Myth Busting Cybersecurity: What Arthouse Venues Need to Know • Arthouse Cinema Hub

In an everchanging technology landscape, the topic of cybersecurity can be extremely daunting. We all know that we need to secure our systems, safeguard copyright and protect our data, but how can independent venues keep ahead of the fast-moving world of digital scammers? With so many other issues to deal with on a daily basis, how can we build keeping informed into our work flow? And how can we make sure that busy staff are aware of the importance of digital safety alongside their other responsibilities?

These questions came up in a recent CICAE Arthouse Cinema Meet focusing on cybersecurity. The session was led by two experts well-versed in the intersection between cinema and technology: Cathy Huis in't veld-Esser, CTO and co-owner of digital logistics company Gofilex, and Barry de Bruin, director IT and VOD platforms at Pathé Netherlands. During an informative online gathering, Huis in't veld-Esser and de Bruin shared best practice tips, demystified the tech jargon, and busted misconceptions about digital safety in venues.

Below we’ve highlighted some of the key takeaways from the session.

First, let’s talk about the scale of the problem. As Huis in't veld-Esser emphasises, cybersecurity is not simply the responsibility of your technician or IT department. “You, as a cinema, depend on many connected systems every day,” she says. “You have ticketing, plus scheduling, customer data, payment systems, digital signings, projections, Wi-Fi, email, and many suppliers. If one of these systems goes down, you, your staff, and audiences will feel it immediately. So, my view is practical. How can we help you, cinema operators, reduce the risk, in a realistic way? “

De Bruin is similarly unequivocal about the stakes we’re working. “We try to invest a lot in IT security, and also in awareness among our staff to make sure that they are aware of the risks we run today,” says de Bruin. “It's even getting faster especially now with all the AI tooling and solutions that are available. It's happening every day, and that’s very scary. I think it's very clear in the memo… [a cyber-attack] can happen to all of us, and you have to be prepared.”

Smaller operations are by no means immune to these risks. “Hackers probably pay more attention to and prioritise bigger companies… But it’s always a risk, also for smaller companies,” De Bruin explains. In fact, while bigger companies might be more visible, small companies are often easier to attack, and with fewer resources, the impact of a cyber-attack can be particularly devastating. “If you look at a ransomware attack, it can happen to all of us. If your systems are held hostage and you have to pay a ransom, it will have a business impact.”

Those risks are multiplied in a post-COVID world, with more people working from home or offsite, and with the widespread use of AI and bots. Hackers can also be extremely resourceful, searching social media or even calling venues, to get hold of personal information and guess passwords. In this context, Huis in't veld-Esser emphasises the importance of using complicated passwords, and ensuring that different ones are used on every site. To improve security around remote working, de Bruin recommends using multi-factor authentication (MFA) wherever possible, via an app such as Google Authenticator.

Tackling the issue of cybersecurity can feel overwhelming, especially for small organisations. However, taking time to assess your systems and look at where current security measures are lacking can pay dividends in the long term.

“We try with our own staff and partners to identify weak spots and possible threats,” says de Bruin. “It can be that we have to put up firewalls, or extra security layers in our network so we can monitor traffic and behaviour.” If you have a lot of remote staff, a priority might be training staff to work safely from home, or if you have a busy website it might be about checking that your website is well secured against hostile traffic. Ensuring that all your terminals, kiosks and workspaces are fitted with endpoint security (e.g. programmes such as CrowdStrike or Microsoft Defender) is a bare minimum for most venues. Supply chain vulnerabilities can also provide entry points for criminals, so it’s important to think about how you share information and communicate externally – with suppliers and providers – as well as internally within your venue.

Cybercrime is constantly evolving, so it’s vital to keep on top of developments and keep your staff informed about new trends amongst scammers. This is even more relevant now given the increased use of new technologies. Huis in't veld-Esser for instance, flags a huge increase in recent months of attacks from bots attempting to hack cinemas.

It’s also important to be aware of techniques, such as cloning email addresses and invoices, which can make otherwise simplistic scams more effective. Phishing – the technique of sending messages with the intent of getting hold of sensitive information – remains another key vulnerability for many venues. De Bruin runs quarterly simulations to test if colleagues are aware of the risks, as even basic security measures can be forgotten in the rush of a busy shift.

Simple physical precautions, such as avoiding unknown USB sticks and restricting access to projection booths and server room, are simple, commonsense precautions. Keeping cybersecurity as a standing point in team meetings might also be useful. Ultimately, keeping your venue safe is an ongoing process, not a quick fix, and continually reminding your team of the basics can make a big difference.

The good news is that you don’t need a huge amount of resources to improve the safety of your venue. “Even with a low budget, you already do a lot, especially in the awareness area,” explains de Bruin. He advises making sure that best practice is embedded from the start with new staff. “Part of our onboarding phase is also to make [new staff members] aware of IT security, so we have a small booklet, with very user-friendly wording and language and the dos and don’ts.” Another meaningful starting point is making an emergency plan, so that everyone knows what to do in case the venue is attacked. This might include contact for suppliers, partners and colleagues, as well as a clear sequence of action and details of who should be contacted first in the case of a breach. De Bruin advises printing this out and having physical copies available and easy to find for staff, in case it is no longer possible to access online systems.

While arthouse cinemas will share many challenges, ultimately you’re operating in your own unique set of circumstances. Working out what those circumstances are, how they affect digital security and what is practically possible for you, is the most efficient way to work out where to direct your energy.

To learn more about cybersecurity, and for a guide to the basics, you can also read this article which introduces some simple best practice principles of cybersecurity.