A few weeks ago, I visited one of India’s well-known VFX studios to discuss Cybersecurity threats. It is an organisation with more than 120 artists and technicians, delivering high-end content to clients across the US, Canada, and major OTT platforms in India. Their CEO had invited me for a discussion on strengthening their security posture, especially as international clients were raising concerns about data protection and NDA compliance.
During our conversation, he confidently said:
“We’ve upgraded our firewall, installed the latest antivirus, and our network is well protected.”
On the surface, everything looked perfect.
But cybersecurity rarely fails on the surface. As we walked through the studio, what I found told a very different story.
What I Discovered Inside the Studio
Despite strong perimeter controls, internal practices were exposing them to major risks:
-
The Wi-Fi password was written clearly on a whiteboard near the entrance of the VFX department.
-
Multiple users were sharing the same workstation login, making user tracking impossible
-
Some employees were using personal USB drives to transfer clips “quickly”
-
Interns had access to folders containing client content they were not assigned to
-
Active Directory accounts for former employees were still enabled and accessible
-
Old email accounts were still accessible on the FTP server, containing client assets
-
Several workstations and render nodes were months behind on patch updates
The CEO, walking beside me, gradually became silent.
He finally turned to me and said:
“We always assumed the biggest threat was external hackers.
We didn’t realise our own internal gaps were far more dangerous.”
This is a pattern I’ve seen repeatedly—especially in creative and VFX studios.
Proofpoint’s 2024 Voice of the CISO report found that three in four Chief Information Security Officers (CISOs) said human error was their top cybersecurity risk.
Internal Threats: The Silent, Overlooked Risk
Most internal threats are not intentional; they are the result of:
Human Error
-
Clicking phishing emails posing as client messages
-
Weak passwords
-
Downloading unsafe attachments
-
Sharing login credentials
Weak Processes & Oversight
-
Unpatched systems
-
No endpoint protection
-
Shared access to confidential assets
-
Ex-employees still have access
-
USB devices are moving freely between machines
-
No logging of file movement
Time Pressure and Work Culture
“Quick delivery” often takes priority over “secure delivery.”
These issues create the perfect entry point for attackers.
External Threats Remain Real — But They Succeed Through Internal Gaps
External risks include:
-
Ransomware
-
Phishing
-
Business Email Compromise
-
Fake client invoice scams
-
OTT impersonation emails
-
Credential theft
-
Attacks through exposed VPN/RDP ports
But the truth is simple:
External attackers rarely break through strong firewalls.
They enter through weak internal habits.
The breach at this studio didn’t come from the outside.
It came from a phishing email opened by an employee who thought it was from a US client.
The VFX Industry Has Higher Stakes
VFX and post-production studios handle:
-
Unreleased OTT content
-
Trailers and episodic sequences
-
International client data
-
High-value IP under NDA
-
Confidential production timelines
Even a small leak can cause:
-
Contract termination
-
Legal action
-
Severe reputational damage
-
Loss of international clients
-
Delivery delays running into lakhs
This studio had world-class tools…But their internal controls were creating the real vulnerability.
What Steps Should a Company Take? (Practical & Effective)
Here is what I recommended during that meeting with the CEO:
Strengthen Internal Controls (Top Priority)
Identity & Access Management
-
Disable AD and email access immediately after exit
-
No shared logins—assign individual accounts
-
Enforce “need-to-know” access for project folders
-
Conduct quarterly access reviews
Endpoint & Device Security
-
Patch workstations and render nodes monthly
-
Install endpoint security on every system
-
Disable USB ports or allow only approved devices
-
Remove old FTP services and adopt secure transfer systems
Password & Authentication
-
Enforce strong password policies
-
Activate MFA for email, VPN, and cloud platforms
-
Change all default credentials on routers and NAS devices
Content Protection
-
Control access to client assets
-
Prevent personal storage devices
-
Use secure file-sharing platforms
-
Maintain asset access logs
Awareness & Behaviour
-
Quarterly cybersecurity training
-
Mandatory onboarding security session
-
Phishing simulations
Improve External Defense Layers
-
Email filtering with anti-phishing
-
Secure VPN with MFA
-
Regular vulnerability scans
-
Backup and recovery testing
-
Firewall rule review quarterly
Implement a Basic ISO-Aligned Incident Response Process
-
Clear reporting workflow
-
Escalation process
-
Containment steps
-
Recovery guidelines
-
Post-incident review and documentation
Insight From That Visit
When we returned to the CEO’s office, he summarised it perfectly:
“We invested heavily to block external threats…
but our internal practices were the real threat.”
Cybersecurity isn’t just about defending the perimeter.
It’s about building internal discipline, awareness, and accountability across the company.
The most important question for any company handling global content is:
“Are our internal controls strong enough to prevent external attacks from succeeding?”
Strengthening internal security protects not just systems, but also client trust, brand reputation, and the creative work your teams bring to life.
