8 Lessons to Learn from the Sony Breach

September 15, 2015

Last year, Sony Pictures Entertainment suffered one of the largest and most public cybersecurity breaches in history. Seemingly overnight, it went from a well-respected entertainment company to the target of media-driven backlash from embarrassing leaked emails and documents, not to mention an apparent lack of preparedness to protect employee and customer data. While no security solution can guarantee you won’t be breached, we can learn from Sony’s mistakes and take steps to minimize risk.

Everyone is a Target

In Sony’s case, past hacks should have been a clear indicator they were at risk. Despite fallout from past breaches, the company did not take proper steps to protect itself. While you may think Sony was targeted because of its size or prestige, the reality is that organizations of all sizes have valuable information that someone out there wants. Don’t ignore the warning signs. Realize you’re a target and take action to protect yourself.

Put Qualified and Proactive People in Information Security Roles

A recent article on the Sony breach included a third-party account detailing the lack of basic security precautions at Sony headquarters. Guests were left to wander without an escort, and administrative computers were logged in and left unattended. This lack of basic protocol suggests they either didn’t know better or their leaders weren’t enforcing the rules. These may seem like minor concerns, but it’s actually a welcome mat for hackers. It’s imperative that companies employ experts who know what security precautions to take and are committed to seeing them through.

Don’t Make a Hacker’s Job Easy

It has been reported that Sony’s network lacked some of the basic protections, such as two-factor authentication or encrypted data, which could have minimized the amount of data hackers took. Once hackers breached Sony’s initial defenses, they had carte blanche to find and retrieve data they wanted. Consider putting secondary protections into place at your company to make it harder for hackers to get information once they’re in the network.

Prioritize Employee Training

With security technology, policies and protocols, and employee behaviors all lacking at Sony, it’s evident that cybersecurity training was not a priority. We don’t know if employee actions led to the breach, but Sony’s security practices suggest they were unprepared to deal with common social engineering tactics. Basic password missteps or human kindness – an eagerness to please – can lead to breaches. That’s why it’s imperative that employees know the risks and how to deal with them.

Put a Vulnerability Management Solution in Place

When hackers breached Sony’s systems, the massive file transfers did not set off alerts. While they may have had the right tools in place, it’s possible their team wasn’t properly managing them. It’s important to not only have the right tools, but also to actively monitor and manage your vulnerabilities.

Don’t Let Information Security Operate in a Silo

In Sony’s case, making a controversial movie about killing the living dictator of a nation known for cyberattacks should have triggered recognition of the need for increased protections. If your information security department isn’t actively communicating with other departments, your company likely is facing risks you’re unaware of, and therefore can’t mitigate.

Get Executives on Your Side

Before the breach, Sony’s then-executive director of information security (current SVP of information security) made a now infamous cybersecurity quote: “I will not invest $10 million to avoid a possible $1 million loss.” While he isn’t technically wrong, what’s missing from this equation is perspective on what security options might be cost-effective for your business. Also, evaluating the “total cost” of security breaches must include consideration of the significant and long-term reputational damage. Security needs should be prioritized based on your total strategic risk. The right mix of solutions, at the right price, can be found. Presenting them to executives with proper context can be the key to ensuring you win approvals to put the most effective protections in place.

Learn from Past Mistakes

It took one of the worst hacks in history before Sony took steps to increase its security. They’ve now made significant changes and investments, but it came at both tangible and reputational costs. Don’t wait until you’ve been breached to do something about it.

In today’s world, information is business. When it comes to cybersecurity, all companies – big or small – should be proactive in their efforts to manage risks. Everyone is a target, and it should be every organization’s priority to protect the information of their employees, customers and partners.

Tom DeSot, IAM, is the Executive Vice President and Chief Information Officer for Digital Defense. In this role, he is charged with developing and maintaining relationships with key industry and market regulators, functioning as the “face of DDI” through public speaking initiatives, and serving as the prime regulatory compliance resource for external and internal contacts. He also serves as the company’s internal auditor on security-related matters. DeSot holds the National Security Agency’s INFOSEC Assessment Methodology Certification and is formally trained in the OCTAVE Risk Assessment Methodology.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.