It was one thing when the after-effects of the Sony hack centered mainly on the release of distasteful e-mails, the exposure of confidential employee information and the unauthorized distribution of movies that had not yet reached theaters. However, in recent days the nature of the threats from the hackers has dramatically escalated. All of this leaves executives at other companies wondering just what—if any—information is actually secure anymore.
As an editorial in the Chicago Tribune noted, the humor went out of the spectacle when the hackers sent a message to all Sony employees warning: “Not only you but your family will be in danger.” Since then, threats have been directed at the New York premiere of Sony’s movie “The Interview” on December 25 and at theaters that show the film.
The threat, which invoked the Sept. 11, 2001 terrorist attacks, has been widely reported over the past couple of days. It also warned that people should avoid going to theaters where “The Interview” is playing.
It was no surprise then that theaters and chains began to announce they would not screen the film. Later today, Sony announced it would cancel next week’s planned release of “The Interview,” after most of the country’s largest theater chains had decided not to show it.
The larger risk for Sony, for every company and, really, for every individual is the now-common theft of sensitive digital information. Consider that over the course of the past year, the list of victims includes retailers Target and Home Depot, and JPMorgan Chase—the nation’s largest bank. Then again, the White House, State Department, Postal Service and National Oceanic and Atmospheric Administration have all been hacked as well.
“What this shows is that the IT guys tell the board and top management they’ve got the problem under control, and everybody goes back to business as usual,” says Adam Epstein, a corporate consultant with Third Creek Advisors, in a Bloomberg Businessweek article by Paul M. Barrett. “The weaknesses you see at Sony and other companies, large and small, can’t be fixed by installing one more firewall or some new antivirus software. By the time the good guys zig, the bad guys are already zagging.”
Furthermore, the malware used against Sony Pictures “would have gotten past 90 percent of the net defenses out there today in private industry,” Joseph Demarest, assistant director of the FBI’s cyber division, recently told the Senate Banking Committee, the Businessweek article reports.
Be that as it may, another misstep by Sony was that files were plainly labeled. Instead, Sony’s most valuable material—contracts with actors, directors, and investors and such intellectual property as unreleased films and scripts—ought to have been isolated from central data-storage systems connected to the Internet so that it would be much more difficult to find, Epstein says in the Businessweek article. This would require essentially non-technical decisions to invest manpower and money that could transform the castle keep into more of a labyrinth, he explains.
The simplest takeaway from the Sony situation is that too many companies have a laissez-faire attitude about e-mail. For instance, much of the sensitive information that was hacked from Sony was either in e-mail or in documents attached to e-mail. Security experts often warn that all employees—from the CEO down—should restrict e-mail content to what wouldn’t be damaging if it were lost.
In the end, I think there are more questions than answers. For example, are people now numb to the ever-increasing threat of cyber-attacks? Secondly, what if instead of Sony, the hacking victim was a global manufacturer and its intellectual property was stolen? Even more troubling, what if the hacking concerned municipal infrastructure and resulted in a power-grid failure or other large-scale disaster?