The Sony "PR Car Crash"
As reported on the Guardian website today, the Sony Breach Saga continues with further releases of private emails, leaked film plots and the list of embarrassing revelations goes on... They certainly are getting "run through the mill" and no doubt it will be a hugely costly episode in Sony Pictures' life. In fact the journalist from the Guardian even goes as far as suggesting that they may never recover.
What a terrible situation for Sony - the brand, the company and for all the people implicated in this. None of us is immune from data compromise - in fact most organisations are likely to be successfully hacked and compromised to some degree - even security businesses like ourselves and others who deal with this threat daily.
Defence, mitigation and survival in this online, everything-available-all-the-time-world comes down to how well prepared your business is:
Of course this is a little simplistic, but the four points above are four areas that are certainly worth exploring/checking in your business to find out how well prepared your business is to defend itself.
Security-wise
Having worked in the payment card industry for the last decade, the different approaches we've seen can fall into several categories, but the two that we're focusing on here are:
Education-wise
How well do your staff understand data security and the threats to your business? Our finding is that most organisations have a basic level of understanding of data security inherent in their workforce, such as "don't write your password down". Unfortunately very few do a great job of actively educating their staff. A cyber-security strategy needs to incorporate the end-user, as attackers will always look for a chink in an organisation's armour - and identifying that weakest link is a lot easier when the organisation's staff are ignorant of the threats to the business.
Management-wise
Management buy-in is one of the most important parts of a cyber-security strategy. Ensuring that C-level executives understand the threats to the business (and usually to their jobs) is essential in forming an effective cyber-security strategy - think budgets, headcount, technology, education etc. A security manager without management buy-in can be likened to a boxer getting into the ring with one or both hands tied behind his/her back to fight a highly trained and experienced opponent - and still being expected to win. It's unlikely to work out...
Response-wise
Incident Readiness and Response Preparation. Preparing for the attack and breach of defences is a crucial part of a cyber-security strategy and needs to be taken *very* seriously. We've seen all the headlines this year with all the big names being compromised (Home Depot, Bebe, UPS, Sony, Neiman Marcus, Dairy Queen and a lot more). Let us assure you that it is not only the big names getting hit - it is ALL manner of organisations. And they are certainly not limited to the US (although with the disclosure laws in the US, we hear about them a lot more). Our forensic business has had its busiest year yet, with our caseload more than doubling that of the previous busiest 12 months.
We believe that every business should be preparing for the day that they have a breach - they need to know what they are going to do to manage the situation, because how quickly they react will be critical in defending their business from further damage.
Incident Response Planning
Our experience in the forensic field has taught us that most hacked organisations do not have effective security in place. In addition, very few have even a basic Incident Response Plan in place. They all assume that it will not happen to them. Unfortunately experience has shown that it does happen to them - and it could happen to your business too.
To assist you in building your Incident Response Plan, we have created a free Incident Response Planning Guide that outlines some of the key steps that an organisation needs to take to build an effective Incident Response Plan.