Lessons from Sony
Let’s face it, most of us (and our businesses) will never experience the volume and sophistication of attacks that an organization like Sony can expect to. We look around and think: “Who would want to hack a small business that resells widgets?” Or “We’re just a local nonprofit. Who would be interested in hacking us?” The truth of the matter is that we are all potential targets. After all, identity thieves don’t just target millionaires.
True, most of us shouldn’t have to spend nearly as much as a Sony-like entity does on IT security. Also true, 90% of security (IT or otherwise) is really just about applying common sense. What always surprises me is that even organizations like Sony, which should know better, simply fail to use simple, common-sense practices (that cost $0 to implement).
This AP article about the hack is interesting for many reasons. But one thing that leapt off the page was this:
“The emails show CEO Michael Lynton routinely received copies of his passwords in unsecure emails for his and his family’s mail, banking, travel and shopping accounts, from his executive assistant”
We are talking about the CEO of a company that had already experienced traumatic hacking incidents, still relying on the equivalent of someone leaving a loaded gun on the kitchen table for him to pick up when convenient.
It is entirely possible that, even had every Sony employee followed every best practice available, hackers would still have been able to break in. After all, our industry has to anticipate threats that don’t even exist yet, something Donald Rumsfeld eloquently described as “known unknowns” and “unknown unknowns.” So, yes, it is possible that a hacker group could have come up with something really clever against which no defenses had yet been devised. It is also possible that defending against sophisticated threats simply cost more than Sony was willing to pay, and that Sony made an informed decision based on risk and costs.
But it would have cost precisely zero dollars for the CEO to tell his assistant not to send him (or anyone) unencrypted passwords, ever. Indeed, this kind of behavior makes all other Sony IT security expenditures useless: a password sitting in plaintext in a mailbox is exposed to anyone who can read that mail, regardless of how well the systems it unlocks are defended. And, therefore, we can also assume that other (most?) Sony employees were similarly lax in employing common-sense security practices, providing many openings for a hacker group to help themselves to sensitive data.
The lesson for the rest of us is that we can and should follow common-sense practices as well as deploying hardware and software security solutions.