The Sony hack not only sidelined a major film, “The Interview," but it is beginning to look as if the data breach may be worthy of a Hollywood movie itself. The intrusion which exposed sensitive company and employee data has drawn widespread scrutiny on how it happened as well as how it has been handled, even leading President Obama to weigh in.
"Sony Pictures’ severe data breach went far beyond massive security incidents large companies as Target and The Home Depot faced. In this case, the attack wasn’t hidden, as well as it wasn’t made for the sake of reselling personal data on the black market. The criminals meant to damage the company itself," points out Michael Fimin, CEO and co-founder of Netwrix. The hack exposed the company’s intellectual property, employees’ personal information, embarrassing corporate correspondence and internal strategy information in an effort to collapse the company's brand and reputation among its audience, employees, partners and clients, he added.
The still-unfolding events are placing a renewed focus on enterprise data security. “The question of who is behind the attack is really the wrong line of thinking. Sony and other large-scale breaches we have seen over the last year reveals that we are at an inflection point with cybercrime directed at our critical infrastructure,” agreed Ken Westin, security analyst for Tripwire, a provider of security and compliance solutions.
In October 2014, Unisphere Research released a survey conducted among IT managers and professionals who are members of the Independent Oracle Users Group (IOUG) to examine the current state of data security. The results of the study, “DBA-Security Superhero: 2014 Enterprise Data Security Survey,” paint a picture of concern.
According to the survey report authored by Unisphere analyst Joe McKendrick, more respondents believe a data breach is inevitable than believed so when the first study of this type was first conducted in 2008. In 2008, 20% of respondents predicted a breach to be likely while in 2014, that percentage rose to 34%.
Two-fifths of respondents admitted they are not fully aware of where all the sensitive data in their organizations is kept. And data security audits still remain few and far between. Respondents are concerned about not only the risk to data posed by outside hacks but also human error and abuse of access privileges.
Call it cyber-terrorism or simply “cyber-vandalism,” there is no doubt that the recent Sony incident, which reportedly spans systems, servers, and databases, has escalated the concept of a corporate data breach to a level never seen before.
The Risks Associated with Data Security Lapses
“Now is the time for companies to stop living in the past,” stated Suni Munshani, CEO of Protegrity, a Connecticut-based provider of enterprise data security software and services. “Attackers have gained ground and are 10 steps ahead of today’s typical enterprise. Companies must view security as a dynamic challenge and use the best technologies to protect their data if they hope to stand a fighting chance.”
According to Westin, “Many executives fail to comprehend the staggering risks associated with cyber-security because they don’t understand what is at stake. They don’t understand the value of the data on their network and they consistently underestimate the damage a serious data breach can cause.” Echoing widespread estimates, Westin noted that the cost of the Sony breach “will probably exceed $100 million in terms of hard costs.” The total potential cost has been estimated by Bloomberg.com to be as high as $200 million, if the cost of making the film is included.
“The Sony Pictures Entertainment breach is unprecedented in terms of the scope of the compromise, as well as the media frenzy and political implications surrounding it,” noted Westin. “The really scary thing is that the Sony attackers wanted everyone to know about the compromise; right now there are a number of businesses whose networks have been compromised just as badly, they just don’t know it because their attackers have no public agenda.”
A Trail of Recent Data Breaches
This breach may have been among the biggest and most riveting, but there have certainly been many others in 2014, most notably in the retail arena, and it is time for companies to take notice and start being more vigilant, say data security experts.
“Criminals are no longer just targeting payment card information; they are targeting any kind of data that is sellable on the black market and/or can change the behavior of a company,” said Jonathan Spruill, managing consultant at Trustwave, a Chicago-based company that provides technology and services to help companies fight cybercrime, protect data and reduce security risk. Citing the company’s 2014 Global Security Report, he said, 45% of data thefts in 2013 involved non-payment card data. “While payment card data continues to top the list of the types of data compromised, we saw a 33% increase in the theft of sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records. The increase goes to show that criminals are increasingly seeing value in compromising any kind of data – even if they cannot sell it for a profit.”
“The retail breaches we’ve seen this year should be seen not as individual breaches, but as a wholesale compromise of our financial system,” added Tripwire’s Westin. “Collectively, these breaches have had a significant impact on the U.S. economy and consumer confidence and are feeding a general sense of national vulnerability.”
The key takeaway from this breach says Fimin is “Avoid false sense of security." it is a mistake to think that expensive security policy components are effective by default, he notes. Instead, he said, "Assume that your IT infrastructure has already been breached and try to think as a hacker. Where he goes next? What he might search? According to this segment your network and make access to sensitive data as complicated as possible. Always know what is going on across the entire IT infrastructure. Complete visibility will ensure that no malicious activity is unnoticed. This practice will not only save you from security violations, but also will help early detect a breach and fix vulnerability before it’s too late."