What made Sony vulnerable to hackers (Part 2)
The company had been plagued by cyberinvasions in the past—what did it do wrong? And what can companies learn from this event? Fortune explains.
Sony has a really terrible history with hackers. They came under attack repeatedly. And if any one company should have been prepared for something like this, it was Sony. And they weren't. The FBI believes that hackers initially got into Sony's system through spear phishing email, which basically means that they targeted a particular message to an individual at the company, and inside of that message, there was malware or some sort of virus that jumped out and allowed them to gain a beachhead on the network.

Many of the experts we spoke to said that the hackers were not super advanced. We spoke to one professor who said sort of a mid-level student could have pulled this off. Most hacks are done for commercial reasons or corporate espionage or secrets. This is a case where the purpose was to destroy information and embarrass a company. It's not entirely clear when the hack began, but the FBI believes that by the time it really surfaced, it was probably three months in. So for a period of months, the hackers are in there gathering huge amounts of information, which they then unleashed.

Sony was paralyzed. They pulled the plug on the entire computer network. Everybody went back to using paper and pencil. And they dialed out on BlackBerrys, they used fax machines. Certainly no one imagined that exactly what happened would happen. But my reporting is that Sony had two explicit warnings that this was a possibility. They deny it. They say they got no warning of the danger of a cyber attack. That's their position.

We did a poll of Fortune 500 CEOs where we asked them the greatest challenges they face. 2/3 said that cyber-security was either the top challenge or one of the top three or four challenges. So companies have woken up to the fact that this is a big threat they face, but they clearly haven't yet done what they need to do to protect themselves.
When you look at the Sony hack or the Home Depot hack or the Target hack or the JP Morgan hack, you have to realize that you're next. Right now, Fortune 500 companies are being hacked-- right now. And the important thing is you need to shore up your defenses.

Sony has rolled out a whole series of initiatives, and they overwhelmingly sound really good, assuming Sony implements all of them. For the first time, they're going to have a whole series of steps that will compartmentalize information and make it harder for one person to make off with a huge trove of information.

One of the things I hear a lot from companies is it's hard to justify the hundreds of millions of dollars they're being asked to spend to protect themselves from cyber attack. But what costs more-- a bunch of software and a bunch of extra IT guys to handle these threats or the potential loss from information of actual financial assets, products, things like that? Companies are just going to have to belly up and deal with this as a kind of existential risk that's going to be with them no matter what software they buy or what else they do.