When you need to send the client the latest cut, run this week’s payroll, and get drinks with an ad agency, the last thing your production company needs is a data hack. Keeping your production company secure isn’t optional—it’s essential.
In this guide, we’ll define common challenges in data security, ways to combat these threats, and closely look at the role of human engagement within digital security.
To better protect your team, company, and clients, we’ll highlight the security measures we implement as a SOC 2 compliant payroll company as well as better practices you can follow to be more proactive.
Let’s get into it.
Much of digital security among crew members comes down to education. When managing teams of people and systems with sensitive information, you want to empower your team. Help them get the most out of the software while keeping them safe. You also have to make sure they know the dangers that exist.
As one example, let’s look at email phishing scams.
Email phishing scams are a means to trick users into divulging sensitive information by constructing fake emails, texts, and websites that look identical to the real ones. A crew member’s quick click and entry of their usual username and password could compromise their information and others connected to their digital system.
Three billion phishing emails are sent each day. Even more concerning, 97% of people don’t know how to identify a phishing email. With those stats, it’s easy to see why security awareness training is necessary.
Let’s look at an example:
Your PM gets an unexpected email from someone posing as you. “You” notify them they received a bonus for doing such an incredible job on the last shoot, but they have to click the link to receive the payment.
Sounds unbelievable on paper, but trust us, these emails often look legitimate. They can use the same logos, colors, and even fonts that victims are used to. Just enough to click the link.
The moment they click that link, their information and possibly your information now is compromised.
In another instance, your staff member might be asked to input a username and password. If they believe it’s from you or the link that’s pushed them to a fake login screen looks legitimate enough, they might not even think twice about compromising their or the company’s information.
Here are some common subject lines to point out to crew as potential phishing scams:
Most often, the scam requires the reader to take some kind of quick action. Anything that appears suspicious or urgent is usually an indicator that something could be... well... phishy.
Put yourself in a safer position from the start. In your training, set clear expectations about what types of requests will come over e-mail versus other channels. Ask your staff to contact you to verify before clicking any suspicious e-mail or replying to any request coming through unusual channels.
Once you establish what phishing scams look like, communicate what they should expect from you. When they know more of the general protocols, they’ll be better equipped to spot something that’s wrong.
Multi-Factor Authentication (MFA) is an authentication process where a user must provide two or more forms of verification to receive access. A common example might be entering in a username and password and then typing in a security number sent to your phone.
Remember that freelancers move from company to company and risk exposing your information to a greater network. If your staff or freelancers have access to company information on their devices, require that they turn on MFA for software or applications that give them access to sensitive data.
Just using a password for authentication leaves a user open to hacking, and phishing. Both multi- and two-factor authentication (or 2FA) reduces the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, only knowing the password to the account is no longer enough to give an intruder access. They’ll need the second factor as well.
As a financial service provider, we’re dedicated to protecting your data and providing an extra layer of security when accessing pages containing sensitive information. We’re also committed to doing so in a way that is as unobtrusive as possible—without slowing down your workflow.
Our available authentication methods make MFA quick and easy. You can choose from authenticator apps like Google Authenticator, keycodes sent via SMS or voice call, or—if your device supports it—biometrics like TouchID or FaceID.
Plus, if you register and log in from a trusted device, Wrapbook can reduce the number of times you need to authenticate—keeping you secure without slowing you down. Trusted devices will be prompted to re-authenticate once every 30 days.
For more in depth information, please visit our Help Center.
You can train your employees on scams all day, but your security is only as strong as your weakest link. As you work with vendors, you open up your production company to a larger network that could abuse your and your workers’ information.
With sensitive information moving from device to device, data encryption is vital for production companies to consider when choosing any vendors—from call sheet software to payroll or accounting programs or even equipment rental.
Wrapbook has to stay safe and efficient with our data encryption. This is vital for us and for you. It’s fundamentally about data privacy – guaranteeing that only those who need to see the information see it.
When inquiring about data encryption, there are two types to ask about:
We leverage at least AES 256-bit encryption at rest. And we support TLS 1.2 and above on our application. Older versions such as 1.1 and below have been phased out of our environment.
Third-party auditors are neutral organizations without conflict of interest that are brought in to measure the quality in which an organization is run. These companies bring an increased level of credibility to organizations that claim compliance.
They often provide their assessment of the organization’s credibility through Service Organization Controls (SOC) reports.
Service Organization Controls (SOC) reports qualify an organization according to a set of standards and how well they maintain them. These reports help establish confidence by testing the integrity of a company’s processes.
For an organization like Wrapbook, SOC auditing tests the integrity and strength of our IT controls, business processes, and financial processing. We engage third party auditors to take us through SOC audits to ensure we’re meeting standards. This communicates to our clients our proficiency in codes of practice, workflows, and protocols. Wrapbook has both SOC 1 and SOC 2 attestation reports.
When selecting financial vendors to help run your business, make sure they can openly discuss these security measures and have the reports to verify their credibility.
While a crew member should never accidentally (or intentionally) give out your intellectual property, the safer option is prevention—creating instances where they never have unnecessary access in the first place. When it comes to information limitation, this is where digital software solutions like Wrapbook come in.
Data encryption keeps your information secure but still available to those who need it, keeping your production running efficiently and safely.
Data encryption is a digital security method that encodes information, making data incomprehensible to all users except those with the encryption key. In the context of a production company, this ensures that information still quickly travels across digital systems for all members who should access it.
Higher-level production members can still easily access more sensitive info. But ONLY them. They’re the ones with the keys to the encryption. Wrapbook is a more advanced version of the old safe in the production office. Only the people who need it have the keys.
Only this safe can be accessed from almost everywhere.
Wrapbook’s system serves as a database of production startwork, employee tax forms, production finances, and more. Through our database design , crew members regularly interacting with our platform can only access their respective payroll and tax documents. Through Wrapbook’s access control features, production managers have the flexibility to design levels of access that work for you and your production.
Biometric authentication methods (like Face ID and Touch ID) on biometric-supported devices seal any sensitive tax, income, or other identifying information within each user’s profile.
For production members and admins handling larger picture tasks like running payroll, collecting tax documents, or assisting members in finding their information, Wrapbook’s roles and permissions allow access for those who need it. Within the Wrapbook system, production heads can be granted different levels of access. For example, certain roles can access worker documents or approve payroll requests, while higher-level account roles can closely track finances and get into the details of production tax work.
These distinct roles and clear parameters around permissions keep the chain of command of data access clear, quick, and simple. Staying on top of access controls and roles is critical. By being careful about giving access (and removing it at the end of a project), you better protect your and your business's data
When it comes to security, find a company that is comfortable discussing all of their security measures, from data encryption to third party audits, 24/7 monitoring to secure financial transactions (and too many to list here).
Reach out to us at any time to learn more about how we keep your information safe.
Vetting crew takes many forms.
Sometimes, it involves outlining non-disclosure agreements and startwork. For many producers, vetting crew looks more like hiring off referrals. Your network can be great for hiring those with an already-known reliable work ethic. However, there are risks associated with not going through proper steps in an industry running on freelancers who go from job to job, and company to company.
While most companies may not have time to run background checks on every person they hire, certain key players who will end up with access to higher-level information merit this critical step.
Hopefully, you’ve already conducted checks on your full-time employees, but what about individuals who handle the finances on a project-by-project basis? Production managers and sometimes even coordinators or other freelance producers are near your team’s most sensitive information. It’s 100% your responsibility to ensure they’ve never been indicted in a breach or in any situation where large sums of money have gone missing.
You’re not trying to dig up people’s past. It’s ultimately about minimizing your crew members, clients, and vendors’ risk as much as your own.
With greater tools comes greater accountability to keep your company, your crew, and your client’s information safe.
The good news is you don’t have to sacrifice efficiency for security. Production companies can benefit from going digital in leveraging a wide range of features to secure their business. Strong digital safety measures enable productions to operate with confidence and speed, while simultaneously minimizing the risk of any breach.
For more on how to keep your creative business secure, download our digital security ebook. To go deeper into how Wrapbook keeps your data secure, reach out to an expert before your next project.
At Wrapbook, we pride ourselves on providing outstanding free resources to producers and their crews, but this post is for informational purposes only as of the date above. The content on our website is not intended to provide and should not be relied on for legal, accounting, or tax advice. You should consult with your own legal, accounting, or tax advisors to determine how this general information may apply to your specific circumstances.