The massive scale of the cyber attack shows why top executives need to be more involved in shaping cyber strategy at companies.
Spooked by the Sony Pictures hack and the leak of sensitive documents, companies of all kinds are now scrambling to shore up their cyber defenses.
The movie studio’s breach is just the latest in a series of hacks in recent years, including attacks on Target TGT , Home Depot HD and JPMorgan Chase JPM that collectively compromised the personal information of tens of millions of customers. But Sony’s hack stands out as a more frightful example because of hackers’ unfettered access, the huge damage they caused and the ultimate capitulation to their demands, seen by Sony’s controversial — albeit short-lived — decision to shelve the comedy film The Interview.
“I think the scale of this impact on Sony is what’s going to make a lot of C-suites sit up and say ‘Wow, we really do need to take this seriously,'” said Rob Sloan, head of cyber data and content for Dow Jones Risk & Compliance.
Preventing similar hacks is easier said that done. Companies already invest huge amounts of money to keep their computer systems secure, with varying degrees of success. All it takes is one weak spot for a would-be intruder to exploit. Corporate security teams are redoubling their efforts following the Sony hack, fully aware that their businesses could very well become the next Sony-style victim.
The necessary precautions have remained essentially unchanged for years, Sloan said. Companies must make sure their software and security policies are up to date, and teach employees to spot any phishing e-mails, among other standard hacker tactics.
Even before the Sony hack, Forrester Research predicted that 60% of companies will uncover a breach of sensitive data at some point in 2015, while even more could have breaches that go unnoticed. And while Sloan says not to expect something of the magnitude of the Sony hack for at least another year, smaller, more focused cyber attacks should continue to pop up every few months.
Most companies are constantly under siege, but are able to deflect a high percentage of threats, Sloan said. Sophisticated attacks are bound to occasionally sneak through corporate defenses. The bigger the company is, the harder it is to ensure tight computer security.
What is essential, Sloan notes, is that companies assume that they will be hacked and have a strategy in place to detect any breach during its early stages to stop it from spreading throughout their networks. Sloan says spending on security technology is likely to increase in the wake of the Sony hack, but the best bet for nervous corporations is to invest in its security talent, whether that’s an in-house team or consultants. Top executives need to have regular conversations with those responsible for security to develop a strategy that identifies and protects data that is most important to their business.
In Sony’s case, hackers stole a huge trove including personal information, financial data, and trade secrets — or as Sloan put it, “the complete pillaging” of the company. Until Sony promised to cancel the release of The Interview, those responsible — North Koreans, according to the F.B.I. — slowly released the corporate data online, including embarrassing emails. Executives across the country could look at their own e-mails and imagine a horrifying scenario in which their private conversations were publicly exposed.
“They can see the damage being done and it’s potentially career-threatening for them and business-ending if they don’t have the funds to support them through their troubles,” Sloan said.
Sloan also suggests companies be less parochial and warm up to the idea of sharing data with rivals. He pointed to the finance industry, in which banks share information about hackings with each other through the Financial Services Information Sharing & Analysis Center, which even added Target and the recently-breached retailer’s financial arm to its membership roll.
“You can no longer work in isolation,” he said. “You have to see that your peers, or your competitors, are having the same sort of issues and that you can learn from each other if you’re willing to share.”
If suffering a catastrophic breach isn’t enough of an incentive for corporations to constantly work to improve their network security, there is also the prospect of lawsuits to consider. For example, Sony has already been hit by a lawsuit brought by former employees who claimed the company failed to do enough safeguard their personal information that ended up being leaked in public during last month’s hacking.
Gerard Stegmaier, a privacy and data security partner at the law firm Goodwin Procter, says it is natural to see a wave of litigation after the dust settles in a high-profile data breach. In addition to employee claims, investors can also sue if a breach destroys the company’s value and shareholders blame executives for falling asleep at the switch.
“If 2014 was the year of the data breach, 2015 is going to be the year of data breach litigation,” Stegmaier said.
What’s more, Stegmaier added that it’s very difficult for companies to prove they installed reasonable security measures, especially if those measures failed. Fearful of legal exposure, executives are increasingly talking with their computer system teams about network security rather than the traditional practice of letting them handle things themselves.
“Cyber security has moved from the data center to the boardroom,” Stegmaier said.
(UPDATE: The original version of this article mistakenly identified the law firm Goodwin Procter as Goodwin & Procter. The article has been corrected.)