9 Information Security Lessons Learned From the Sony Hack

information security lessons learned

You have no doubt heard the news about hackers infiltrating Sony’s internal systems. I find the implications to be astounding. For instance, the company has decided not to release the film “The Interview,” which was expected to gross over $130 million.

This incident reminded me of a conversation I had more than ten years ago with a client who told me that information security would one day be a huge business. Of course, in my infinite wisdom, it went in one ear and out the other. That business owner has since sold his company and is living very comfortably, while I continue to work every day.

Here are a few lessons we can all learn from the Sony hack:

  1. Be diligent about safeguarding passwords, especially at the top. The hackers didn’t steal passwords from the rank and file; they mostly targeted corporate executives who had access to almost all of the company’s files and sensitive information. On that note, you may also want to consider limiting access to your most sensitive files even for top executives in case their accounts are hacked.
  2. Monitor the outflow of information from your computer systems. By the time Sony recognized the problem, over 100 terabytes of information had been stolen. As a point of reference, this equates to the entire printed collection of the Library of Congress. Proactive monitoring can help identify and stop leaks before they become large scale.
  3. Protect your most valuable assets and don’t allow electronic access to this critical information. Sony had four unreleased films that wound up being distributed online as a result of the hack. Executive compensation and salaries for more than 6,000 employees were made public. Embarrassing e-mails were leaked and taken out of context. You may not be in the movie business, but every company has information it doesn’t want to become public. Limit access to your most sensitive information to prevent issues like these from happening to your organization.
  4. Have back-up plans in place in the event of a breach. Five days after the breach, Sony’s computer system was still inoperative. In today’s era of 24×7 business, this amount of downtime can cripple an organization.
  5. Write e-mails as if they could become public knowledge. Executives at Sony now risk losing their jobs over e-mails they assumed were confidential. Be careful about the electronic paper trail your employees create.
  6. Protect your employees’ privacy. Sony employees have already initiated a class action suit against the company. The employees, along with their families, had confidential health records disclosed online and were subject to threatening e-mails from the hackers. When you do not protect your employees’ information and expose them to risk, you stand the chance of ultimately being deemed liable.
  7. Keep your friends close and your enemies closer. I’m sorry to say there is now a real threat to free speech in that many companies will be forced to think twice before taking a controversial stand or publishing material that may be deemed offensive.
  8. Have a safety net of cash in case you need it. Sony will have spent millions, perhaps billions, by the time this matter has been settled. In situations like these it is critical to have cash reserves on hand so you can act quickly.
  9. Educate yourself on your potential risks and consider insuring those risks. Then make sure you understand your coverage. None of the executives at Sony realized the risks or the exposure of this type of attack. You do not want to find yourself in a similar position of having to play catch up at such an inopportune time.

Hackers could become the new terrorists in years to come. Companies need to protect themselves against cyber risks and be prepared with an action plan should an unfortunate event present itself.

David Shaffer, Kreischer MillerDavid E. Shaffer is a director with Kreischer Miller and a specialist for the Center for Private Company Excellence. Contact him at Email

 

 Subscribe to the blog

You may also like:

Leave a Reply

Your email address will not be published. Required fields are marked *