2. or – how to engage with creative people on security
• We sometimes operate in our own bubbles and get invested in a
technical language that only those in the know speak.
• When an average user hears this they ‘switch off’.
• We also rely on technical solutions to protect what we sometimes see
as un-cooperative users who won’t understand the complex concepts of
information security.
• In a creative company these end users are very technologically literate
and are highly skilled using their particular suite of applications.
• But user awareness has always been one of the best security tools
available.
3. TOPIC:
• Security Awareness in an Unregulated Environment – or – how to engage with creative people on security.
SYNOPSIS
• As security professionals we sometimes think that technical solutions will solve our problems, and we
forget about the users.
• One of the most effective tools for information security has always been user awareness.
• Working in a creative environment, with technologically literate, creative users can be challenging. Always
speak at their level. Traditional user awareness will not work on these users, as they will perceive it as
talking down to them.
• Overcoming technological challenges in securing artist content.
• Combining best practice into a positively worded message. I will talk about the user awareness that I
conduct with these users.
• How do we market security to key stakeholders, both internal and external partners, to empower them to
protect the company and themselves? Scenario-based, rather than concrete instructions.
4. CREATIVE AWARENESS
• So how do you engage with people without them switching
off?
• Make friends with your marketing/corporate comms
department.
• Use lots of pictures.
• Use real world examples.
• Refer to items that have been in the news recently.
• Stay on topic, but keep it topical.
5. SECURING ARTIST CONTENT
• Obfuscate names of content. All files created or modified should be registered under a fake name. NO reference to the
artists or project should be made at any point.
• Keep new projects confidential
– MIXES, MASTERS, PARTS, STEMS, and WORK IN PROGRESS are all extremely valuable, and highly sought after in the piracy world.
– Access is limited to only those who need to work on the project. NO ONE else has access; there are no exceptions.
– Artists are advised not to send anything to anyone not involved in the project, at any stage.
– Session file access should be limited to you and those working directly on the project.
• There will come a time when files need to be transferred:
– EMI Music provides secure methods to store, share and work on projects (such as a secure FTP server).
– Artists are advised to not use insecure (free) “Cloud” based services such as YouSendIt, SoundCloud, RapidShare, iCloud.
– In an emergency, some paid-for secure storage services (such as box.com or huddle.com) can be used IF: (1) the service is password
protected, (2) the password is not communicated via email under any circumstances, (3) the password is changed immediately before and
after delivery and (4) the file is deleted from the service following delivery.
• When using multiple working environments, i.e. a different studio to mix and track in, make sure all session files are
deleted from any scratch discs at the end of the session and the computer's trash/recycling folder is emptied.
6. Message to artists
• Positively worded
– Artists are high-profile targets of hackers. Attacks range from blackmail to false allegations based on the skewed morality of hackers. Stalkers and scammers also target artists.
• There have been a large number of high-profile early leaks of songs and unreleased music from big acts, which we believe have been the result of professional
hackers and scammers who are targeting studios, artists, producers, managers and labels.
• A number of the leaks have been hacked directly from an artist's or producer's own computer. We have confirmed that one of the hackers utilised an insecure
Wi-Fi connection and gathered content as it was being transferred across the network.
• 3 things to do IMMEDIATELY if they believe they have been compromised:
– Call management and EMI representative
– Call their bank
– Call law enforcement
• Artists use their own computer hardware and software so we have no corporate control over these machines. The best we can do is provide a list of best
practices such as:
– Device encryption.
– Anti-malware
– Passwords
– Beware of phishing email
– Check privacy settings
– Social networking (see below)
– Mobile devices (see below)
7. SOCIAL NETWORKING
• Social networks remain one of the best ways to engage with fans, but as
in real life, internet based social networks pose certain risks. EMI
encourages their safe use both by artists and artist management.
• Keep your public and private lives separate. Keep personal information
like home addresses, phone numbers, club cards, credit card
information and personal email addresses off public sites.
• Switch off location information on social posts. Location information, on
some services, is switched on by default. This can allow fans, press and
stalkers to pinpoint your location.
8. Mobile devices
• Mobile devices include smart phones and tablets, such as the
iPhone and iPad. As mobile devices become more powerful they
can hold more original, personal and pre-release content. As
personal computers and laptops have been, and continue to be
targets, so mobile devices will become targets.
• Make sure that the remote wipe option is enabled on your
mobile device.
• Encrypt data on the device.