Sony Hack: A Turning PointBreach Will Lead More CEOs, Boards to Take Action
Like the Target data breach a year ago, the Sony Pictures Entertainment hack that's grabbed headlines in recent weeks will prove to be a catalyst for change, grabbing the attention of CEOs and board members and spurring them to beef up information security.
The incident is already sending a strong reminder that organizations shouldn't just be worried about the compromise of payment cards and other customer information; intellectual property is also at risk.
CISOs are now in the hot seat to see that their organization doesn't have its own 'Sony breach.'
While we still don't know the full extent of the damage at Sony, some security experts are already calling it a "game changer," in part because hackers used destructive "wiper" malware known as "Destover," or "Wipall," to infect and erase hard drives at Sony Pictures. It's apparently the first time such an attack has been launched against a U.S. organization (see: Sony Hack: 'Destover' Malware Identified). Attackers also stole and have begun releasing many gigabytes - and potentially terabytes - of Sony data, although it's not yet clear why.
"[The attack] was deliberate, sophisticated, targeted and malicious," says Mark Rasch, a former federal prosecutor who created the computer crime unit at the Department of Justice. "It was aimed at Sony, its officers, directors and management. It was intent on causing harm or damage. And it may have been state-sponsored."
One possible, although seemingly far-fetched, explanation for the Nov. 24 hack attack, some security specialists say, is that it was commissioned by the government of North Korea in retaliation for Sony's forthcoming comedy film, The Interview, in which a tabloid TV reporting team, heading to Pyongyang to interview dictator Kim Jong-Un, is approached by the CIA to kill him instead.
While referring to the film as a "terrorist act," however, North Korean officials have denied having any ties to the Sony hack. But in a statement issued Dec. 7, a spokesman for the country's National Defense Commission referred to it as a "righteous deed" that may have been launched by its "supporters and sympathizers" (See: Sony Suffers Further Attacks).
Sony Will Dominate Security Conversations
The Target breach offers a useful comparison to the Sony attack. Discovered in December 2013, the Target breach exposed 40 million payment card numbers and personal details of 70 million customers. As a result, Target faced millions in breach response costs, uprooted its executive team, and was forced to submit to several Congressional hearings (see: Target Breach: By The Numbers).
Thus, it's not surprising that one year later, the Target breach still dominates information security discussions.
Now the Sony hack - thanks to its size and drama - will dominate security discussions well into 2015. And clearly, there's still plenty of security work to be done. Indeed, if the Sony hack highlights one pervasive security shortcoming, argues management consultant and information assurance trainer William Hugh Murray, it's that too many organizations' networks are still quite "flat." As a result, compromising one user's credentials too often allows an attacker to "own" the whole network. And that opens the door for plenty of mischief.
Sony's attackers, for example, grabbed and posted five unreleased films - core assets for the movie studio. "The Sony breach should be taken as proof positive that intellectual property and entire organizations are now real targets for cyberthreats - not just imagined," says Tom Wills, director of consulting firm Ontrack Advisory. "We're going to see more of these attacks in the coming months and years."
The Sony breach will give more CISOs the board-level visibility that they need to get their jobs done. But as Wills notes: "That visibility will come at a price, though, with CISOs now in the hot seat to see that their organization doesn't have its own 'Sony breach.'"
Will CEOs' and board members' enhanced security awareness, post-Sony, be short-lived? That's what Tom Chapman, director of the security operations group at computer security firm EdgeWave, fears. "This will last for a while, and then once the media buzz around it dies down, CEO interest in it will probably die down as well."
In the wake of any high-profile breach, Chapman says, senior executives often review their organization's security posture and commit to some required improvements - and investments. Subsequently, however, it's all too easy for them to again become security-complacent.
Falling into complacency may be easy, but it certainly can prove costly if your organization is the next mega-breach victim.