When you’re in the business of entertaining or informing the public, controlling information is key. Everything you do is scrutinized, and there are always people who are keen to hear the latest gossip, or get a behind the scenes glimpse of what you’re working on. Yet outside of journalism, media companies rarely invest in Data Loss Prevention (DLP) solutions to protect themselves from unintentional leaks and disclosures. Here’s how to use DLP security to protect your organization.
What is Data Loss Prevention?
Data loss prevention is a set of rules to prevent users in your organization from leaking valuable or sensitive information, and the tools used to enforce those rules. DLP solutions scan email and messaging apps, productivity software, or other applications to detect user actions that might breach your enterprise data security policies.
For example, a television studio might create rules restricting who workers can send files to, or scan emails for specific words or phrases relating to an upcoming show or its stars, in order to prevent anyone from leaking IP. If the DLP filter detected a potential breach of a rule, it would take one or more actions to prevent it, such as warning the user, alerting a supervisor, or removing the attachment.
Why Media Needs DLP Solutions
Media companies have a range of security and compliance requirements that warrant DLP. Like other industries, they’re legally required to protect Personally Identifiable Information, such as employee account numbers, social security numbers, and medical records. Additionally, contracts may have non-disclosure agreements or other aspects that should be protected by DLP solutions.
Many media companies also have compelling, industry-specific data loss protection use cases due to intricate, carefully controlled release schedules that are crucial to successful marketing and ROI. If information is leaked on a project still in development, it can jeopardize that release schedule, and take attention away from other projects, creating harm on multiple fronts.
With certain media activities, such as documentaries and news, leaks can put subjects, sources, filmmakers, or reporters in danger. But even if you’re just making entertainment, having the wrong information get out can harm your personnel, business relationships, and organization — as we saw with the Sony email hack.
The media industry is high profile by its very nature, and the public is always eager to dig up the dirt and gossip. DLP solutions can prevent a poorly thought out email or a stray click from turning into a PR nightmare for your talent and your organization.
Data Loss Prevention Solutions For the Media Industry
1. Focus on DLP Solutions Where They Do the Most Good — Email
Modern messaging tools make it really easy to share information, which means they make it really easy to accidentally share the wrong information. Email is probably not the only messaging tool your organization uses, but it’s the most versatile one. You can use it to communicate with anyone on any device, share documents and files, and easily integrate messaging with productivity and file storage (like with G Suite).
This makes it the ideal place to deploy a DLP solution. Organizations should initially focus on email DLP, and train workers to use email for sensitive conversations so that they don’t bypass the DLP rules.
2. Start Your Data Loss Prevention Policy With Encryption
Mistakes expose sensitive data occasionally, but unencrypted emails and messages are always at risk. Without encryption, hackers can easily intercept and read your messages in transit. Things have gotten safer, with most major email providers using TLS encryption — but TLS only works if every server your message travels through supports it, and is configured correctly — otherwise the message is sent unencrypted, or with weak, hackable encryption.
Virtru provides client-side encryption which doesn’t depend on the servers your message travels through, so it stays encrypted across its whole journey. With Virtru DLP, you can setup rules to automatically encrypt sensitive messages, so they’ll be protected even when someone on your team forgets to turn on encryption.
3. Use Threat Modeling to Expand Your DLP Program
Each media company faces its own unique set of DLP threats. A movie studio trying to keep a blockbuster film under wraps will face different threats than, say, an investigative journalist trying to protect a source. Flexible DLP solutions let you meet the needs of your company, by creating or customizing your own rules.
For example, if you have a project where it’s particularly important to control the release of information, you might want to create a set of rules for those involved. You could create a list of keywords referencing the project, and trigger rules warning members to encrypt emails with those words, strip attachments sent to people outside that project, or even BCC supervisors on emails that appear to violate your DLP rules, so they can make sure your team is controlling access, and check in with workers who don’t understand the rules.
4. Iterate Your DLP Program
You can’t just plug in DLP solutions and assume they’re doing their job. Your team and partners communicate in complex ways, that you probably won’t fully understand at the start of your project. If you try to address everything at once, you’ll either miss risks, create overaggressive warnings that your workers will start to ignore, or most likely, do both.
The best approach to DLP rules is to start small. Create a pilot program to reduce risk around a particularly sensitive project — for example, a controversial documentary or a department like HR that works with highly regulated confidential business information.
Have IT work closely with that team, both to ensure they’re following the rules and to refine the rules based on feedback. Once you get some experience, expand your DLP solution into other projects or groups, using your pilot team as a resource.
5. Get Your Partners to Adopt DLP Solutions
One major DLP challenge for media companies is the sheer number of people outside your organization you do business with. Actors, freelance reporters, recording artists, special effects companies, promoters, and many other associates are outside of your organization, but all of them can compromise sensitive data just as easily as your own workers can.
To meet this challenge, you need to apply your data loss prevention policy to all the people your organization works with, and that means getting your partners to adopt their own DLP solution. One way to do this is to make DLP adoption part of your contract for certain key projects, and for areas where you’re legally obligated to protect data, such as HR.
You may want to roll this out over multiple stages. For example, you might start by requiring them to use a secure email service backed by DLP rules encrypting data involving your project, then roll out more rules as you refine your own DLP project.
DLP Solutions Let You Focus On Creating Great Media
In the media industry, controlling your image is everything. If the wrong information leaks out at the wrong time, it can alienate your colleagues, damage your properties, and cause long term harm to your brand. DLP solutions can help your organization control the release of information, allowing you to tell the story instead of being the story. Use these resources to learn more: