This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Subscribe
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2018
      • ASIS 2017
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
  • InfoCenters
    • Video Management Systems
  • Contact
    • Editorial Guidelines
  • Advertise
Home » 8 Lessons to Learn from the Sony Breach
Cyber Security News

8 Lessons to Learn from the Sony Breach

cyber_900
September 15, 2015
Tom DeSot
KEYWORDS cyber attacks / employee training
Reprints
One Comment

Last year, Sony Pictures Entertainment suffered one of the largest and most public cybersecurity breaches in history. Seemingly overnight, it went from a well-respected entertainment company to the target of media-driven backlash from embarrassing leaked emails and documents, not to mention an apparent lack of preparedness to protect employee and customer data. While no security solution can guarantee you won’t be breached, we can learn from Sony’s mistakes and take steps to minimize risk.

Everyone is a Target

In Sony’s case, past hacks should have been a clear indicator they were at risk. Despite fallout from past breaches, the company did not take proper steps to protect itself. While you may think Sony was targeted because of its size or prestige, the reality is that organizations of all sizes have valuable information that someone out there wants. Don’t ignore the warning signs. Realize you’re a target and take action to protect yourself.

Put Qualified and Proactive People in Information Security Roles

A recent article on the Sony breach included a third-party account detailing the lack of basic security precautions at Sony headquarters. Guests were left to wander without an escort, and administrative computers were logged in and left unattended. This lack of basic protocol suggests they either didn’t know better or their leaders weren’t enforcing the rules. These may seem like minor concerns, but it’s actually a welcome mat for hackers. It’s imperative that companies employ experts who know what security precautions to take and are committed to seeing them through.

Don’t Make a Hacker’s Job Easy

It has been reported that Sony’s network lacked some of the basic protections, such as two-factor authentication or encrypted data, which could have minimized the amount of data hackers took. Once hackers breached Sony’s initial defenses, they had carte blanche to find and retrieve data they wanted. Consider putting secondary protections into place at your company to make it harder for hackers to get information once they’re in the network.

Prioritize Employee Training

With security technology, policies and protocols, and employee behaviors all lacking at Sony, it’s evident that cybersecurity training was not a priority. We don’t know if employee actions led to the breach, but Sony’s security practices suggest they were unprepared to deal with common social engineering tactics. Basic password missteps or human kindness – an eagerness to please – can lead to breaches. That’s why it’s imperative that employees know the risks and how to deal with them.  

Put a Vulnerability Management Solution in Place

When hackers breached Sony’s systems, the massive file transfers did not set off alerts. While they may have had the right tools in place, it’s possible their team wasn’t properly managing them.  It’s important to not only have the right tools, but also to actively monitor and manage your vulnerabilities.

Don’t Let Information Security Operate in a Silo

In Sony’s case, making a controversial movie about killing the living dictator of a nation known for cyberattacks should have triggered recognition of the need for increased protections. If your information security department isn’t actively communicating with other departments, your company likely is facing risks you’re unaware of, and therefore can’t mitigate.

Get Executives on Your Side

Before the breach, Sony’s then-executive director of information security (current SVP of information security) made a now infamous cybersecurity quote: “I will not invest $10 million to avoid a possible $1 million loss.”  While he isn’t technically wrong, what’s missing from this equation is perspective on what security options might be cost-effective for your business. Also, evaluating the “total cost” of security breaches must include consideration of the significant and long-term reputational damage. Security needs should be prioritized based on your total strategic risk. The right mix of solutions, at the right price, can be found. Presenting them to executives with proper context can be the key to ensuring you win approvals to put the most effective protections in place.

Learn from Past Mistakes

It took one of the worst hacks in history before Sony took steps to increase its security. They’ve now made significant changes and investments, but it came at both tangible and reputational costs. Don’t wait until you’ve been breached to do something about it.

In today’s world, information is business.  When it comes to cybersecurity, all companies – big or small – should be proactive in their efforts to manage risks. Everyone is a target, and it should be every organization’s priority to protect the information of their employees, customers and partners.

Subscribe to Security Magazine

Tom-desot
Tom DeSot, IAM, is the Executive Vice President and Chief Information Officer for Digital Defense. In this role, he is charged with developing and maintaining relationships with key industry and market regulators, functioning as the “face of DDI” through public speaking initiatives, and serving as the prime regulatory compliance resource for external and internal contacts. He also serves as the company’s internal auditor on security-related matters. DeSot holds the National Security Agency’s INFOSEC Assessment Methodology Certification and is formally trained in the OCTAVE Risk Assessment Methodology.

Related Articles

5 Cybersecurity Lessons Learned from the Super Bowl

Lessons Learned from Security at the 2014 World Cup

Top Lessons Learned from the Security 500 Conference

Three Lessons to Learn from Aviation Checkpoints

Related Products

The Complete Guide to Physical Security

Optimizing Social Media from a B2B Perspective

The Database Hacker's Handbook: Defending Database Servers

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws 2E

Related Events

Active Shooter Mitigation and Response – Lessons Learned

From Here to There - Advancing in the Security Field

All Hands on Deck! School Security Technology and its Convergence with the Learning Environment

The Better Mouse Trap: Continuous Learning through Incident Analysis

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

security-center

The Top 5 Reasons Why Your Security Program Needs Intelligence Personnel

Globe

Which Countries Have the Worst and Best Cybersecurity?

SEC0219-cover-Feat-slide_900px

The Road to CSO: Meet Microsoft's New Security Leader

password1-900px.jpg

New Vulnerabilities Found in Top Password Managers

password1-900px.jpg

How Americans Leave their Personal Info Open to Thieves

20180226SEC_DataminrFeb_360x184customcontent

Events

February 26, 2019

Harness Real-time Public Information to Improve Active Shooter Response

Corporate security teams hope never to respond to an active shooter situation. But given today’s realities, companies spend a great deal of time developing guidelines, holding training sessions, and carrying out drills to ensure that their staff will be prepared in case an active shooter event occurs.
March 7, 2019

Finding Your Physical Security Blind Spots with Artificial Intelligence (A.I.)

Security infrastructures are undergoing a digital transformation with growing adoption of intelligent access control, video surveillance and analytics as well as IoT devices and sensors – generating more data to than ever before. Harnessed properly with artificial intelligence and a risk-based model, this data can be exposed and leveraged to improve life safety, minimize risk and increase operational efficiency.
View All Submit An Event

Poll

Employee Background Screening

How Often Does Your Organization Conduct Background Screening on Employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
Security-500

Security Magazine

SEC-Feb-2019-Cover_144px

2019 February

In Security’s February 2019 issue, meet Brian Tuskan, Microsoft's New Security Leader. Learn how he has used technology, his reputation, networking and a desire to help people to become Microsoft’s new CSO. Read about the Next Generation of White Hat Hackers, How to Evaluate Security's Role, and more.

View More Subscribe
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing