News is not joyous for Sony this holiday season. Every day there is a new development, more leaked information, and now outright threats from the “Guardians of Peace” attackers who have taken over Sony’s network and systems.
The dramatic developments have been fascinating, but if that doesn’t frighten you, consider being a Sony employee and seeing threats against you and your family pop up on your own computer screen.
The messages and threats from the group responsible for this attack are weird. And scary. The hackers took things to a new level, and the media is reporting today that the premiere of the movie “The Interview,” set for Friday night in New York City, has been cancelled following yesterday’s threats of outright 9/11-style violence at theaters showing the movie. That’s unnerving.
Whether you’re considering seeing the movie or not and whether you let yourself be deterred by the outrageous threats from these cybercriminals or not are personal choices. But the issues and concerns raised by this unprecedented attack extend to your business as well.
Not Regulated Does Not Mean Not at Risk
Sony is not in an industry you would consider heavily regulated. Unlike a bank or a hospital, the company has not been required to prove compliance with a sector-specific security standard or to take mandated security measures. But, clearly, it has come up against some very big, somewhat unique risks. Your business may not have foreign governments or aggressive cyberterrorists targeting your data. But your industry, whether regulated or not, may have unique risks that seem relatively minor – until some nefarious hacker decides to exploit them for profit, for your corporate destruction, or simply for fun.
Sony could potentially see massive revenue lost on this movie. In the long run, with all this attention, the movie may be a big money maker. But cancelling the premiere, halting interviews and promotion, and large theater chains deciding not to show “The Interview” will be a big financial hit, at least during this holiday season.
As we face a new year and we continue to see new, creative and sophisticated attacks, consider the risks that your company could face that may not be hot topics, common threats, or specifically regulated by a government agency. You may face risks specific to your industry or to your own company’s infrastructure, culture, or history. Don’t assume hackers will not think outside the box and find the means or opportunity to exploit something unique to your business.
“It Can’t Happen to Us”
Reports have surfaced (and resurfaced) indicating that Sony may not have taken a very serious view of IT security. These comments from a Sony IT executive interviewed by CIO in 2007 are chilling to read now:
“It’s a valid business decision to accept the risk,” said Jason Spaltro, who is now Sony Pictures’ senior vice president of information security… “I will not invest $10 million to avoid a possible $1 million loss.”
Ten million seems like a small price to pay now to have possibly avoided this mess. But that’s a tough call to make, and every executive faces the same question: is the expected loss (how likely an incident is, multiplied by what it would cost) greater than the expense of the controls that would reduce it? The answer will be different for every industry and every company. But the answer for your company may be different today than it was last year, and certainly different than it was in 2007. Threats are evolving, and the stakes are increasing for a potential data breach that could cost your company lost productivity, lost revenue, remediation costs, fines, penalties, and even legal costs. Has your company really considered the cost of necessary IT security improvements versus the actual costs that could be incurred by a potential security incident?
We’re All in this Together
We share an IT security tip every month that is designed to help you easily share security best practices with employees, effectively train them in bite size bits of information rather than long boring sessions, and keep a dialogue going within your company focused on IT security.
Now may be a good time, as part of that ongoing dialogue, to point out to employees that you really are in this together.
You would not have thought of Sony as a company holding significant medical or personal information. But all of the employees whose extensive personal information has now been exposed are realizing just how vulnerable they were. Making security a priority is not just about protecting the company; as we often tell our clients and those who read our articles, it is a matter of the personal safety of everyone within the company as well.
Our December security tip reminds employees that they are VIPs – their information and their access within your company make them tempting and important targets for cybercrime. We still do not know how Sony’s systems were breached. But there is speculation, and it seems plausible, that lax security practices or naiveté on the part of one or more employees could have been exploited (for example, through phishing or other social engineering) to gain the access and information the attackers needed.
Personal Information is Personal Information (Wherever You Find It)
Sony has sternly warned several news outlets that the “possession, review, copying, dissemination, publication, uploading, downloading, or making any use” of data leaked in this hack would be inappropriate and potentially illegal. News organizations do not seem to be hesitating to report the juicier information leaked about celebrities. But even high-profile public figures are entitled to the privacy of their information. With volumes of information on regular Sony employees also now in the hands of the “Guardians of Peace,” and the threat of a “Christmas gift” major release of this data, tens of thousands of private citizens have also been put at risk.
The causes and consequences of this epic attack will be studied and discussed for months if not years to come. The unique and bizarre nature of the attack, the information leaked, and the outlandish threats of the attackers make this a fascinating case. But, even with the limited understanding we have now of how and why this is happening to Sony, we can take away important lessons that any company in virtually any industry should consider for their own future security and survival.