The Sony hack and subsequent damage control should mean something to every business owner
The security industry has been warning the public about cybersecurity for so long that every time the world hears the word “breach,” it sounds just like “wolf!” For retailers and those responsible for securing credit card data, the Target breach in late 2013 probably changed that forever; for the rest of business owners, the Sony breach may mark that high-water moment.
I would venture that the vast majority of cyber and data breaches are motivated by greed — people who want to get their hands on credit card numbers or social security numbers so they can buy as much as they can with someone else’s money; or steal an identity so they can buy as much as they can with someone else’s money. Sony has changed that, at least from a large corporate perspective. The hackers behind the Sony breach — who U.S. intelligence officials reportedly believe are somehow affiliated with North Korea — aren’t truly motivated by your money. Yes, there are "hacktivist" groups like “Anonymous” that attack entities as a punitive measure to right what they perceive as a social or moral wrong. This breach seems to have taken that to a whole new level.
On Thursday, Sony announced it will no longer be releasing its movie, “The Interview.” Whether or not you think this is a cowardly or short-sighted move, the implications are multi-fold, but chief among them is: cyber fears translate into real-world ones.
Lessons for Business Owners
If the Sony breach teaches you anything as a business owner, it should be to pick up the phone — you know, that thing on your desk that you rarely want to touch unless you are a salesperson. The hacked Sony emails and internal memos exposed sacred information from healthcare needs and medical records of its employees, to privileged information about revenues and salaries, to private conversations about all kinds of things related to movie making. Unless you plan to protect all of the privileged information that you keep as a business, it may be best to keep it inaccessible.
“Cyberattacks are now becoming a worryingly effective tool for spreading fear and economic damage,” says Brendan Rizzo, Technical Director for Voltage Security, a cyber-protection firm. “This is why it is so important that companies give their utmost attention to protecting their sensitive customer, employee and company data in a best-practice, data-centric manner to shield themselves from any such attacks, including encrypting emails to protect sensitive information.”
This goes for security firms as much as any other business. Could you imagine the nightmare scenario of your internal documents and emails being made public? Putting aside the utterly devastating embarrassment factor for a moment (a real-life pipe dream of course), what would your clients and prospects think of a security company that couldn’t keep its own information secure? Sure, North Korea may not be hacking into your accounts, but have you considered an unscrupulous competitor — someone who wanted to move into your service market or area — who could do the same thing? Unlikely? Of course…but it's possible.
“Too many organizations have flawed security protecting their data, they know it, and there are people yelling about it to executives who continue to demand passwords be emailed to them when they forget,” says Jonathan Sander, Strategy & Research Officer for STEALTHbits Technologies. “As those executives read these news stories and see themselves in these people, maybe it will be a catalyst for change.”
To quote the great singer Bob Marley: “Before you start pointing fingers...make sure you hands are clean.” You may not offer cybersecurity services, or you may be running a small business — but as a security company in any capacity, you had better be using them. The ramifications of not doing so could be catastrophic to your company.
Paul Rothman is Editor-in-Chief of Security Dealer & Integrator magazine (www.secdealer.com).