The world watched the Sony hack escalate quickly from leaked emails to a full-blown international diplomatic incident. As the dust settles, and Sony Pictures co-chairman Amy Pascal adjusts to her departure, it is time for companies to take stock and consider what lessons can be learned from the incident. Here are three key takeaways from the cyber attack.
Data Exfiltration Must Be Recognized ASAP
From a cybersecurity standpoint, the most astounding thing about the attack is not the intrusion itself; it is that terabytes of data were transferred out of Sony's network without anyone noticing. This points to a critical lapse in the oversight of information security, and indicates deep flaws in Sony's risk assessment culture, flaws that are undoubtedly shared by other organizations.
At its heart, this cyber attack was not particularly sophisticated. It began with the kind of email phishing that security experts have long warned about, and it used unsophisticated malware that was allowed to move through Sony's network unopposed. Investigators were able to pinpoint the simplistic nature of the attack almost immediately, which raises the question: if the attack left such an obvious footprint behind, why wasn't it noticed while it was happening?
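Noticing an exfiltration of this size while it is happening requires a baseline of what "normal" outbound volume looks like for each host, and an alert when a host departs from it. The script below is an added example, not code from this article or from Sony: it parses constructed flow-log lines (the field layout, the 10.0.0.0/8 internal range, the dates, the hosts and the thresholds are all assumptions), totals bytes leaving the network per internal host per day, and flags any host whose latest day sits far above its own history.

```python
"""Egress-volume baselining over flow records.

Added example, not code from the original article. Parses constructed
flow-log lines, totals bytes leaving the internal address range per source
host per day, and flags hosts whose most recent day is far outside their own
baseline. Field layout is assumed: ISO timestamp, src_ip, dst_ip, dst_port, bytes.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Assumed internal range; a flow "leaves the network" when src is internal and dst is not.
INTERNAL_PREFIX = "10."

# Constructed sample data, five days of flows. 10.1.1.20 is quiet for four days and
# then pushes 40 GB to one external host overnight; 10.1.1.21 is steady; 10.1.1.22
# moves a lot of data but only to an internal file server; one flow is inbound.
SAMPLE_FLOWS = """\
# ts src dst dport bytes
2014-11-17T09:12:00 10.1.1.20 203.0.113.5 443 60000000
2014-11-17T14:40:00 10.1.1.20 203.0.113.5 443 40000000
2014-11-17T10:00:00 10.1.1.21 203.0.113.9 443 80000000
2014-11-17T11:00:00 203.0.113.5 10.1.1.20 443 5000000
2014-11-18T09:30:00 10.1.1.20 203.0.113.5 443 110000000
2014-11-18T10:00:00 10.1.1.21 203.0.113.9 443 80000000
2014-11-19T09:30:00 10.1.1.20 203.0.113.5 443 95000000
2014-11-19T10:00:00 10.1.1.21 203.0.113.9 443 80000000
2014-11-20T09:30:00 10.1.1.20 203.0.113.5 443 105000000
2014-11-20T10:00:00 10.1.1.21 203.0.113.9 443 80000000
2014-11-21T02:10:00 10.1.1.20 198.51.100.7 443 25000000000
2014-11-21T03:45:00 10.1.1.20 198.51.100.7 443 15000000000
2014-11-21T10:00:00 10.1.1.21 203.0.113.9 443 80000000
2014-11-21T02:30:00 10.1.1.22 10.2.0.5 445 30000000000
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; skips blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def daily_egress(records):
    """Sum bytes leaving the internal range, keyed by internal source host then by day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["src"].startswith(INTERNAL_PREFIX) and not r["dst"].startswith(INTERNAL_PREFIX):
            totals[r["src"]][r["ts"].date()] += r["bytes"]
    return totals


def find_egress_anomalies(totals, min_days=3, z_threshold=3.0, min_bytes=500_000_000):
    """Compare each host's most recent day against its own earlier days.

    A host is flagged when its latest day exceeds min_bytes (so tiny hosts do not
    generate noise) and lies more than z_threshold standard deviations above the
    mean of the earlier days. The spread is floored at 5% of the mean so a host
    with a perfectly flat history does not divide by zero or alert on a trivial rise.
    """
    anomalies = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        if len(days) < min_days + 1:
            continue  # not enough history to baseline against
        latest = days[-1]
        history = [per_day[d] for d in days[:-1]]
        mean = statistics.mean(history)
        spread = max(statistics.pstdev(history), 0.05 * mean, 1.0)
        z = (per_day[latest] - mean) / spread
        if per_day[latest] >= min_bytes and z > z_threshold:
            anomalies.append({"host": host, "day": latest.isoformat(),
                              "bytes": per_day[latest], "baseline_mean": mean, "z": z})
    return sorted(anomalies, key=lambda a: a["z"], reverse=True)


if __name__ == "__main__":
    for a in find_egress_anomalies(daily_egress(parse_flows(SAMPLE_FLOWS))):
        print(f"{a['host']} on {a['day']}: {a['bytes'] / 1e9:.1f} GB out "
              f"(baseline {a['baseline_mean'] / 1e6:.0f} MB/day, z={a['z']:.0f})")
```

In practice the records would come from NetFlow/IPFIX, firewall or proxy logs rather than a string, and the per-host baseline would be kept over weeks rather than four days. Two things in the sample are worth noting: the 30 GB that 10.1.1.22 moves to an internal server is deliberately not flagged, because volume inside the network is a different question from volume leaving it, and the 40 GB from 10.1.1.20 goes to a single external destination at 2 a.m., so destination concentration and time of day are natural second and third signals to add once the volume baseline is in place.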
Recognizing Vulnerability and the Myth of Total Protection
Sony clearly underestimated its vulnerability to a serious network intrusion, but the same is undoubtedly true of most companies. Nearly every organization is behind the times where cybersecurity is concerned, for the simple reason that the threat landscape has changed dramatically in a short period of time.
While the details of the risk may change from year to year, there are foundational stances a company can adopt to keep its guard up. Chief among these is the willingness to say, "We are all vulnerable, and nobody is completely protected."
Internet connectivity is essential to business, but every connection is also an attack surface, and Sony appears to have lost sight of that.
Evaluating Risk Tolerance
Sony executives may have valued the internet's ability to keep them constantly connected, but they probably spent very little time asking what would happen if all of those emails, along with troves of other data, were released to the world. Their sense of security turned out to be an illusion, and it collapsed spectacularly.
Sony's actual risk exposure was high, especially given its information security setup. Its leaders may have believed they took network security seriously and tolerated little risk, but the company's infrastructure said otherwise. Sony Computer Entertainment had learned a hard lesson in the 2011 PlayStation Network breach, but Sony Pictures had not: its network, security culture, and procedures received none of the reforms the Computer Entertainment division adopted.
Instead, Sony Pictures relied on a single layer of protection, an approach that does not hold up against modern threats. Once that one layer was compromised, nothing else stood between the attacker and the rest of the network.
A culture that anticipates risk and seriously considers its consequences must be built company-wide, from the top to the bottom and back again. This is a crucial part of taking responsibility for the company's duty to itself, its customers, and its business partners.
Facing the Cybersecurity Future
This cyber attack is an opportunity for every business to re-examine its attitude toward the threat to its own information infrastructure. Sony clearly neglected its security infrastructure and has suffered the consequences. Businesses that accept that a network intrusion is a real possibility, and build a company-wide culture that watches for it vigilantly, will have taken a big step toward avoiding Sony's mistakes.
To learn more about protecting your business against various types of attacks, check out our free webinar on social engineering.