The Changing Threat Posed by Recent Cyber Attacks

The last 18 months have been a bonanza for cyber criminals. In January, 2014 Target announced that personal information had been stolen from over 110 million accounts; over 83 million accounts at JP Morgan were hacked in August and in September Home Depot acknowledged that 56 million customer accounts were accessed when its payment system was breached. Other well known companies were victimized as well: Neiman Marcus, Yahoo! Mail and even PF Chang’s China Bistro all reported major breaches involving customer data. Just before the start of the 2014 Thanksgiving holiday, news reports began to emerge about a potentially significant data breach at Sony Pictures. Today, months after the 2014 Sony cyber attack, It has become clear that this breach was a watershed moment in corporate cyber security culture across the globe. It is incumbent on enterprises not to just take notice of these events, but to take a proactive approach to handling cyber security. Using lessons learned from prior breaches, there are steps that companies can take now to minimize the risk of a damaging data breach.

The nature of the 2014 Sony breach has exposed a whole new vulnerability to American enterprises. In previous large breaches, such as the Target or Home Depot cyber attacks, the damage was typically limited to repairing relationships with harmed parties. A class action lawsuit from customers or employees whose data was compromised and efforts to strengthen networks to prevent further attacks were what was generally required in response. The 2014 Sony breach was different in that a major company asset was threatened and ultimately diminished in value when Sony decided not to release the major motion picture The Interview in theaters. It stands to reason that hackers observing the fallout from the 2014 Sony breach, as well as breaches at Home Depot, JP Morgan and others are feeling empowered at the moment.

The fallout has had a significant impact on Sony Pictures: salaries of top executives were released; personally identifiable information (“PII”) like criminal background checks and social security numbers of thousands of employees were released; scripts from projects in development were uploaded to the internet; and as a result of the breach as well as threats of physical violence against movie theaters, Sony declined to release The Interview in theaters. Eventually Sony Pictures co-chair Amy Pascal resigned. In all, the hackers claim to have taken anywhere from 12 to 100 terabytes of data from Sony, potentially costing Sony up to $100 million in investigation and repair costs as well as lost productivity, according to cyber security experts who have studied past breaches.

In house attorneys and information security professionals are now on notice that cyber threats are, in the words of President Obama, an “urgent and growing danger”. Fortunately, there is a path to greater security for your organization. These precautions may be costly in up-front time and money, however a robust data security system needs to effectively prevent a Sony-style hack only once to be prove its worth. After Sony, companies have a new reason to protect their information systems. The data of customers is no longer the only target – the enterprise itself is now in the crosshairs. For these reasons, organizations should not wait to begin implementing data security plans, built on these considerations:

1. Accept that all enterprises, including yours, are potential targets. Hackers have shown that they are motivated by a range of reasons, from the financial to political to personal and beyond. Historically it was enterprises with sensitive customer data such as financial services firms, retailers and restaurants that bore the brunt of cyber attacks. The Sony breach illustrates that no industry is exempt from finding itself on the radar of a cyber criminal.
2. Form a response team composed of high-ranking officers in the company: CFO, Head of HR, someone from the legal department and the CIO or CISO. In the event of a breach each of these departments will have to make important strategic and tactical decisions on an urgent timetable. Reports have surfaced that a delayed response by Sony management in the days following the attack exacerbated confusion and stress experienced by Sony employees left wondering what steps they needed to take to protect themselves. It is better to have a playbook in place prior to an incident than to scramble after damage has been done. For example, knowing who provides coverage when a key team member is out on vacation can save critical hours or days. If an incident occurs, everyone refers straight to the playbook.
3. With large organizations in particular, it will be necessary to federate your cyber breach response, to ensure a coherent approach. This was not Sony’s first high profile cyber breach. Sony’s PlayStation Network was hacked in 2011 and valuable protocols were implemented in the aftermath. However too many of those protocols did not filter down throughout the Sony enterprise globally, which employs over 140,000 employees in over 100 subsidiaries. Industry analysts have observed that the Sony Pictures people may have had little knowledge of what protective measures were in place at the PlayStation Network. (for more information please see “Why Sony didn’t learn from its 2011 hack”, Fortune.com, December 24, 2014) When developing a unified cyber security response program across a large enterprise, be sure to involve information security experts (internal or external) earlier rather than later. These professionals can be expensive during preparation stages of a data security plan, but they are much more so when brought in for incident response. If you are proactive, prior to a breach these experts can assist with data mapping, which can save a large organization with complex data platforms valuable time in its response by identifying what data is stored within the organization and where it is expected to be held. In organizations where personally identifiable information is stored, a Privacy Impact Assessment will also help identify particular areas which may need added security.
4. Steps four through seven are not specifically derived from the Sony hack but are worth mentioning in an effort to be comprehensive. After drafting a playbook, take the next step and practice tabletop exercises. Unnecessary lapses and mistakes during an incident response are more easily avoided if members of the response team have practiced what to do. It is important that in-house attorneys participate in these exercises.
5. Once a playbook is established, get to know the relevant law enforcement officials before an incident occurs. If a collaborative relationship with the proper government agency can be established, your enterprise will have a much easier time handling potential civil or criminal actions from the government. If necessary, hire an outside forensic firm so that your enterprise can leverage that firm’s relationships.
6. One of the most critical components of cyber security is employee training. According to Security Scorecard CEO Aleksandr Yampolskiy, many breaches take place when employees on a company network carelessly open an attachment from an unknown source. This is a common back door into an enterprise’s network that is simple to lock up with employee security training on a regular basis. It is understood that one of the challenges with employee training sessions is getting everyone to listen and follow the lessons learned in training. One way to get employees to pay attention is to explain that these are also ways to secure their home computers and personal laptops.
7. Whenever entrusting third parties with your enterprise’s data, be sure to properly designate confidential or trade secrets information. Even more vital, set up agreements with the third party ensuring they will properly safeguard all personal information.