What we’ve learned from the Sony Hack of 2014
November 24, 2014 marked one of the most devastating cyberattacks on a private corporation to date. The attack, which infiltrated the highest levels of Sony Pictures Entertainment (SPE), illustrates not only how vulnerable most companies are to hacking, but provides a strong case for why companies need to invest more robustly in IT security.
It was a Monday morning. As SPE employees turned on their computers, the horror began. Monitors displayed the frightful image of a skeleton bathed in red light over decayed faces of SPE executives, accompanied by sounds of gunfire. The message was that the Guardians of Peace had hacked SPE’s computers and would release sensitive information if its orders were not obeyed.
SPE management was blindsided. More than half of SPE’s 1,555 servers and 3,262 of SPE’s personal computers were wiped of all stored data and operational capability. Within an hour, most of the destruction was done. Only then did SPE’s IT personnel learn that the attack had been ongoing for months before showing itself, stealing the data it then destroyed that fateful morning. They learned the hackers accessed a “confidential” current audit of SPE’s entire computer network that they used as a roadmap to destruction against SPE. More than 47,000 social security numbers, medical records, salary lists and documents detailing intra-office affairs and unreleased movie scripts were leaked to public file sharing or piracy websites for free viewing and downloading.
Less than a month later, the FBI announced that North Korea was behind the hack. Investigations revealed that the government had issued threats against SPE because of the film “The Interview,” which focused on a plot to kill the North Korean leader. Since then, SPE has completely re-engineered its cybersecurity system, including updated protocols, equipment, employee training and firewalls. SPE’s damage and losses, much of which are uninsured, may well exceed $80 million. Contrast this with the casual remark of SPE’s lead IT officer made prior to the hack: “I will not invest $10 million to avoid a possible $1 million loss.”
Reports of other severe hacks dominate news headlines. From April to September 2014, Home Depot suffered a cyberattack that compromised 56 million credit and debit card numbers and some 53 million customer email addresses. Two months later, Partners Healthcare fell victim to a phishing expedition that stole 3,300 patient personal files (Phishing is a method of obtaining sensitive information by email impersonation). In January 2015, Anthem Blue Cross-Blue Shield lost personal information for more than 80 million consumers.
Even the Federal government is not immune. In June of this year the U.S. Office of Personnel Management revealed that personal data had been stolen for more than four million federal current and former employees. In August, the Internal Revenue Service admitted that a February 2015 hack, which mined data until it was discovered in May, stole data on almost three times the number of taxpayers than originally disclosed.
And it’s not just the U.S. government and large corporations that are targeted. It has been estimated that 71% of cyberattacks occur at businesses with fewer than 100 employees. The cost of such attacks can be extreme. The 2015 average cost of a data breach in the U.S. is approximately $217 per compromised record–up nearly 6% from 2014.
In this day of the Internet of Things, product developers are of concern as in January 2015, the Federal Trade Commission weighed in on data security for new products. The automotive industry offers a prime example of this need to consider cybersecurity in product development. Fiat Chrysler Automobiles NV recently recalled 1.4 million vehicles after researchers in product hacking showed an ability to a control a Jeep’s transmission (cutting engine power to wheels), stereo volume, windshield washers and wipers, air-conditioning and GPS, as well as disabling brakes, from a basement laptop 10 miles away. A 2015 U.S. Senate Report details vulnerability through some 50 separate electronic control units in internal vehicle computer systems. Even the cutting-edge Tesla Model S proved vulnerable to cyberattack at the August 2015 DEF CON hacker conference.
The devastating impact of these actual hacks, the potential damages from known hacking experiments and the lessons learned are a warning bell for executives. Those who believe data breaches are rare, or will not happen to them, are fooling themselves. With hacks now as common as a winter cold, the question is no longer “if,” but “when.” Any organization with an IT system needs to be sensitive to the potential of being hacked, and proactively act to protect itself. Indeed, it is predicted that increased cybersecurity project spending will exceed all other IT projects in 2015.
Of course, no protection plan is foolproof and no cybersecurity system is failsafe. Simple anti-virus personal security programs no longer effectively prevent any virus or worm infiltration but do act to decrease vulnerability and increase damage control. However, likelihood of a breach and the resulting damages can be diminished by taking responsible steps to secure one’s IT system.
What can be done? Consider the old axiom that “The surest defense is offense.” Applied to cybersecurity, it means management adopting a proactive position throughout the company, including a vigorous protection and response program incorporating active employee training and careful password protection, including multi-factor system access identifiers.
Management should also develop an Incident Response Plan (IRP) before a breach occurs. While no IRP will perfectly anticipate all issues stemming from a particular breach, it provides management a prospective look at IT vulnerability and the steps necessary to respond when the breach occurs. The IRP should also address notifications to send to third parties and government entities and, likely, the public. There currently is no national standard in the U.S., although legislation is proposed before the 114th Congress (2015-16).
Finally, the IRP must contemplate how to assess damage from the hack–from productivity to reputation loss, as well as direct costs incurred as the result of the breach. Preservation of data, chains of custody and documentation must be preserved, tracked and stored in a secure base.
This is no minor task. Rather, a comprehensive IT and data audit must be undertaken as the organization develops its IRP. Due to the comprehensive nature of this effort, it is critical that key leaders of the entity be involved in the decision making process. General counsel, as well as outside counsel familiar with cybersecurity issues, should be involved in development of the cybersecurity planning at the outset and particularly in the IRP process. For publicly held companies, this also means assuring board involvement.
Cybersecurity’s intellectual property focus is on the protection of trade secrets–customer/patient databases; personal information of customers, employees and vendors; product or service research and development; competitive product formulas, recipes and designs, computer algorithms, computer codes and any other of the vast array of valuable corporate treasure on hand. Much of this is “Bet the Company” types of information if breached.
Business owners–small and large–need to think like the bad guys and determine what attackers might want most. It could be intellectual property, trade secrets, customer lists, customer credit card information or perhaps a means to gain entrance into a larger client or customer. Assuming security codes are clean, it might make sense to outsource security operations to further protect small businesses.
Most important in minimizing the impact of a breach is the purchase of cyber-risk insurance for after-the-fact protection. Such insurance covers liability for exposing confidential information, payments for notifying customers of the breach, and providing customers with appropriate credit monitoring services. Policyholders cannot simply think the purchase of such insurance without more will protect them. For instance, IT service provider vendors must be evaluated to assure they meet appropriate cybersecurity practice standards required by insurers.
The lessons of the North Korean hack on SPE and the other examples mentioned above should stand for a long time. Unfortunately, too many companies share the same vulnerabilities as SPE, including lax and shoddy cybersecurity procedures, as well as a lackadaisical approach to employee training in cybersecurity issues. Hopefully, though, this high-profile hack job serves to open the eyes of business owners and motivates them to take preventative action.
Contact: Craig A. Marvinney