It’s been said often, and more so recently, that it’s a question of “when” not “if” a data breach will beset your company.
Therefore, it could be argued that “information security is only as effective as the response it generates. A structured response ensures that an incident is recognised early and dealt with in the most appropriate manner, and minimises damages to your organisation in terms of reputation, costs of dealing with the incident, regulatory concerns such as Data Protection, and the ability to prosecute those behind the incident.”
If you work for a security vendor, please use Sony as an excuse to talk to your marketing and PR about how NOT to approach press & customers
— Martin McKeay (@mckeay) December 19, 2014
Of course, some organisations are better prepared than others in the aftermath of a breach or significant hack, and that, unfortunately some may argue, plays out under the eyes of not only the information security community but, increasingly, mainstream media too.
That increased exposure to scrutiny can have a devastating effect upon a company if it is perceived to have not taken adequate security measures, such as in the case of Sony who, it is alleged, “failed to secure its computer systems despite earlier hacking threats and warnings that its computer system was vulnerable to infiltration.” As a result, the company is now being sued by ex-employees.
Commenting on this development, Philip Lieberman, CEO and President of Lieberman Software Corporation, said:
“This attack represents a worst case scenario where every machine and asset owned by Sony that was connected to their network was compromised and made available to a hostile outside group. Effectively Sony lost the ownership of their company to an outside group due to poor security and this outside organization decided to terrorize their employees and damage their assets as well as humiliate them in private and in public as a demonstration of their power.
The situation of public humiliation is unprecedented, but the total loss of control of an organization is common in both the USA and around the world. The common cause of the problem is a lack of understanding by CEOs as to their role in cyber defense and their delegation to others in the organization of this responsibility, but without the power to operate effectively.
This scenario will play out again and in even worse forms.
The lawsuits against Sony for lack of reasonable care for security of its employee personal information have significant legs to them. Sony was capable of protecting the sensitive data in question (or at least minimizing the amount of data lost), but purposely chose not to do so for cultural and financial reasons. It will be very difficult for them to defend themselves against these lawsuits since their competitors were well able to sustain themselves against the same attacks (coincidentally using our technology).
Kevin Mandia’s quote (for Sony, it looks like a ‘get out of jail free card’) that the attack and its consequences were unprecedented and could not be defended against rings hollow, was self-serving and factually incorrect – they were foreseen (they are part of a well-worn pattern), are regularly rebuffed, and the consequences could have been minor. If anything, the expensive mitigation by Mandiant would not have been needed had Sony used appropriate technology to secure administrative credentials. Should Sony not deploy a robust privileged identity management system, they will be a repeat customer of Mandiant or another remediation company.
These lawsuits are the beginning of a groundswell of litigation that will pit corporate CEOs against the public where they will have to defend their behaviour of reduction of IT costs vs. taking reasonable care in the handling of their security. This is also a failure of the US Government to provide clear guidance to private enterprise as to what is “reasonable care” in IT security.
Up until now, many CEOs felt comfortable with a friendly IT audit report in their pocket combined with third party cyber-warfare insurance, while keeping up the constant drumbeat of ever greater reductions in IT operation costs. If there is no clear guidance on ‘what is enough’, apparently ‘nothing much’ has been the IT security strategy of many companies.
Sony’s board of directors will uncover the incompetence of the IT audit firm used by the company that completely failed to surface these issues prior to the attack. No doubt that Sony will add their audit firm to the lawsuits and most likely their auditing firm will end up paying the price of these lawsuits and others yet to come based on gross negligence on their part.”
Scathing indeed, but does he not have a point?
What could Sony have done better?
Could the hack have been prevented (my opinion: not necessarily, but the response could have been better)?
Has a case been made for taking information security more seriously and moving it away from being a mere tickbox exercise (probably, but will other organisations learn from it)?