From Fortune, by Tom Huddleston, Jr.
The massive scale of the cyber attack shows why top executives need to be more involved in shaping cyber strategy at companies.
Spooked by the Sony Pictures hack and the leak of sensitive documents, companies of all kinds are now scrambling to shore up their cyber defenses.
The movie studio’s breach is just the latest in a series of hacks in recent years, including attacks on Target, Home Depot, and JPMorgan Chase that collectively compromised the personal information of tens of millions of customers. But Sony’s hack stands out as a more frightful example because of hackers’ unfettered access, the huge damage they caused and the ultimate capitulation to their demands, seen by Sony’s controversial — albeit short-lived — decision to shelve the comedy film The Interview.
“I think the scale of this impact on Sony is what’s going to make a lot of C-suites sit up and say ‘Wow, we really do need to take this seriously,’” said Rob Sloan, head of cyber data and content for Dow Jones Risk & Compliance.
Preventing similar hacks is easier said than done. Companies already invest huge amounts of money to keep their computer systems secure, with varying degrees of success. All it takes is one weak spot for a would-be intruder to exploit. Corporate security teams are redoubling their efforts following the Sony hack, fully aware that their businesses could very well become the next Sony-style victim.
The necessary precautions have remained essentially unchanged for years, Sloan said. Companies must make sure their software and security policies are up to date, and teach employees to spot any phishing e-mails, among other standard hacker tactics.
Even before the Sony hack, Forrester Research predicted that 60% of companies will uncover a breach of sensitive data at some point in 2015, while even more could have breaches that go unnoticed. And while Sloan says not to expect something of the magnitude of the Sony hack for at least another year, smaller, more focused cyber attacks should continue to pop up every few months.
Most companies are constantly under siege, but are able to deflect a high percentage of threats, Sloan said. Sophisticated attacks are bound to occasionally sneak through corporate defenses. The bigger the company is, the harder it is to ensure tight computer security.
What is essential, Sloan notes, is that companies assume that they will be hacked and have a strategy in place to detect any breach during its early stages to stop it from spreading throughout their networks. Sloan says spending on security technology is likely to increase in the wake of the Sony hack, but the best bet for nervous corporations is to invest in their security talent, whether that’s an in-house team or consultants. Top executives need to have regular conversations with those responsible for security to develop a strategy that identifies and protects data that is most important to their business.
In Sony’s case, hackers stole a huge trove including personal information, financial data, and trade secrets — or as Sloan put it, “the complete pillaging” of the company. Until Sony promised to cancel the release of The Interview, those responsible — North Koreans, according to the F.B.I. — slowly released the corporate data online, including embarrassing emails. Executives across the country could look at their own e-mails and imagine a horrifying scenario in which their private conversations were publicly exposed.
“They can see the damage being done and it’s potentially career-threatening for them and business-ending if they don’t have the funds to support them through their troubles,” Sloan said.