With so much media production now taking place digitally, it’s easy to lose sight of the analog assets that need protection. Unattended scripts, expensive equipment, or devices loaded with proprietary material can all pose serious risks in the wrong hands.
Physical assets like costumes, props, paper documents, and computer equipment also have value greater than just the cost of their replacement. Often, items unique to a production have no substitute, and hardware like tablets or phones could allow catastrophic access to confidential financial data, intellectual property, or personal images and correspondence.
Productions often contract out their security, both on-set guards and consultants who develop security plans that establish guidelines for protecting assets. While they can play an important role, outside contractors often lack a core production team’s deep understanding of any particular project. And until recently, each contractor implemented their own set of standards, leaving personnel scrambling to adjust to different protocols for each project.
New guidelines released by the Production Security Working Group of the entertainment industry’s Content Delivery and Security Association (CDSA) strive to correct these issues by creating a set of security standards that can be implemented across the industry. The standards develop an important baseline of best practices designed to address both digital and physical assets. Rather than tackling new protocols for each project, film and video professionals, including security contractors, can now share expectations adaptable to many different creative contexts.
While public awareness of cybercrime is rising, people often forget the connections between the physical and virtual environments.
Lulu Zezza, production security advisor and co-chair of the CDSA’s Production Security Working Group, describes physical security and cybersecurity as mirror images of one another. For example, physical walls and virtual firewalls both protect important assets, while key cards and digital user names and passwords ensure only authorized personnel can enter those spaces.
“Many businesses find cybersecurity daunting because they cannot physically see the assets they are protecting,” she says. “In some cases, cyber solutions are designed based on ancient solutions: Air gapping — isolating data assets from networks and the Internet — is equivalent to building a moat around a castle. By drawing the direct parallels to their physical security, they can develop checklists and plans that are understandable.”
At the same time, brick-and-mortar and digital security often overlap. Consider, for instance, how network ports are physical points of entry to virtual settings. And allowing someone on set or into an edit bay often means giving them access to networks and hardware. Understanding these points of connection can go a long way toward developing an effective plan.
The dynamic nature of film and video production can make securing a physical environment especially challenging. Multiple locations, erratic schedules, and constantly changing personnel rosters make it hard to plan for vulnerabilities. Superfans and a curious general public add another layer of complications; some may try to sneak on set, for example.
Taking steps in advance can thus guard against unwanted outcomes. Take a look at the helpful recommendations below that the CDSA guidelines call out and feel free to adapt them to suit your production needs.
Good security begins before a production gets started. Draft a list of key assets with a plan to keep each one safe. Do background and/or reference checks on everyone who will be allowed on site. When choosing a location, take note of areas like shared hallways where it might be hard to prevent unauthorized access. Make sure contracts with third-party vendors such as cleaners or VFX companies include an agreement to follow security protocols.
Decide your site perimeter and identify vulnerable areas, like windows, doors, or breaks in fencing that require additional attention. See if there are any areas you want to restrict and establish secure internal barriers between them and less restricted areas. Secure all points of digital entry including network ports.
A production’s security is only as strong as its most vulnerable component. Be sure everyone involved in the production — including contractors — knows your security policies and procedures before you give them access to assets and secure locations. Identify people responsible for crucial aspects of the production — sound, videography, dailies — and provide them with in-depth training so they can be a security resource and point person for their team.
The more keys to your site, the more possibilities that the wrong person will gain access. Limit the number of site keys in circulation and keep master keys and unassigned keys in a secure location. If a key is lost or stolen, treat it as a security incident and change the locks. When possible, use automatic locking devices to guard against someone dashing out and forgetting to lock the door behind them. Keep all unattended doors and windows locked at all times. If an entrance requires a key-card swipe, don’t try to be polite by holding the door for the person behind you; let them swipe themselves in to leave an accurate record of entry.
It’s important to know at a glance who should be where. Everyone associated with a production should wear identification clearly marked with their level of access (red for visitors, green for full access, or a picture of a camera for a person authorized to film on site, for example). Make sure to regularly update the current list of site-authorized employees. Visitors should always be accompanied. Keep a daily site log with check-in and check-out times. If something happens, the log will be a starting point for an investigation.
Establish lock-ups, vaults, or safes for restricted objects and put them in areas that are easy to secure and in clear view of work areas. Never put a vault or lock-up in an unattended, out-of-the-way location.
Personal phones, tablets, or computers can easily transport confidential material, particularly sensitive creative information or other restricted data. Prohibit the use of personal devices on site and require people to declare any devices they bring in. Lock the devices in a secure location if possible.
Designate a limited number of individuals to share responsibility for sensitive security information, including access to keys, passcodes, and lock-ups. Never give just one person direct control over assets. Whenever possible, create a follow-up check by a second person for certain assets and access. Make sure responsibility and accountability are shared.