Sony, Sony, Sony. Do you even realize what has just happened to you? Can you even comprehend the ripple effect this event will have not just on your industry, but everywhere?
So to begin with, let’s not dig into what happened or who did it. Primarily because there is still an open investigation happening and unlike others, I refuse to speculate. Who did it is not really important from my perspective.
Do I believe it was North Korea? No! Do I care who it was? No. I AM interested in how it happened and you should be too. Not because we are nosy, but to ensure it wasn’t something that our organizations could be vulnerable to. If you happen to be in the research or intel fields, then who did it may matter to you so you can identify them, track their other activities, and correlate this hack. I get it.
So rather than focus on things that we don’t know, as many sources have, let’s focus on things that we do know. At its most basic we know a couple of things. Sony had not done what they should have to protect their critical data. They did not put the level of importance into Information Security and Cyber Security (those are different things) that needed to be there to mitigate the threats they faced.
They obviously had a lack of controls externally and internally that not only allowed the attack to take place, but did not identify data being exfiltrated out of the network. Even if the hackers did have someone internally helping them, that person was only taking advantage of gaps in Sony’s security controls. I truly understand that there is no silver bullet and no way to catch everything, but come on. Some of the things that happened would, I am sure, have raised BIG RED flags had some simple controls been in place.
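As an added, defender-side illustration of the kind of “simple control” meant above (this is example code written for this page, not anything from Sony, the investigation, or any vendor), here is a small egress-volume check: it sums outbound bytes per internal host per day and flags a day only when that host’s own baseline is exceeded by a large multiple. The flow records, host names, destination addresses, byte counts and thresholds are all constructed assumptions for the example; a real deployment would read the same fields from firewall, proxy or NetFlow exports.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of outbound (egress) flow records, one per connection:
# (ISO timestamp, internal host, destination IP, bytes sent). These are
# made-up values for illustration, not data from any real incident.
SAMPLE_FLOWS = [
    ("2014-11-17T09:12:00", "ws-042", "198.51.100.20", 40_000_000),
    ("2014-11-17T14:03:00", "ws-042", "198.51.100.21", 12_000_000),
    ("2014-11-18T10:40:00", "ws-042", "198.51.100.20", 48_000_000),
    ("2014-11-19T11:05:00", "ws-042", "198.51.100.22", 55_000_000),
    ("2014-11-20T02:10:00", "ws-042", "203.0.113.10", 900_000_000),
    ("2014-11-20T03:25:00", "ws-042", "203.0.113.10", 1_500_000_000),
    ("2014-11-17T09:00:00", "ws-007", "198.51.100.20", 30_000_000),
    ("2014-11-18T09:00:00", "ws-007", "198.51.100.20", 35_000_000),
    ("2014-11-19T09:00:00", "ws-007", "198.51.100.20", 28_000_000),
    ("2014-11-20T09:00:00", "ws-007", "198.51.100.20", 33_000_000),
    ("2014-11-17T01:00:00", "srv-backup", "198.51.100.50", 5_000_000_000),
    ("2014-11-18T01:00:00", "srv-backup", "198.51.100.50", 5_100_000_000),
    ("2014-11-19T01:00:00", "srv-backup", "198.51.100.50", 4_900_000_000),
    ("2014-11-20T01:00:00", "srv-backup", "198.51.100.50", 5_200_000_000),
]


def daily_egress(flows):
    """Sum outbound bytes per host per calendar day.

    Returns {host: {day: total_bytes}} so each host's history can be
    walked in date order.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for timestamp, host, _dst, nbytes in flows:
        day = timestamp[:10]  # ISO timestamps sort lexically by date prefix
        totals[host][day] += nbytes
    return totals


def flag_egress_spikes(flows, multiplier=5.0, min_bytes=100_000_000, min_history=2):
    """Flag (host, day) pairs whose egress is far above that host's own baseline.

    A day is flagged when the host has at least `min_history` prior days of
    data, the day's total exceeds `multiplier` times the mean of those prior
    days, and the total is also above the absolute floor `min_bytes` (so a
    quiet workstation going from 2 MB to 10 MB does not page anyone).
    Flagged days are kept out of the baseline so one burst does not hide the
    next. Consistently busy hosts (backup servers) build a high baseline and
    are not flagged merely for being busy.
    """
    alerts = []
    for host, per_day in daily_egress(flows).items():
        history = []  # clean per-day totals seen so far for this host
        for day in sorted(per_day):
            total = per_day[day]
            flagged = False
            if len(history) >= min_history:
                base = mean(history)
                if total >= min_bytes and total > multiplier * base:
                    alerts.append({"host": host, "day": day,
                                   "bytes": total, "baseline": base})
                    flagged = True
            if not flagged:
                history.append(total)
    return alerts


if __name__ == "__main__":
    for a in flag_egress_spikes(SAMPLE_FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes'] / 1e9:.2f} GB out, "
              f"baseline {a['baseline'] / 1e6:.0f} MB/day")
```

On the constructed data only the workstation that suddenly pushes 2.4 GB overnight is flagged; the backup server that moves 5 GB every night is not, because the comparison is against each host’s own history rather than a single global threshold. The per-host baseline is what turns “a lot of traffic” into a red flag worth a phone call.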
This being the case, few things about this hack differ from other hacks. Someone took advantage of Sony’s weaknesses. Sony did not do enough to mitigate risk. Sony did not have appropriate controls to identify threats. And Sony did not have the proper processes in place to respond to incidents when they took place.
If you look at every hack that has taken place over the last few years, the company that was impacted failed in one or more of those areas. This isn’t the end of the world. Most of us expect to be hacked at some point in the future, though we all hope it’s either not on our watch or happens a long long long time from now. Either way, we are all in some way preparing to be, or not to be, the next hack of the day.
The threats associated with the hack that were directed at theaters are a little different. Primarily because very few, if any, hacks that I am aware of to this point crossed the line into physical security issues associated with public safety. Once this line was crossed they quickly became public enemy number one.
Funny thing is that at the same time, this hacker group has made this movie more popular than ever. I wanted to see it when I first saw the trailer, but now I REALLY want to see it and so do many other people that were never interested in the movie initially.
Now, with the extent of the extortion and complete embarrassment of Sony Executives, that’s where the similarities end. This is going to drive different conversations.
I do not recall any other time where an executive was exposed due to a data breach, except maybe HBGary, which was VERY different. There have been many called on the carpet over lack of action. Called to Congress for lack of response to an incident. But rarely ones truly embarrassed publicly due to the release of private documents.
To this point, many of us have speculated that the cost associated with a breach would drive decisions to be made at an entirely different level. In this case, pure embarrassment is going to drive these conversations.
We all know that there are emails and other documents flying around some organizations that some executives would never want to see the light of day. In Sony’s case, not only did they see the light of day, they ended up on every website, blog, and other media outlet in a very unflattering way.
This is the scariest part to many current executives. That flirtatious email, that derogatory email, that email where they actually said security was not important…lol. I am sure they exist and if they were exposed would not be flattering to the executives that sent them.
This will impact other company executives in a way we have yet to see from the current list of breaches. Though they say their organizations’ bottom lines and company brands are important, the lack of action for so many years shows that this is not as important as they “say” it is. However, sheer embarrassment and fear of public revelations of private communications would be even more impactful.
So when you look at this Sony hack, and you review the fallout from it — the sheer failure of their security program, if you can call it that — think beyond the traditional things that come to mind.
Think beyond their lack of security controls. Think beyond Sony’s inability to respond to the attack. Think beyond how it will impact Sony’s bottom line. Spend some time thinking about how public embarrassment has become the primary hurdle they are trying to clear.
What would that mean for your company? What would that mean for your organization? What would that mean for you?