As you've heard by now, Sony Pictures suffered a major breach in November, and is still feeling the consequences of it. The FBI warned that other companies could be attacked with similar malware, but that isn't the only reason you should care about this event in particular.
The Guardians of Peace (GOP) have leaked a variety of types of data, and claim to have 100 terabytes of information that could be slowly brought to the public's attention.
According to one report from Re/code, the attack could cost Sony as much as $100 million. However, it usually takes about half a year to determine the total cost of a breach. In this instance, understanding the overall impact could depend on how slowly GOP leaks out the data it claims to have compromised.
Sony lost personal communication records and business and intellectual property, in addition to the healthcare records of its employees.
Because of the variety of the data stolen, the company may have to restructure more than just its network. A CSO Online piece mentioned that the loss of Sony's sales and marketing plans could end up being the biggest blow to the company's profits.
Sony seems to be satisfying at least some of the demands from GOP, as this video explains. "The Interview," which is believed to be the inspiration for the attack in the first place, will not be shown in theaters in Asia. Also, the film production company canceled all interviews with the cast of the movie.
Depending on any negotiating the company does with GOP, those may not be the only changes to how "The Interview" is promoted.
UPDATE: After initially leaving the decision up to movie theaters, Sony has since pulled "The Interview" from running due to some reported terrorist threats. It's still unclear what North Korea's role was in the breach (if it was involved at all), but the film was stopped as a precautionary measure.
The Takeaway: How to Avoid Becoming the Next Sony
In the past, Sony underestimated the importance of cyber security. In 2006, then-CISO Jason Spaltro said, "I will not invest $10 million to avoid a possible $1 million loss." The landscape has changed considerably since then, but it doesn't appear the company's stance has adapted accordingly.
Companies should be doing whatever is necessary to mitigate their cyber risks today, because attackers aren't just after financial information. Attackers are becoming more sophisticated both in how they obtain sensitive information and how they can use it to achieve their goals.
Some of the company's trade secrets and other sensitive information were leaked, such as the fact that Sony was working both with and against Google in different anti-pirating initiatives. With so much previously confidential information now out in the open, a couple of large questions put Sony's future profits at risk:
- Will movie stars and other production companies want to work with them?
- Will the organization have to change its structure or leadership style?
The breach opens up more questions than it answers, but one thing is certain: businesses that take information security seriously enough to monitor their performance will reduce their chance of a similar event happening to them.
If you'd like another example of a breach you can learn from, read our post about the takeaways from the JPMorgan breach.
UPDATE: BitSight CTO and Co-Founder Stephen Boyer was quoted in an NBC News story about the implications of the Sony breach. He specifically discussed the challenge the attack would have posed for most companies and governments.