People Problems
Most breaches (some say 80 percent) come through the “people route”: employees, subcontractors, suppliers and anyone else who has authorized access. It’s the easiest way. The “people route” includes:
1. Negligence. Many penetrations occur through simple negligence: misplaced or stolen laptops and cellphones, or passwords left in plain sight. A hacker may ask to borrow your phone for an “emergency call.” These are by far the easiest and quickest ways hackers penetrate security barriers and insert malware in company systems, creating hidden pathways for instant or later access. It takes only seconds.
2. Disgruntled Employees. A disgruntled employee might simply hand over his passwords or lend the hacker his phone for a few minutes. Some believe the Sony hackers had inside help because they said, “Sony doesn’t lock their doors physically, so we worked with other staff with similar interests to get in.”
3. The “Candy Drop.” The hacker provides free CDs or thumb drives to conference attendees. Ostensibly loaded with conference information, they are also infected with malware that the conference attendee unknowingly loads onto his laptop and subsequently onto the company’s computers. Free CDs and thumb drives may also be passed out by third parties in company classrooms, social functions and even company gyms.
4. Phishing. The hacker sends enticing emails with a “click on this offer” invitation. Once the email is opened, the hacker uploads malware to the computers, unbeknownst to the employee.
5. Greed. A cash-strapped employee sells his access information to a hacker.
Employee and supplier awareness sessions and training are mandatory for people to understand the risks, the methods and their obligation and responsibility to protect company assets. They must be told the impact of failing to do so. Constant effort must be made to identify and resolve disgruntled-employee situations. Other people with access (contractors, suppliers, etc.) must be contractually bound to company security.
Process Issues
Weak company processes are another major area of vulnerability that hackers frequently exploit. These include:
1. Weak network access controls. While it is recognized that strong network security controls frustrate ease-of-use, weak security controls are easily penetrated and provide ready access to hackers. Restricted access, robust firewalls, segmented and secure networks and applications, and diligent network traffic monitoring are the minimum measures companies should have in place to reduce risk.