By now, you've undoubtedly heard about the massive cyber attack on Sony Pictures Entertainment, which aired the business's dirty laundry in public (in the form of vulgar and racist emails) and exposed Social Security numbers for thousands of employees.
The attack led Sony to withdraw its upcoming Seth Rogen and James Franco movie The Interview. The consensus is that North Korean hackers carried out this attack, retaliating for the film's depiction of Kim Jong Un. More dangerous attacks against theaters showing the film were implied.
Controversy aside, this attack resembles many of the other data breaches we've seen this year. Cyber criminals found a way inside the network of a company that took its data security for granted.
For an IT professional, the most shocking thing might be how poorly prepared Sony was. Let's look at what your clients can learn from Sony's bad example.
What Losses Will Sony Pictures Entertainment Suffer from its Data Breach?
The Sony Pictures Entertainment hack provides a useful reminder that data breaches are often extremely messy. The hack exposed everything from embarrassing emails to private employee information that could lead to identity theft. Here's a breakdown of the consequences of the attack:
- 50,000 employee SSNs were exposed.
- A group of employees has filed lawsuits over lost private information.
- Scripts for upcoming movies were leaked, potentially lowering the company's future revenue.
- Sony was forced to cancel its release of The Interview, which was projected to gross up to $120 million, according to the Washington Post.
- The business suffered a severely damaged reputation after leaked emails showed executives insulting actors and directors they worked with.
The data breach also provides extensive evidence that Sony Pictures' data security was weak. Leaked emails show Sony executives copying and pasting passwords into the bodies of emails.
With documented security lapses like this, it will be hard for Sony's lawyers to convince a judge that it wasn't negligent with its data security. Given that the company is already facing numerous lawsuits, we can expect that its legal expenses will be significant.
What Could Sony Have Done to Prevent a Data Breach?
An eSecurity Planet article points out that private data usually only accounts for 5 percent of a business's total data. A proper data security strategy starts with a business identifying the data that needs to be protected and building a strategy to secure it.
In this case, Sony Pictures should have focused on protecting…
- Employee records (including SSNs and private information).
- Proprietary information about upcoming movies, including scripts, movie files, etc.
To protect this data, IT consultants should have made sure it was always stored in encrypted files. Executives who had access to it should have been required to use unique and complex passwords.
In addition to these security measures, Sony's IT department should have trained its employees – even its grumpy executives – on proper data security practices. Though the details aren't known, numerous reports indicate that hackers were able to trick Sony employees into divulging their login information with simple phishing schemes.
Recommendations for Your Clients: Insurance for Data Breaches
We're not privy to Sony's risk management strategy, but the company could benefit from having Cyber Liability Insurance (also known as Data Breach Insurance), which is designed to pay for the cost of a data breach.
Cyber Insurance can cover the cost to…
- Contact employees and customers affected by the breach.
- Launch PR campaigns to repair a business's reputation.
- Hire IT professionals to investigate the cause of the attack.
Sony Pictures' hack demonstrates the costliness of a breach and the necessity of Data Breach Insurance. After a leak of confidential information, businesses have to limit the reputational and financial damage. If your clients are looking for extra reassurance against the cost of a data breach, suggest that they invest in Cyber Liability Insurance to cover their organization.