The recent Sony breach is yet another indication of the need for organizations to take security seriously.  Business executives keep relying on incomplete risk-management solutions, and these are not working.  They never worked, and this year's breaches make that all the more obvious.  Don't you think?

Hackers are working hard, and succeeding, in their attempts to get into your networks and take your sensitive data.  What can security pros and executives learn from the Sony breach to keep this scenario from playing out in their own business?

The way an organization handles information matters.  Are you checking your network for vulnerabilities?  What tools and processes do you have in place to know whether a vulnerability is present in your systems?  Do you know whether your data center provider is taking the necessary steps to secure your sensitive information?  Remember, it doesn't stop at compliance: a passed audit tells you that controls existed on the day of the audit, not that an attacker cannot get in.

Data is valuable.  It includes not only your own information but also that of your employees and customers.  Don't you want them to be safe from data theft and the burdensome costs that come with identity theft and fraud?  And if you've been following the Sony hack, you will have noticed that data can and will be held for ransom, leading to even bigger problems for businesses and for a nation at large.

Physical security is just as important as network security.  Are you securing your infrastructure and managing your processes properly?  How easy is it for someone to walk up to your servers?  Do you restrict who can access sensitive data, and is that restriction actually enforced?  Are you revising the processes you have in place as technology changes and risks adapt to those changes?  Consider the IoT boom, and the vulnerabilities that sit undetected for long periods before being discovered (POODLE and Heartbleed, both flaws in widely deployed SSL/TLS code, are this year's examples).

Weak system and network configurations, not software vulnerabilities, allowed this attack to exfiltrate hundreds of gigabytes of data over a period of days.  This is something no business should allow to happen.  You need to have a system in place that recognizes data exfiltration activity: unusual outbound volume from a host, transfers to destinations it has never talked to before, and large movements at odd hours.  No matter how secure you think your network is, if you don't have eyes on your data activity you won't know what's going on.  That delays discovery of the intrusion and allows the attacker to take more data, increasing the damage your business will face.
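One minimal form of the "eyes on your data activity" the paragraph above calls for, as an added example that is not part of the original post: it learns a per-host baseline of daily outbound bytes from constructed flow-log lines, then flags any day whose total sits far above that baseline and any destination the host has never contacted. The log format, host names and IP addresses are invented for illustration; in practice the same logic runs over NetFlow, proxy or firewall logs.

```python
"""Baseline-and-deviation detection of bulk data exfiltration.

Added example, not code from the original post. The log format, host names
and IP addresses below are invented for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow-log lines: "<day> <src_host> <dst_ip> <bytes_out>".
# BASELINE_LOG covers quiet days used to learn normal behaviour;
# OBSERVED_LOG is the window being checked, in which ws-hr-02 pushes
# several gigabytes to an address it has never contacted before.
BASELINE_LOG = """\
day1 ws-finance-01 203.0.113.10 120000
day1 ws-finance-01 203.0.113.10 95000
day1 ws-hr-02 198.51.100.7 40000
day2 ws-finance-01 203.0.113.10 110000
day2 ws-hr-02 198.51.100.7 52000
day2 ws-hr-02 198.51.100.7 38000
day3 ws-finance-01 203.0.113.10 130000
day3 ws-hr-02 198.51.100.7 45000
"""

OBSERVED_LOG = """\
day4 ws-finance-01 203.0.113.10 125000
day4 ws-hr-02 198.51.100.7 44000
day4 ws-hr-02 192.0.2.99 9000000000
"""


def parse(log_text):
    """Turn log lines into (day, host, dst, bytes_out) tuples, skipping blanks."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, host, dst, nbytes = line.split()
        records.append((day, host, dst, int(nbytes)))
    return records


def daily_totals(records):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in records:
        totals[host][day] += nbytes
    return totals


def build_baseline(records):
    """Per host: mean and standard deviation of daily outbound bytes,
    plus the set of destinations seen during the baseline period."""
    dests = defaultdict(set)
    for _day, host, dst, _nbytes in records:
        dests[host].add(dst)
    baseline = {}
    for host, per_day in daily_totals(records).items():
        values = list(per_day.values())
        baseline[host] = {
            "mean": mean(values),
            "stdev": pstdev(values),
            "dests": dests[host],
        }
    return baseline


def detect(records, baseline, z_threshold=3.0, min_bytes=1_000_000):
    """Return alerts for (a) a day whose outbound total is z_threshold
    standard deviations above the host's baseline and at least min_bytes,
    (b) a host with no baseline at all, (c) a never-before-seen destination.
    The z-score denominator is floored at 10% of the mean so that a host
    with an almost flat baseline does not alert on ordinary jitter."""
    alerts = []
    for host, per_day in daily_totals(records).items():
        for day, nbytes in per_day.items():
            if host not in baseline:
                alerts.append({"type": "unknown_host", "host": host,
                               "day": day, "bytes": nbytes})
                continue
            b = baseline[host]
            spread = max(b["stdev"], 0.1 * b["mean"], 1.0)
            z = (nbytes - b["mean"]) / spread
            if nbytes >= min_bytes and z >= z_threshold:
                alerts.append({"type": "volume", "host": host, "day": day,
                               "bytes": nbytes, "z": round(z, 1)})
    for day, host, dst, nbytes in records:
        if host in baseline and dst not in baseline[host]["dests"]:
            alerts.append({"type": "new_destination", "host": host,
                           "day": day, "dst": dst, "bytes": nbytes})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in detect(parse(OBSERVED_LOG), base):
        print(alert)
```

Run against the constructed data, ws-finance-01 stays quiet while ws-hr-02 raises both a volume alert and a new-destination alert for 192.0.2.99. The absolute floor (`min_bytes`) matters as much as the z-score: without it, a host that normally sends a few kilobytes would page on every software update, and analysts stop reading the alerts that matter.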

Ultimately, CEOs need to get the fundamentals of security right.  That means a holistic posture: strong authentication, continuous monitoring that alerts on suspicious data activity, the necessary professional expertise at hand, and open communication between the board of directors and the CIO.

2014 has seen its share of mega breaches: Target, CHS, and now Sony, to name just a few.  Although it's true that you will always be vulnerable to a breach, the reality is that organizations haven't been doing enough to secure their data.  Are privacy and security just overrated?  If you care about privacy, make sure your users and clients are in a safer place in 2015.
What was your biggest security takeaway from the Sony hack?

Photo courtesy of Maksim Kabakou