Raising the security bar around ‘content’

Rapid digitization, increased connectivity, new content delivery platforms and the consumption of on-demand video content have unlocked exponential value in the media and entertainment (M&E) industry. However, the industry has also become vulnerable to various risks, including digital fraud, cyber breaches, phishing, spoofing, information leaks (including unreleased media content and original programming), data privacy, illegal streaming, piracy and IP infringement.

Cases of data leaks have raised questions on the current level of security and even inadequacy of frameworks in place to protect sensitive and proprietary information. If such information is stolen or exposed, it can have catastrophic implications beyond just financial losses.

This information includes exclusive or original content, personally identifiable information of customers, customer banking or credit card data, legal documents or contract terms, pending patents, research data, expansion plans, financial reports, and employee data and compensation details.

The threat is coming

With original and creative content turning out to be a core differentiator, the protection of digital assets in the M&E industry today is more crucial than ever before. Data security and data protection have emerged as a priority, amplified by a regulatory push to enhance privacy and fight data theft and piracy. A rise in subscription-based models has led to many M&E companies storing the personal information (including banking details) of customers. In such scenarios, companies would be bound by data privacy laws such as the General Data Protection Regulation (GDPR).

The M&E industry needs to take note of risks stemming from both internal and external sources. Insider threats have been on the rise with employees sharing information willingly (or sometimes unsuspectingly) over public platforms or with competitors. Employees also tend to share passwords or lose devices with company information, which can also lead to data theft.

Companies are becoming increasingly interconnected and there is rapid exchange of information, which makes many employees privy to confidential and proprietary matters. The M&E industry also sees content pass through multiple third parties — producers, distributors and marketing, advertising, or digital agencies — for higher penetration across geographies and maximum returns. Chinks in this chain can also potentially lead to misuse or loss of information. While most regions have banned peer-to-peer sharing websites, many mobile app stores still have ways to access pirated content.

Risk “Morghulis”? 

Valyrian phrases aside, the reality is that risks related to information leaks, cyber and digital frauds cannot “die.” However, the M&E industry can move toward instituting an integrated risk management framework and safeguarding digital assets. A robust risk management program can be a kill switch, instrumental in chalking out a structured plan of action, educating all stakeholders and mitigating risks.

The robust risk management program may encapsulate: 

-Educating employees on the need to protect confidential and proprietary information, avoid sharing of passwords and know the consequences of breach of confidentiality through regular training and awareness campaigns

-Instituting periodic monitoring of the network, computers and laptops to track any unusual changes to the existing information systems or detect suspicious behavior. This may be particularly important for employees holding decision-making or high-risk positions and those having access to confidential documents or materials

-Patching systems with updated software to plug any gaps that could be exploited

-Using computer forensics (for instance, in case of an employee transfer or exit) to uncover any cases of file tampering and trace if any files were accessed, deleted or modified, or if any cleaning tools were used to wipe out data. The streaming and uploading of data should be according to pre-defined norms. Passwords and software need to be updated on a timely basis.

-Conducting regular trainings to cover new and technical developments in the system

-Adhering to regulatory norms (under GDPR and similar laws) to minimize any non-compliance

-Setting up internal control frameworks to help identify any fraud at an early stage

-Using a virtual private network (VPN) to encrypt web browsing and other online activities

-Conducting due diligence on third-party vendors regularly, not just during onboarding, to deter third-party risks

Gearing up for a show-stopping and compliant future 

According to a joint report by EY and FICCI in 2018, the Indian M&E industry reached Rs1.67 trillion in 2018, a growth of approx. 13.4% over 2017. With its current trajectory, it is expected to cross Rs2.35 trillion by 2021, at a CAGR of 12%. With the industry thriving and scaling up significantly, the risks can also magnify. Content consumption will continue to soar but so will cyber and digital threats. Therefore, it is prudent to find the right balance between creativity and compliance. Internal checks and controls, employee awareness, technology upgrades and due diligence can become strong deterrents against internal and external threats.

The above article is co-authored with Arpinder Singh, Emerging Markets Leader, Forensic & Integrity Services.

It first appeared in The Economic Times – Brand Equity and can be accessed here: https://bit.ly/2E8dDIw