JOSEPH G. SUKHBIRSecurity Awareness in an Unregulated Environment

or – how to engage with creative people on security

• We sometimes operate in our own bubbles and get invested in a technical language that only those in the know speak.

• When an average user hears this they ‘switch off’.• We also rely on technical solutions to protect what we sometimes see as un-

cooperative users who won’t understand the complex concepts of information security.

• In a creative company these end users are very technologically literate and are highly skilled using their particular suite of applications.

• But user awareness has always been one of the best security tools that has been available

TOPIC:• Security Awareness in an Unregulated Environment – or – how to engage with creative people on

security. SYNOPSIS• As security professionals we sometimes think that technical solutions will solve our problems, and

we forget about the users.• One of the most effective tools for information security has always been user awareness.• Working in a creative environment, with technologically literate, creative users can be challenging.

Always speak at their Level. Traditional user awareness will not work on these users as they will perceive it as if you are talking down to them.

• Overcoming technological challenges in securing artist content.• Combining best practise into a positively worded message. I will talk about the user awareness that I

conduct with these users.• How do we market security to key stakeholders to empower them to protect the company and

themselves. Both internal and external partners. Scenario based, rather than concrete instructions.

CREATIVE AWARENESS

• So how do you engage with people without them switching off.• Make friends with you marketing/corporate comms department.• Use lots of pictures• Use real world examples.• Refer to items that have been in the news recently.• Stay on topic, but keep it topical.

SECURING ARTIST CONTENT

• Obfuscate names of content. All files created or modified should be registered under a fake name. NO reference to the artists or project should be made at any point.

• Keep new projects confidential– MIXES, MASTERS, PARTS, STEMS, and WORK IN PROGRESS are all extremely valuable, and highly sought after in the piracy

world.– Access is limited to only those who need to work on the project. NO ONE else has access, there are no exceptions.– Artists are advised not to send anything to anyone not involved in the project, at any stage.– Session file access should be limited to you and those working directly on the project.

• There will come a time when files need to be transferred:– EMI Music provides secure methods to store, share and work on projects (such as a secure FTP server). – Artists are advised to not use insecure (free) “Cloud” based services such as You Send It, Sound Cloud, Rapid Share, iCloud. – In an emergency, some paid for secure storage services (such as box.com or huddle.com) can be used IF: (1) the service is

password protected, (2) the password is not communicated via email under any circumstances, (3) the password is changed immediately before and after delivery and (4) the file is deleted from the service following delivery.

• When using multiple working environments, i.e. a different studio to mix and track in, make sure all session files are deleted from any scratch discs at the end of the session and the computer's trash/recycling folder is emptied.

Message to artists

• Positively worded– Artists are high profile targets of hackers. Attacks range from black mail to false allegations based on skewed morality of hackers. Stalker and scammers

also target artists.• There have been a large number of high profile early leaks of songs and unreleased music from big acts, which we believe have been the

result of professional hackers and scammers who are targeting studios, artist, producers, managers and labels.• A number of the leaks have been hacked directly from an artist's or producer's own computer. We have confirmed that one of the hackers

utilised an insecure Wi-Fi connection and gathered content as it was being transferred across the network.• 3 things to do IMMEDIATELY if they have believe they have been compromised.

– Call management and EMI representative– Call their bank– Call law enforcement

• Artists use their own computer hardware and software so we have no corporate control over these machines. The best we can do is provide a list of best practices such as:– Device encryption.– Anti-malware– Passwords– Beware of phishing email– Check privacy settings– Social networking (see below)– Mobile devices (see below)

SOCIAL NETWORKING

• Social networks remain one of the best ways to engage with fans, but as in real life, internet based social networks pose certain risks. EMI encourages their safe use both by artists and artist management.

• Keep your public and private lives separate. Keep personal information like home addresses, phone numbers, club cards, credit card information, personal email addresses, off public sites.

• Switch off location information on social posts. Location information, on some services, is switched on by default. This can allow fans, press and stalkers to pinpoint your location.

Mobile devices

• Mobile devices include smart phones and tablets, such as the iPhone and iPad. As mobile devices become more powerful they can hold more original, personal and pre-release content. As personal computers and laptops have been, and continue to be targets, so mobile devices will become targets.

• Make sure that your mobile device has the option to remote wipe the device enabled.

• Encrypt data on the device.