Imagine top military brass planning attack and defense strategies for cyberwarfare, leaning over a table and pushing miniature figures around, trying to predict how hackers might bring down a major organization. Perhaps it's actually not too hard to imagine, given recent events. We've watched a real-life scenario unfold, with all the gory details of Sony's breach laid bare before us in business, technology, and pop-culture press.
The damage to Sony has been significant, but for everyone else, it's an opportunity to imagine what might happen if a cyberattack targeted data and assets more critical to our country.
To be clear, the breach of Sony Pictures Entertainment didn't unveil any new, alarming cyberwarfare techniques. We have seen the attributes of this attack many times in the past:
- Workforce disruption: Saudi Aramco was hit by a similar attack in 2012, effectively taking its entire workforce offline.
- Personal data and intellectual property exposed: Adobe suffered an attack in 2013 that exposed customer data as well as source code for a number of its software products.
- Official blame placed on a foreign government: the U.S. government in 2013 directly accused China's military of mounting cyberattacks against American defense contractors and government agencies.
- Immediate customer impact: coincidentally, one of the most prominent examples of a cyberattack preventing a company from delivering a product to its customers was the 2011 attack on Sony's PlayStation Network (which experienced a similar attack and outage yet again in the past several days).
What is different about this most recent attack on Sony Pictures, however, is how many people are paying attention to it. People who haven't thought about information security much beyond their social media privacy settings or password management strategies are asking very legitimate questions about what happened: Could Sony have foreseen this kind of assault? Is Sony responsible for any of the damage based on its actions before, during, or after the attack? How could our federal agencies and Sony have responded better?
As customers, employees, managers, and investors, it's important that we keep asking these questions. The Sony attack provides a terrific context for us to have these conversations with the people who run our businesses and government agencies. There are five fundamental issues that the Sony case study has exposed for us:
We don't know how to evaluate liability for information-security breaches. It would be difficult to call any company negligent for getting hacked; even the most sophisticated organizations can't stop every attack. Still, insurance firms and the legal system will have to decide what constitutes reasonable efforts to protect data. When a company like Sony loses so much critical information — employee data, movies and scripts, sensitive emails, etc. — you have to question whether they had even fundamental security capabilities like encryption and network monitoring.
We still don't understand the real threat of coordinated physical and logical attacks. In this entire episode, the outcome that got by far the most attention was Sony's decision (and subsequent reversal) to not release "The Interview" in theaters. While this movie was seen as a catalyst for the cyberattacks in the first place, pulling it from distribution only happened after threats of physical attacks that the U.S. government deemed not credible. Physical safety must be taken seriously, but we need better coordination between corporate and government stakeholders to evaluate whether cyberattack capabilities have any legitimate connection with physical attack capabilities. In some cases, they will, but at this point, it's extremely rare.
Regulations help in many ways, but in information security today, compliance means very little. Companies that suffer massive data breaches are often compliant with applicable regulations, and Sony was no exception. This doesn't mean compliance is worthless — it means that regulators and auditors still focus too much attention on a checklist of technical controls instead of the processes and decisions related to information security. For example, Sony may have had great protection for its customers' credit card information and financial systems to meet PCI and SOX compliance, but it failed to protect non-regulated data like executive emails and movie scripts, which caused tremendous damage when exposed. Regulators and auditors should look at a broader scope of risks and make sure processes are in place to identify and address them appropriately.
Companies use risk management incorrectly to justify bad decisions. Sony has a long-standing risk management program, and statements by company executives over the past 8 years suggest that they assessed risks on an ongoing basis. They even justified passing on information security investments by calling a $1 million loss from a data breach an acceptable risk. However, if they had conducted a comprehensive risk assessment that considered all the negative impacts a breach would have on the company's reputation, relationships with producers and actors, earning potential of future releases, workforce productivity, and customer sentiment, they would have realized they had severely underestimated the damage a cyberattack might do.
The potential for revenue loss should be a critical warning sign for all companies. The vast majority of past breaches have involved customer data, and customers have often responded by taking their business elsewhere, at least temporarily. However, attacks against Sony have taken out its PlayStation Network, exposed unreleased movies, and interrupted production of new content. This kind of direct, negative impact on revenue is a new wrinkle in information security, and it should convince executives and boards of directors in all sectors that information security and risk management are fundamental requirements of a profitable business.
As we continue to watch consequences of the Sony breach unfold, these issues should be top of mind for all business people, not just security and technology specialists. And if you're shopping with, investing in, or working for a company that deals with sensitive information of any kind — make a 2015 New Year's resolution to check whether top executives at that company are properly assessing, discussing, reviewing, and addressing information risks.
Commentary by Christopher McClean, vice president and research director at Forrester Research, serving security and risk professionals.