When you need to send the client the latest cut, run this week’s payroll, and get drinks with an ad agency, the last thing your production company needs is a data hack. Keeping your production company secure isn’t optional—it’s essential.
You are now responsible for so much more than on-set safety.
In this guide, we’ll define common challenges in data security, ways to combat these threats, and closely look at the role of human engagement within digital security.
To better protect your team, company, and clients, we’ll highlight the security measures we implement as a SOC 2 payroll company, along with practices you can follow to be more proactive.
Let’s get into it.
Much of digital security among crew members comes down to education. When managing teams of people and systems with sensitive information, it’s your responsibility to ensure your crew members know how to use the software. You also have to make sure they know the dangers that exist.
As one example, let’s look at email phishing scams.
Email phishing scams are a means to trick users into divulging sensitive information by constructing fake emails, texts, and websites that look identical to the real ones. A crew member’s quick click and entry of their usual username and password could compromise their information and others connected to their digital system.
Three billion phishing emails are sent each day. Even more concerning, 97% of people don’t know how to identify a phishing email. With those stats, it’s easy to see why security awareness training is necessary.
Let’s look at an example:
Your PM gets an unexpected email from “you” notifying them they received a bonus for doing such an incredible job on the last shoot, but they have to click the link to receive the payment. (Sounds unbelievable on paper, but trust us, these emails often look legitimate.)
The moment they click that link, their information, and possibly yours, is compromised.
In another instance, your staff member might be asked to input a username and password. If they believe it’s from you or the link that’s pushed them to a login screen looks legitimate enough, they might not even think twice about compromising their or the company’s information.
Here are some common subject lines to point out to crew as potential phishing scams:
Most often, the scam requires the reader to take some kind of quick action. Anything that appears suspicious or urgent is usually an indicator that something could be... well... phishy.
Put yourself in a safer position from the start. In your training, establish that you will never ask staff to do something urgently in an email.
Once you establish what phishing scams look like, communicate what they should expect from you. When they know more of the general protocols, they’ll be better equipped to spot something that’s wrong.
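The warning signs described above (a trusted name on an outside address, pressure to act, and a link that leads away from the company) can also be checked automatically. The sketch below is an added example, not Wrapbook's code; the company domain, the protected name, the lure-word list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: company domain, names worth impersonating, lure words.
COMPANY_DOMAIN = "example-productions.test"
PROTECTED_NAMES = {"dana producer"}
LURE = re.compile(r"\b(urgent|immediately|right away|bonus|action required|verify)\b", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+")

def phishing_signals(raw_email: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    signals = []
    # A trusted display name on an outside address: the email from "you".
    if name.strip().lower() in PROTECTED_NAMES and sender_domain != COMPANY_DOMAIN:
        signals.append("display-name-impersonation")
    # Pressure or bait in the subject or the (single-part, plain-text) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if LURE.search(msg.get("Subject", "")) or LURE.search(body):
        signals.append("urgency")
    # Links that lead somewhere other than the company's own domain.
    for url in LINK.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            signals.append("external-link:" + host)
    return signals

# Constructed sample messages (not real mail).
SPOOFED = """From: "Dana Producer" <dana.producer@payroll-bonus.test>
To: pm@example-productions.test
Subject: Your bonus is ready - action required today

Great job on the last shoot! Claim your payment: http://payroll-bonus.test/claim
"""
GENUINE = """From: "Dana Producer" <dana@example-productions.test>
To: pm@example-productions.test
Subject: Call sheet for Thursday

Call sheet is posted at https://docs.example-productions.test/callsheet
"""

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE):
        print(phishing_signals(sample))
```

A message that trips several signals at once, like the spoofed bonus email, is the kind to hold for a second look before anyone clicks.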
Multi-Factor Authentication (MFA) is an authentication process where a user must provide two or more forms of verification to enter a program. A common example might be entering a username and password and then entering a security number sent to your phone.
Remember that freelancers move from company to company, exposing your information to a greater network. If your staff or freelancers have access to company information on their devices, require that they turn on MFA.
Using only a password for authentication leaves a user open to hacking and phishing. Both multi-factor and two-factor authentication (or 2FA) reduce the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, knowing the password to the account is no longer enough to give an intruder access without approval at the second factor.
As a financial service provider, we’re dedicated to protecting your data and provide an extra layer of security when accessing pages containing sensitive information.
If Wrapbook is your current production payroll provider, there are certain pages that will trigger identity confirmation.
This is what you can expect:
For more in-depth information, please visit our Help Center.
You can train your employees on scams all day, but your security is only as strong as your weakest link. As you work with vendors, you open up your production company to a larger network that could potentially abuse your and your workers’ information.
Your freelance employees could get onboarded 30 or more times in a single year. With sensitive information moving from device to device, data encryption is vital for production companies to consider when choosing any software vendors—from call sheet software to payroll or accounting programs.
As a payroll company, Wrapbook’s protections must be exceptionally high to meet and exceed industry standards. Like you, we have to stay safe and efficient with our data encryption.
When inquiring about data encryption, there are two types to ask about:
We leverage at least AES 256-bit encryption at rest. And we support TLS 1.2 and above on our application. Older versions such as 1.1 and below have been phased out of our environment.
Third-party auditors are neutral organizations, free of conflicts of interest, that are brought in to measure how well an organization is run. These companies bring an increased level of credibility to organizations that claim compliance.
They often provide credibility through Service Organization Controls (SOC) reports.
Service Organization Controls (SOC) reports qualify an organization according to a set of standards and how well it maintains them. These reports help establish confidence by testing the integrity of a company’s processes.
For an organization like Wrapbook, SOC auditing tests integrity and the strength of our IT controls, business processes, and financial processing. We often hire third parties to take us through SOC audits to ensure we’re meeting standards. This communicates to our clients our proficiency in codes of practice, workflows, and protocols. Wrapbook has both SOC 1 and SOC 2 attestation reports.
When selecting financial vendors to help run your business, make sure they can openly discuss these security measures and have the reports and organizations to verify their credibility.
While a crew member should never accidentally (or intentionally) disseminate your intellectual property, the safer option is prevention—creating instances where they never have unnecessary access in the first place. When it comes to information limitation, this is where digital software solutions like Wrapbook come in.
Data encryption keeps your information secure but it’s still available to those who need it, keeping your production running quickly and safely.
Data encryption is a digital security method that encodes information, making data incomprehensible to all users except those with the encryption key. In the context of a production company, this ensures that information still quickly travels across digital systems for all members. But, more sensitive info can only be accessed by higher-level production members.
Wrapbook’s program serves as a database of production startwork, employee tax forms, and production finances. Through data encryption, crew members regularly interacting with our software can only access their respective payroll and tax documents.
Biometric authentication methods (like Face ID and Touch ID) seal any sensitive tax, income, or other identifying information within each user’s profile.
For production members and admin handling larger picture tasks like running payroll, collecting tax documents, or assisting members in finding their information, Wrapbook’s roles and permissions allow access for those who need it. Within Wrapbook’s system, production heads have different levels of access. Admin roles can access worker documents or approve payroll requests, and higher-level account roles can closely monitor finances and get into the details of production tax work.
These distinct roles and clear parameters around permissions keep the chain of command of data access clear, quick, and simple.
When it comes to security, find a company that is comfortable discussing all of their security measures, from data encryption to third-party audits, 24/7 monitoring to secure financial transactions (and more than we can list here).
Reach out to us at any time to learn more about how we keep your information safe.
Vetting crew takes many forms.
Sometimes, it involves outlining non-disclosure agreements and startwork. For many producers, vetting crew looks more like hiring off of referrals. Your network can be great for hiring those with an already-known reliable work ethic. However, there are risks associated with not going through proper steps in an industry running on freelancers who go from job to job, and company to company.
While most companies may not have time to run background checks on every person they hire, certain key players who will end up with access to higher-level information merit this critical step.
Hopefully, you’ve already conducted checks on your full-time employees, but what about individuals who handle the finances on a project-by-project basis? Production managers and sometimes even coordinators or other freelance producers are near your team’s most sensitive information. It’s 100% your responsibility to ensure they’ve never been indicted in a breach or in any situation where large sums of money have gone missing.
You’re not trying to dig up people’s past. It’s ultimately about minimizing your crew members’, clients’, and vendors’ risk as much as your own.
With greater tools comes greater accountability to keep your company, your crew, and your client’s information safe.
The good news is you don’t have to sacrifice efficiency for security. Production companies can benefit from going digital in leveraging a wide range of features to secure their business. Strong digital safety measures enable productions to operate with confidence and speed, while simultaneously minimizing the risk of any breach.