The decision by Sony Pictures Entertainment to withdraw from release its buddy comedy movie, “The Interview,” over cybersecurity threats and hacking of company emails made public by a mysterious group calling itself the Guardians of Peace has triggered much alarm among business leaders well beyond the entertainment industry.
At a recent New York gathering hosted by Yale’s CEO Institute, business leaders said that they fully appreciate Sony’s decision to withdraw the movie from release in theaters, but they expressed dismay over Sony’s capitulating to threats. “I understand they are pressed by legal counsel to make the decision to withdraw the movie,” said one CEO, “but I am saddened that this represents a defeat for our First Amendment rights to say what we want even if what we say is stupid.”
Such discussions tend to be conducted in a bloodless, high-minded environment. But when Sonnenfeld introduced the issue of cyber threats using the Sony Pictures incident, the tone quickly became heated, with some CEOs interrupting others and many speakers manifesting alarm at what they see as a growing threat to business. Cybersecurity is no longer about losing customers’ credit card and social security numbers via a successful hack into a big-box retailer. One expert said that if the Pentagon has identified that 2,000 companies have been successfully hacked “that they know of,” how many companies have actually been penetrated that have not been discovered?
The FBI said evidence points to North Korea as the culprit behind a hacking of Sony Pictures that led the studio to pull the movie “The Interview” out of theaters. On Monday, Dec. 22, CNN released an interview with Sony CEO Michael Lynton in which he stated that it was the movie theaters that backed out, not Sony. Since then, Sony backpedaled and did release the movie on Christmas Day.
Addressing North Korea’s hack of Sony at his end-of-year news conference, which came out prior to the interview, President Obama said the movie studio erred in canceling the film. “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States,” he said. Regarding North Korea, Obama said, “we will respond … in a place and time and manner that we choose.”
The Yale Summit, hosted by the Institute’s president, professor Jeffrey Sonnenfeld, is a bi-annual closed-door, off-the-record conference of leaders from finance, business, healthcare, technology and professional service companies.
The lesson CEOs have drawn from the Sony incident is that the bullying and blackmail are merely the opening salvo of a much more serious conflict. As one leader said, “I am thankful that this threat was aimed at an incidental industry—entertainment—that affects practically no one directly. What happens when an aerospace company, a bank, or a major electric utility is successfully hacked and their systems are wiped out? Our economy and the general public could be seriously compromised.”
“Electric utility companies are much more vulnerable than, say, banks,” observes Tom Pettibone, CEO of Reston, VA-based IT services firm Transition Partners. “For example, many are still using Windows XP, which has a lot of holes where would-be attackers can readily penetrate. It’s one thing if a company’s email is hacked, it’s quite another when the company’s entire system goes down as it did with Sony,” he says.
The global risk of cyberattacks is a real and growing threat, and could carry a whopping cost, according to a McKinsey & Company report on enterprise IT security implications. As a result, the price tag—the material effect of slowing the pace of technology and innovation due to a lack of cyber-resiliency—could be as high as $3 trillion by 2020, McKinsey says. The asymmetric effect of a small number of successful attackers, leading to tighter government restrictions, could mean that: “the world would capture less of the $10 trillion to $20 trillion available from big data, mobility and other innovations by 2020—the ultimate impact could be as much as $3 trillion in lost productivity and growth.”
Business’ vulnerability is by no means confined to large-cap companies. Many attacks involve mid-market and smaller businesses because their systems are less robust and typically more vulnerable. The effects can be devastating, leading to loss of livelihood and, in some cases, the entire business. A 2013 Verizon Data Breach Investigations Report found that 62% of breaches impacted smaller companies and that this number is likely undercounting the true volume, because it assumes organizations are fully aware when they are breached.
The vulnerability is accentuated by the “bring-your-own-device” era as employees access an increasing amount of a company’s business-critical applications from their personal mobile devices. Such devices sit outside the established security controls of most companies, allowing cyber thieves easier access to data. Small business owners and operators understand that the impact of an embarrassing or costly data breach can mean much more—up to and including loss of livelihood or the entire business enterprise. The majority of attacks target small and medium-sized businesses because they are typically much more vulnerable than large enterprises, and the effects can be devastating.
McKinsey and the World Economic Forum conducted a survey in 2013 of 200 enterprises, tech vendors, and public sector agencies. Executives in the survey displayed “an emerging consensus” on what those models should be. Here are the seven cybersecurity best practices described in the report:
- Prioritize information assets based on business risks.
- Provide differentiated protection based on importance of assets.
- Deeply integrate security into the technology environment to drive scalability.
- Deploy active defenses to uncover attacks proactively.
- Test continuously to improve incident responses.
- Enlist frontline personnel to help understand the value of information assets.
- Integrate cyber-resistance into enterprise-wide risk-management and governance processes.
As we head into 2015, a cutting-edge cybersecurity strategy must be on the top of every CEO’s to-do list.
World Economic Forum: Risk and Responsibility in a Hyperconnected World