references, and professional qualifications checks.
Third-party companies should provide contractual guarantees around their level of security training and policies. Be sure to highlight security requirements in employee and third-party contracts.
4. Secure internal areas
All internal zones with access to the production environment and IP storage must be further physically protected by monitoring and restricting access. All assets within the production office, such as scripts, drives, and camera cards, must be securely stored and ideally monitored via CCTV.
Keep detailed access logs around who accessed which media and when.
5. Secure devices
All personal and mobile devices (from mobile phones to laptops) must be protected with strong passwords and remote tracking software and locked in a vault, safe, or filing cabinet.
Asset Management Production Security (Who Has Access to What and When)
The Content Delivery & Security Association (CDSA) lists asset-related film and TV production security guidelines to build upon the above for film production security. These include:
1. Asset management systems
Production facilities must implement a transparent asset management process that includes an auditable content chain of custody, along with a register for documenting media creation/registration, location, movements, and destruction.
All content destruction and recycling of assets must be documented, including a certificate of destruction if done by a third party, and should follow National Institute of Standards and Technology (NIST) media sanitization standards (SP 800-88) best practices.
2. Non-disclosure agreements (NDAs)
All production staff and contractors should sign NDAs and additional agreements (if necessary) not to share internal and confidential information with others. NDAs should spell out the consequences for the unauthorized sharing of confidential information.
NDAs can be presented to potential staff and contractors during their background checks and can be incorporated directly into employment agreements.
3. Access to media
All access to safes, vaults, cabinets, and other storage areas containing sensitive information (including on-prem servers or cloud storage) or equipment must be limited to approved personnel only. Authorized personnel should have individual access codes.
Codes should be changed as people cycle through the project or organization.
4. Shipping media
Shipping media on a hard drive can be risky; content owners are advised to send large files using secure, cloud-based large file transfer solutions. But if media is physically shipped, store all dailies content on encrypted and password-protected drives within locked cases and tamper-resistant packaging.
Don’t list project information or titles on the label, and couriers must not be able to access the media.
Couriers should have appropriate insurance and well-defined and monitored pick-up and drop-off locations.
Virtual Data Production Security (File Transfer, Encryption, Cloud Storage, etc.)
While these physical security measures are vital, the reality of cloud-based media workflows means remote security is now just as important as the physical security of your facility.
But maintaining the same air-tightness achieved by secure facilities — especially when working with remote employees, partners, or clients spread all over the world and using various applications and Wi-Fi networks — can be difficult.
New approaches, many already in development before the film industry’s remote work revolution, are now required to secure production workflows.
MovieLabs, a not-for-profit founded by major studios such as Disney, Paramount, and Warner Bros., identified six overarching security principles for modern video production within its “2030 Vision” initiative, including the concept of security by design.
Concrete steps organizations can take to fulfill these and other security best practices include:
1. Secure remote endpoints and connection points
It’s important to lock down any remote access points to your system — even those you may not be aware of (yet). As film editor Jonny Elwyn says,
“There’s no point triple-locking all your doors if you leave the window open.”
This means ensuring the security of each partner or collaborator’s Wi-Fi network and using secure applications with encryption, such as Teradici’s PC over IP (PCoIP) technology for secure virtual desktops. Organizations can also use virtual private networks (VPNs) to establish a secure connection, although it’s worth noting that VPNs have several well-documented security flaws.
Securing your remote connections also means ensuring employees and collaborators are always sensitive to what they share on remote collaboration applications such as Slack or Google Meet.
Any files transferred using IP-based methods should use a secure file sharing solution.
Remote hardware, as well, must be secured — especially in the age of bring-your-own-device (BYOD) and the proliferation of personal devices used for remote work. You can mitigate this risk through security training and by ensuring your collaborators have up-to-date endpoint protection software, or by using secure virtual desktop infrastructure.
2. Implement a Zero Trust security framework
Zero trust security frameworks eschew traditional perimeter-based IT security models, which by default trust every user once they’ve made it inside the perimeter. Instead, a zero trust approach gives users access to only the resources, applications, or data they need – and nothing more.
That means that even if they penetrate a system’s first line of defence, attackers don’t have the freedom to roam around and are constantly challenged — even when inside your system — if they try to access additional resources.
Zero trust architectures typically include automated network monitoring for real-time security alerts. They also feature multi-factor authentication (MFA) and other identification and access management controls, such as device authentication and constant verification of all access subjects (whether it’s a person, device, or application).
3. Watermark, encrypt, and track your media
Visible and invisible watermarking of each piece of media isn’t a new security concept by any means, but it’s still valuable.
Watermarking or file fingerprinting can be invaluable if someone steals or leaks your media or you need to conduct a forensic analysis.
You should also track the movement of each piece of media through your and others’ systems through chain-of-custody software, which tracks the location of an item, every other location it has resided since creation/collection, and any changes made to it along the way.
Without a strong chain of custody, it’s much more difficult to figure out what happened should your assets be misplaced or accessed by unauthorized individuals.
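The chain-of-custody tracking described above, and the auditable asset register from the asset management section, can be sketched as a hash-chained log in which each entry commits to the one before it. This is an added example, not code from MASV or the CDSA; the field names, asset ID, people, locations and timestamps are assumptions made up for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def entry_digest(entry):
    """SHA-256 over every field except the entry's own hash, as canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(register, asset_id, action, location, actor, when, content=None):
    """Append a custody event that commits to the previous entry's hash."""
    entry = {
        "asset_id": asset_id, "action": action, "location": location,
        "actor": actor, "when": when,
        "content_sha256": hashlib.sha256(content).hexdigest() if content is not None else None,
        "prev_hash": register[-1]["entry_hash"] if register else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    register.append(entry)
    return entry

def verify_register(register):
    """Index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(register):
        if entry["prev_hash"] != prev or entry_digest(entry) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None

def custody_trail(register, asset_id):
    """Every place the asset has been since creation, in order."""
    return [(e["when"], e["action"], e["location"]) for e in register
            if e["asset_id"] == asset_id]

def content_changes(register, asset_id):
    """Timestamps where the recorded content hash differs from the last one seen."""
    last, changed = None, []
    for e in register:
        if e["asset_id"] == asset_id and e["content_sha256"] is not None:
            if last is not None and e["content_sha256"] != last:
                changed.append(e["when"])
            last = e["content_sha256"]
    return changed

# Constructed sample: asset ID, people, places and times are made up.
register = []
append_event(register, "A001", "created", "DIT cart", "dit-1", "2023-03-01T09:00Z", b"reel 1 raw")
append_event(register, "A001", "moved", "vault shelf 3", "dit-1", "2023-03-01T18:30Z", b"reel 1 raw")
append_event(register, "A001", "modified", "edit bay 2", "editor-4", "2023-03-02T10:15Z", b"reel 1 graded")
append_event(register, "A001", "destroyed", "vendor site", "vendor-9", "2023-06-01T12:00Z")
```

The chain only exposes edits if the latest `entry_hash` is also kept somewhere the register's writers cannot change; otherwise the whole log can be rewritten consistently.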
Finally, ensure you encrypt your media both in-flight and at-rest, preferably with strong encryption such as Advanced Encryption Standard (AES) 256 or Transport Layer Security (TLS).
4. Conduct regular, ongoing security awareness training
Every IT security expert will tell you that people are usually the weakest link in the IT security chain. Even though we all like to think we’re not, people are generally susceptible to social engineering-style attacks such as phishing, spear phishing, baiting, and scareware.
That’s why regular security awareness training to keep best practices in mind and educate users about emerging threats is a must for any organization. But it’s often not enough to have a one-hour session yearly, either. Try to choose a security awareness solution that includes regular training and testing for collaborators throughout the year.
5. Conduct regular, ongoing threat assessments
Threat assessments (TAs) are an age-old IT security practice that has never gone out of style. That’s because performing a TA helps identify gaps in your current security posture before bad actors do.
Running regular, ongoing TAs and vulnerability scans helps ensure your current measures are effective while helping you make more informed choices around security, expense, and performance.
Those in the media and entertainment space can get a third-party TA through the Motion Picture Association’s Trusted Partner Network (TPN) — as MASV did last year — which evaluates your system to ensure you’re up to date on cybersecurity best practices and requirements.
Security Considerations for Different Stages of Production (Pre, Principal, and Post)
Now that you have a better idea of the different forms of film production security, here’s a quick snapshot of how it applies to the various stages of production:
Pre-production
- Assess risks associated with shooting locations. For example, are you shooting in a large public space? Can bystanders record your production?
- Complete background checks on staff; source vendors with appropriate security measures in place and/or certifications.
- Use secure and encrypted cloud tools when sharing/reviewing assets (storyboards, previs footage, etc.)
- Manage permissions and tracking of frequently shared assets like scripts; embed watermarks to create a chain of custody.
Principal photography
- Hire security to direct the flow of traffic among people on-set; install CCTV and fobs to monitor activity.
- Define specific roles and responsibilities for everyone on staff; only provide access to key assets/locations to those who need it.
- Require everyone on-set to go through security training to reduce probability of risk.
- Implement a closed Wi-Fi network and create locked spaces for staff to secure their devices.
- Don’t leave production hardware unattended like on-site RAID storage, camera cards, DIT rigs, and playback monitors.
- If shipping media from site, make sure it’s with a reputable shipping company, purchase loss/damage insurance, and keep a detailed log of shipping information (bill of lading, drop-off location, delivery date, etc.)
- Use a secure, encrypted file transfer solution when sharing files (to post production teams, for review and approval, etc.).
- Use a file transfer solution capable of sending large files to avoid file splitting (reduce the number of files floating around).
Post-production
- Ensure everyone on staff has gone through security training.
- Keep a record of the number of people on staff and their devices; designate a specific room/device for use on a specific project (e.g. a single room for color grading, with limited access to room).
- Secure access to post production facility and key areas (e.g. server room, etc.).
- If employees are remote, take account of their physical security situation (how many people share their space, are devices password-protected, etc.).
- Establish rules of what can and cannot be discussed over virtual meetings.
- Limit the use of remote software like a VPN or virtual desktops.
- Source cloud tools with security certifications like ISO 27001. Seek out tools with niche industry accreditations like the Trusted Partner Network assessment for media and entertainment.
- Use a secure file transfer solution — encryption in-flight and at-rest — when sharing files.
- Use a file transfer solution that has security controls like user permissions, file download limits, and file expiry dates.
- Use a file transfer solution capable of sending large files to avoid file splitting (reduce the number of files floating around).
- If shipping media, make sure it’s with a reputable company, purchase insurance, and keep a detailed log of shipping information (bill of lading, drop-off location, delivery date, etc.).
What to Do if Something Goes Wrong?
Even organizations that take every security precaution possible must acknowledge that the unthinkable – a data breach – is just one mistake away. Organizations must have security breach plans in place to limit the damage of any disruptions, including the following:
- Incident reviews: Review all incidents to identify potential perimeter or procedural weaknesses and update security measures and training based on what happened. Scrutinize the specifics of the breach (including the Five Ws) to determine what must be corrected.
- Log reviews: Regular reviews of access logs around restricted areas or storage can help identify abnormal behavior when it occurs. Log reviews are a must in case of a breach, but regular and ongoing reviews can also reduce damages by catching incidents sooner.
- Anonymous reporting: Staff and contractors should have access to a vehicle (phone number, email, etc.) for anonymously reporting potential security breaches.
- Incident response: Follow a well-choreographed procedure if assets are compromised, including alerting the appropriate stakeholders and law enforcement (if necessary).
- Insurance: Hope for the best and plan for the worst, as the saying goes. Get a good production insurance policy (which you may need anyway to even get contracts with some studios) just in case.
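A regular log review of the kind described in the list above can be partly automated. The following is an added example, not part of the original article or any vendor's tooling: the log format, area names, user names, approved lists, working hours and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not from any specific access-control product).
LINE = re.compile(r"(?P<ts>\S+) area=(?P<area>\S+) user=(?P<user>\S+) "
                  r"result=(?P<result>granted|denied)")
APPROVED = {"vault": {"dit-1", "post-sup"}, "server-room": {"it-admin"}}  # constructed
WORK_HOURS = range(7, 20)  # 07:00-19:59, an assumed site policy
DENIED_LIMIT, DENIED_WINDOW = 3, timedelta(minutes=10)

def review(lines):
    """Return (timestamp, user, area, reason) findings for abnormal access events."""
    findings, denied = [], defaultdict(list)
    for raw in lines:
        m = LINE.fullmatch(raw.strip())
        if not m:
            # A line that does not parse is itself worth a reviewer's attention.
            findings.append((None, None, None, "unparseable line: " + raw.strip()))
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, area, granted = m["user"], m["area"], m["result"] == "granted"
        if granted and user not in APPROVED.get(area, set()):
            findings.append((ts, user, area, "granted to unapproved user"))
        if granted and ts.hour not in WORK_HOURS:
            findings.append((ts, user, area, "access outside working hours"))
        if not granted:
            # Keep only denials inside the sliding window, then add this one.
            recent = [t for t in denied[(user, area)] if ts - t <= DENIED_WINDOW] + [ts]
            denied[(user, area)] = recent
            if len(recent) == DENIED_LIMIT:
                findings.append((ts, user, area, "repeated denied attempts"))
    return findings

# Constructed sample log lines, in chronological order.
SAMPLE = """\
2023-03-04T02:13:00 area=vault user=post-sup result=granted
2023-03-04T09:05:00 area=vault user=dit-1 result=granted
2023-03-04T11:00:00 area=server-room user=editor-4 result=denied
2023-03-04T11:02:00 area=server-room user=editor-4 result=denied
2023-03-04T11:03:30 area=server-room user=editor-4 result=denied
2023-03-04T14:20:00 area=vault user=editor-4 result=granted
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A granted entry for a user who is not on the approved list usually means the access-control system and the approved-personnel list have drifted apart, which is why it is reported separately from denied attempts.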
How MASV Helps Secure Film Production (The File Transfer Part, Anyway)
While MASV can’t secure your entire production workflow, it’s an absolute star at keeping your file transfers locked up tight.
That’s because MASV is an ISO 27001-certified, TPN-verified enterprise-grade large file transfer service built for post-production and other video professionals.
MASV’s extensive cybersecurity posture includes:
- In-flight and at-rest encryption of all media through TLS 1.2 and AES-256.
- Automatic malware and virus scanning of every media upload.
- Password protection on uploads and downloads.
- Team alerts whenever an internal admin attempts to log into the MASV system. All log-in attempts require MFA, crypto keys, or token-based authentication.
- Regular, ongoing vulnerability scanning and threat assessments.
- Precise file delivery tracking for chain-of-custody requirements.
- Strict access controls like set download limits and file expiry dates.
Because MASV is based on the AWS cloud platform, it also piggybacks on AWS’s cloud-based and on-premises security protocols.
Ready to get started? Sign up today and transfer using MASV. We’ll throw in 20GBs for free to get you up and running.