On the hacking scale, the attack on Sony Pictures’ computer systems is pretty much the worst-case scenario for any business.
The amount of data breached is shocking: scripts were leaked, and as-yet unreleased movies were also stolen and uploaded to pirate movie download sites.
Social Security numbers and details for a trove of big stars, including superstars like Sylvester Stallone, were also published online, in addition to Social Security numbers of 47,000 current and former Sony Pictures employees.
Furthermore, many employees’ computers were compromised, with all of the data stolen before the malicious software the hackers installed wiped entire hard drives clean.
The financial damage could easily reach into the hundreds of millions of dollars. And while it’s surmised that the North Korean government was behind the hack, the attack illustrates what could become the future of corporate warfare.
Imagine companies hiring overseas gangs to infiltrate a competitor’s databases.
Sound far-fetched? You shouldn’t bet on it. The Sony hack has set a new bar for cyber espionage and sabotage.
Anyone who runs a business – whether it’s a mom-and-pop shop or a multinational behemoth like Sony – needs to pay close attention to what happened, and begin to take data security seriously.
Though even the FBI has said that few companies – as few as 10% – could have prevented an attack like the one that targeted Sony, much of the damage could perhaps have been avoided had the company had better data-security protocols in place.
Claiming helplessness in the face of a big hack is not a good strategy. A breach is often an enterprise-level problem.
Sony’s teachable moment is that security has to start at the top and must be part of a company’s corporate culture.
Any time a hack is perpetrated, company leaders can wind up in the spotlight, whether their personal e-mails were leaked or not. Management must learn to demonstrate a level of sophistication, nuance, sensitivity and respect when communicating internally.
Also, the Sony hack shows that many managers are too flippant in their e-mail exchanges, which can often include harsh criticisms of others. It could even be argued that the lack of respect exhibited in e-mails shows up elsewhere in companies – such as a lackadaisical attitude towards data security that puts personally identifiable information of employees at risk.
To be sure, few companies put under the microscope like Sony would come out looking clean. Is it unreasonable to ask for spotless behavior throughout your organization? Of course it is. Given the reality, however, it’s wise to assume you’ll eventually be hacked. So be good… or at the very least consider picking up the phone if you have something to say that you wouldn’t want to be broadcast on the evening news.
Take care of your assets
In the case of Sony, films were stolen, as were a lot of other assets, including scripts, budgets and even contract negotiations. How can this be prevented?
The first step for companies is to truly take ownership of their assets. Ownership is a state of mind that requires upkeep and vigilance to protect what’s yours. Ownership creates security. Ultimately, this starts with corporate leadership, since fostering a sense of ownership among employees is a trickle-down process.
Maintain a strong culture
A strong corporate culture is constantly evolving. It stays ahead of the curve through clear leadership and a culture where employees feel invested in their work, i.e., they take ownership of the tasks assigned to them. A state of readiness through a culture that puts security first is the only way an attack can be properly contained and managed.
The reality is that any company – whether it’s the size of Sony Pictures or a local online retailer – can be put out of commission in such a spectacular and specific way.
Back up your data – The backup should include the operating system, application software, and data on a machine. Multiple backups should exist in different locations.
Network monitoring – The annual “Verizon Data Breach Investigations Report” consistently points out the need for organizations to monitor security systems. It recommends the use of software that can identify suspicious patterns that could signal an attack in progress.
Antivirus not good enough – The group behind the Sony attack reportedly used destructive malware, wiping the hard drive and the boot loader, making systems virtually unrecoverable. A new class of advanced threat detection and breach detection solutions is available and can inspect both network traffic and endpoint systems for subtle signs of an infection.
Password management – Employees should be trained to use strong passwords. Passwords for different accounts should be different. When possible, single sign-on should be implemented to avoid password fatigue. IT policies should dictate how often employees change passwords and enforce stronger password creation.