Earlier this month, Sony Pictures Entertainment got hammered by one of the most extensive, and arguably most embarrassing, hacks we’ve seen in a long, long time. And, just like a Hollywood blockbuster, we’ve all had a front-row seat to watch the fallout.
Losses have already been estimated at over $100 million. Details of how Sony’s most influential executives really feel about their most high-profile talent have been revealed. Unsavory internal exchanges that nobody would want aired in a public forum have come to light. And perhaps the worst part — Sony’s own employees could personally be at risk of future attacks after having their private information stolen.
Whether or not someone will lose his job for architecting “good enough” security at Sony remains to be seen, but it’s clear already that whoever’s responsible for Sony’s information security probably wasn’t doing their job very well in the first place. So, while Sony reels from the consequences of being caught with its security pants around its ankles, security professionals and CISOs everywhere should take a moment to reflect on their own risk of exposure.
Sony’s is a cautionary tale of how even the most well-funded, tech-savvy companies aren’t able to keep up with the growing size and sophistication of today’s cyber attacks. Making matters worse, even those doing their best often don’t consider mobile devices as one of the ways cybercriminals will get inside their digital perimeter.
Take for example Sony’s immediate reactions just after discovering it was under attack. Most interestingly, it quickly instructed employees to turn off their mobile devices, and asked them not to connect devices to its Wi-Fi network.
Asking employees to turn off their smartphones and tablets if you think an attack is imminent or in progress is like burning down your house if you think you’re being burglarized. A compromised device is just as compromised when it powers back on, and any data already taken from it is already gone. It’s simply not a viable strategy for keeping valuable, sensitive information out of harm’s way, and it has an obvious productivity cost: you’re shutting off some of the key tools that employees use to do their jobs.
Sony is working with the FBI to investigate the incident fully, and it hasn’t provided further details, so the rationale for these decisions is pure speculation. But its knee-jerk, all-or-nothing reaction about mobile phones is a fair indication that Sony, like many organizations, lacks a strategy for how to handle advanced mobile threats effectively.
Mobile security isn’t a static list of rules and regulations. It’s a dynamic environment where requirements and policies have to be flexible enough to change depending on the threat and your tolerance of the risks to which you’re exposed.
With so many variables at play between types of devices, applications and networks, it’s critical for organizations to build a strategy to detect these threats, and to protect devices with solutions that enable a comprehensive and proactive approach to mobile security.
Also, cyberattacks aren’t just the hobby of geeks in a network closet or thugs in a faraway land. Cyberattacks are a serious business, with attacks being launched by sophisticated groups and even nation-states with vast financial resources and enormous technical expertise.
As for Sony, only time will tell just how extensive and expensive its breach will wind up being. The luxury of having that front row seat, though, is that it gives you the opportunity to learn from someone else’s mistakes before you make them yourself.
End scene.