What CEOs Can Learn From the Sony Cyberattack

A closer look at what happened to Sony suggests that the nature of the recent cyber breach was more serious than first thought. As the story continues to unfold, we may find out that the North Koreans are not the true hackers. However, regardless of the origin of the perpetrators, it is clear that the incident should serve as a wake-up call for board members and CEOs.

In a recent attempt to survey 580 CEOs about security, we received a response rate of less than 1 percent. Today, thanks to the impact of Sony’s cyber attack, we believe that number would be much higher.

While Sony’s breach spawned the broadcast of an embarrassing amount of sensitive data, it also shut down the company’s computers and put the company in limbo for several days. Sony tried to continue with manual systems but simply couldn’t keep up. Even worse, it was unable to pay actors, suppliers and employees. Sony had to suspend operations until the company could rebuild the computer systems and networks.

Known as “Destover,” this class of malicious software (“malware”) is dangerous because it disrupts computer and company operations by first copying data and then erasing the “Master Boot Record,” disabling the computer storage. Similar disruptions occurred in 2012 at Saudi Aramco, where 30,000 terminals were shut down by the Shamoon virus, and in Iran in 2009, where the Stuxnet worm destroyed a thousand centrifuges.

To create further damage, the hackers posted online several unreleased films that undoubtedly cost millions in production expenses. Plus, they exposed thousands of sensitive and embarrassing emails, movie scripts, HR data, salaries, legal reports, passwords and the personal information of hundreds of employees and actors.

The Sony experience comes on the heels of a recent breach at JPMorgan. In June 2014, hackers stole an employee’s password and deposited malware on the company’s servers. Over several months, they eluded the company’s sophisticated alarms by extracting a huge amount of data very slowly.

While one cannot address all security risks, there are things CEOs can do to mitigate the risk of a breach. The answer lies in analyzing all areas of vulnerability and consciously deciding what to protect—and to what degree.

Cyberattacks come from hackers who breach company firewalls and security systems, stealing data and/or disabling the computers. Some believe that hackers are stopped by robust firewalls and sophisticated detection software, but that is only a part of the solution. Hackers gain easy access through three pathways—people, processes and systems.