The cyber-attack that exposed data security flaws at Sony Pictures just before Thanksgiving showed the entertainment industry—and, essentially, any large company—that every company has its vulnerabilities.
On the one hand, some critics have accused Sony of having lax controls. Whether that’s true or not, the uncomfortable truth is that organizations need to balance security with the needs of running a business, creating inevitable vulnerabilities, says Paul Proctor, chief of research for security and risk management at Gartner, in an article on the Guardian.
“The only way to fully protect yourself from something like this is to shut down your business,” Proctor says in the Guardian article. “A dedicated enemy with sufficient resources can compromise any security system. There is no such thing as perfect protection. This is just a demonstration of it. People who believe they can be protected are likely to have their trust shaken by reality.”
Sony employees in Los Angeles discovered the security breach when they logged-on to computers and were greeted with the image of a red skeleton and a mocking message: “Hacked By #GOP.” This allegedly is a reference to a group calling itself Guardians of Peace. In addition to leaking a number of both current and upcoming films, the hackers posted Sony employee passwords, employee performance appraisals, salaries and other sensitive information on-line.
The FBI is investigating. Additionally, earlier this week, the bureau issued a confidential five-page flash warning to security administrators at American corporations about a recently discovered form of destructive malware. The warning did not name Sony in the warning, but said that the malware was written in Korean and was “destructive” in nature. It commands a computer to sleep for two hours, after which the computer is shut down, rebooted and directed to start wiping all of its files, the agency said.
Nevertheless, the use of the Korean language in the malware may be a red herring. Security experts note that it is easy to insert fake Korean-tinged data into the malware and the Sony attack could very well be the work of disgruntled employees or former employees.
That possibility reminds me of a report earlier this fall, in which the Department of Homeland Security (DHS) and the FBI jointly announced they have seen an increasing exploitation of business networks and servers by disgruntled and/or former employees. Some of these cases have resulted in significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company.
Perhaps more troubling is that a review of FBI cyber investigations shows that the cost to businesses for these attacks by disgruntled or former employees ranges from $5,000 to $3 million, per attack. Businesses reported various factors were used to create those cost estimates, including calculating the value of stolen data, assorted information technology services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers, and the purchase of credit monitoring services for employees and customers affected by a data breach.
What are your thoughts on cyber-security? From a damages point of view, there is no difference whether an attack was perpetrated by a disgruntled employee, a former employee or someone else. Be that as it may, is your company prepared for any type of cyber-attack?