The Sony Pictures Entertainment Hack Case Report

Muyuan Li
May 12, 2018

Sony Entertainment Inc. is a global entertainment company established in 2012. It focuses on Sony’s motion picture, television, and music businesses. In 2014, this multinational corporation faced a huge cyber attack that exposed a large amount of personal information about its employees and clients. The incident was triggered by the film The Interview, which is about the assassination of Kim Jong Un, the North Korean leader. Even though North Korea openly denied involvement, it called the attack a “righteous deed”. This report expands on the effects of the attack on Sony Entertainment, looks at the solution that the company implemented after the attack, and considers the benefits and gains that the company received from that solution. It also examines SPE’s business strategies through a SWOT analysis of the Sony Corporation as a whole.

Company Analysis

Company History/Background

Sony Pictures Entertainment (SPE) is a world leader in movie and television production, development and distribution. It was founded in 1987 in Culver City, California. SPE is the television and film production/distribution unit of Sony, a Japanese multinational conglomerate with diversified businesses in consumer electronics, gaming, entertainment and financial services. SPE was ranked third among all the movie studios with a 12.5% box office market share in 2011.

Sony entered the television and film production market when it acquired Columbia Pictures Entertainment in 1989 for $7.2 billion USD. The production company has produced many famous movies such as the “Spider-Man” series and the “Men in Black” series.

Problem/Issue with the Company from Management Information Systems Perspective

On November 24, 2014, a hacking group named “Guardians of Peace”, or GOP, successfully attacked Sony Pictures Entertainment, gaining access to, first, personally identifiable information on 47,000 current and former employees and their dependents; second, numerous sensitive emails among top SPE executives concerning actors, financial deals, creative disagreements and executive salaries, as well as complete copies of unreleased Sony films; and third, names, addresses, SSNs, driver’s license information, credit card information used for corporate travel and expenses, usernames and passwords, and compensation information. The hackers claimed to have stolen over 100 terabytes of data. GOP initially stated they would release the most damaging information over the Internet, which included copies of SPE films that had been released or were yet to be released, and they announced they would continue to release more interesting SPE information. Then on November 27, 2014, GOP released five Sony films, including four that had yet to be officially released, onto online file-sharing hubs. Within a week, Brad Pitt’s Fury, which was already in theaters at that time, was illegally downloaded more than 1 million times (Robb, 2014).

The reason for this attack is thought to be related to SPE’s 2014 film, “The Interview”. The film is mainly about an interview team that is invited by North Korea’s leader, Kim Jong Un, to interview him in North Korea and eventually assassinates him on the instructions of the CIA. Prior to the attack, North Korean officials expressed concerns about the film to the United Nations, stating that the distribution of such a film on the assassination of the head of a sovereign state should be regarded as “the most undisguised sponsoring of terrorism as well as an act of war”. On December 16th, 2014, GOP explicitly named the film and further threatened to take terrorist actions against the film’s New York City premiere at Sunshine Cinema on December 18th. They additionally threatened the same action on the film’s America-wide release date. On December 18th, two messages allegedly from the GOP appeared. The messages said that GOP would not release any further information if SPE agreed not to release the movie and to remove it from the Internet completely, and that SPE had “suffered enough” and could release the film only if Kim Jong Un’s death scene wasn’t “too happy”.

Following the attack, everything was essentially “off the grid”; SPE reverted to using fax machines, paper checks, posted messages, etc. The main response from law enforcement was the launch of an FBI investigation. In 2014, it was announced that the FBI had connected the attack to the North Korean government based on intelligence gathered during a 2010 US hack of North Korea’s networks. North Korea denied all responsibility for the hack. Even though North Korea was a main suspect, the FBI also investigated alternative scenarios, including the possibility that a current or former SPE employee was involved.

Sony’s response to the hack consisted of shutting down its entire network on November 25th, 2014. It pulled the theatrical release of The Interview on December 17th. Two days after that, President Obama named the attack “cybervandalism” and denied that it was an act of war. He also stated that SPE’s decision to pull the film was a mistake because the company was essentially giving in to the hackers’ demands. Threats were also made to various movie theater chains, including Carmike Cinemas, Bow Tie Cinemas, Regal Entertainment Group, AMC Theaters, and Cinemark Theaters, resulting in them announcing that they would not screen the film. On December 23rd, 2014, SPE decided to authorize 300 largely independent theaters to show the movie on Christmas Day. After that, SPE released the film on Google Play, Xbox Video, and YouTube. SPE felt that it needed to defend its decision to pull the theatrical release of the film in the first place. It claimed to be the “blameless victim”. It felt that the attackers, coming from a foreign government, had more resources to attack than Sony had to defend itself. The studio concluded that the attack was unstoppable, and even the FBI and the security company FireEye acknowledged that the malicious software used in the hack was “undetectable by industry standard antivirus software”.

Even though the software was difficult to detect, Sony definitely failed to employ basic information security countermeasures. For example, the company’s email retention policy left up to seven years of old, encrypted messages on the company servers. Additionally, Sony used email for long-term storage of business records, contracts, and documents it saved in case of litigation. Finally, all of its sensitive information, including usernames and passwords for IT administrators, was stored in encrypted spreadsheets and Word files with names such as “Computer Passwords”.

Information Technology Solution for the Company

Since the attack, Sony has implemented a “secure rebuild” information security strategy as its information technology solution. The first part of the plan is to establish the fundamental idea of zero trust. The objective of the new strategy is to keep attackers from entering the company’s networks and so prevent them from accessing information. If an attacker does get in, Sony will block them from accessing the information, and if they do access it, Sony will block them from stealing it. Sony lists a few specifics: Internet access will be tightly restricted; Sony will keep as little information as possible on its active network, and the remainder will be stored securely, encrypted, and cut off from the Internet; emails will be archived after a few weeks; system administrators will have access only to the areas they need for their jobs; employees will be able to install only pre-approved applications; all users must use the two-step login (multifactor authentication) procedure; and firewalls will be placed on their most restrictive settings.

SWOT Case Analysis

Since Sony Pictures Entertainment is a unit of Sony, a SWOT analysis was done on the company as a whole:

Strengths:

One of Sony’s biggest strengths is the diversity of its products. Sony Corporation not only owns Sony Pictures Entertainment but also has consumer electronics, smartphone, games, music, and financial services businesses. In 2016, only 11.6% of the group’s revenue came from its pictures division (Sony Corporation, 2017), showing that if revenue in one division goes down, it has the other divisions to fall back on. Sony also has consumers in a diverse range of places, with only 21.4% from the US (Sony Corporation, 2017). Having such diversity both in products and geographically is a big strength in minimizing the threat from other similar companies.

In its End of Year 2017 SEC financial statements, Sony shows its focus on R&D. The total amount of money spent on research and development decreased from 468.2 yen in 2016 to 447.5 yen in 2017 (Sony Corporation, 2017). Although this seems like a large decrease, most of it came out of the mobile communications division, with some of the other divisions receiving increases in money spent on research and development. Since Sony is in such an innovative market with many competitors, research and development is very important. It needs to stay on top of new technology and ideas. Since it has many diverse products and areas, there is also a lot of room to shift which programs or divisions are allotted the most research and development funds.

Sony has a huge focus on sustainability, in both its products and its corporate life. In 2015, Sony founded a new initiative called “Green Management 2020” in which it will reduce annual energy consumption by 30%, call on its manufacturers and suppliers to reduce their carbon footprint, and use more renewable energy (Sony Corporation, 2017). Through these programs, Sony will not only be able to help the environment; the initiatives could also lead to its customers having a better image of the brand.

Weakness:

Because the company’s headquarters are in Japan, a lot of the manufacturing takes place there as well. Since Sony has such a large customer base, 86% of the products manufactured in Japan were to be shipped to other places (Sony Corporation SWOT Analysis, 2017). This is inefficient because of the labor and equipment needed to ship the products to their destination. There is also a risk in producing a good in one place, as the good is then dependent on the success of the place where it is produced.

Another concern for Sony is its weak management system. In 2011, Sony was reported to have suffered a massive breach in its online video game network that led to the theft of names, addresses, and possibly credit card data, affecting 24.5 million users (Sanchez, 2015). Yet Sony took over a week to alert users that their personal details may have been stolen. Later on, a Purdue University professor testified that Sony had failed to use firewalls to protect its networks and sued Sony (Sanchez, 2015). However, Sony declined to appear before the hearing and instead released a statement that the breach had prompted the company to strengthen security across all of its products (Sanchez, 2015). Despite this statement, another major cyber attack occurred in 2014. This shows that Sony has a weakness in its management team, as the executives failed to take proactive responsibility for the security breach, which resulted in current and former employees’ personal information being leaked.

Opportunities:

Sony has immense opportunities, since a lot of their products are centered around technology. Technology is always changing and new products are constantly being developed. Sony has the opportunity to capitalize on these new technologies.

Since Sony already has huge product diversification, the company can further expand its products in those product lines and explore opportunities in related industries. For instance, people are gradually placing more value on the home entertainment and gaming industries. Moreover, the popularity of recorded music and digital streaming has also increased significantly over the past few years. As the industry leader in entertainment and electronics, Sony can take advantage of this and try to innovate and deliver value-added content to support and integrate its product line. Additionally, Sony is a multinational corporation, and this gives the company a competitive edge in a globalized world by allowing it to reach markets all across the globe.

Threats:

Film and television is an increasingly competitive market. They must compete with other movie studios in order to get rights for scripts and the best actors, writers, producers, etc. With the increasing audiences on platforms such as Netflix and Amazon Video, the world of movie production has changed.

With the increased use of the internet comes an increased possibility of counterfeit products, especially in the pictures department. It is very easy to record a movie and upload it to the internet. These illegal copies of movies can then be seen by customers for free or at a cheaper price. Since customers can receive the products they want for a cheaper price, this cuts down on the available profit for Sony.

Benefits/Gains from the Solution

After the attack, on December 22, 2014, North Korea experienced an Internet failure and its government blamed the US, saying the disruptions were an attack in retaliation for the SPE hack. The US government denied any role in the disruptions. There were also many repercussions for Sony and the US government. Sony’s analysts estimated that the cost of the attack could exceed $150 million, which included business disruption, loss of information and revenue, decreased customer confidence, and more. Yet the damage to SPE’s reputation was incalculable. Many employees also sued SPE for not being able to protect their personal information. Because of this, SPE offered one year of free credit monitoring and fraud protection to current and former employees. In July 2015, a total of seven cases were consolidated into a proposed class action lawsuit in the LA federal court. In October 2015, Sony agreed to pay up to $10,000 to each claimant for identity theft losses and up to $1,000 each to cover the cost of credit-fraud protection services in connection with the cyber attack. The total settlement was expected to cost Sony $8 million. As for the repercussions for the US government, the US military has a responsibility to help protect and defend the nation’s critical infrastructure, such as power grids, banking systems, and communications networks, but entertainment companies are not part of that infrastructure. Therefore, two questions are asked of the US government. If a foreign government is attacking US corporations, what is the federal government’s responsibility? If the US government had known of an impending cyber attack on SPE, why didn’t the government warn SPE?

Overall, there were several repercussions following the hack, and because of this whole experience, Sony and the world essentially learned three lessons. First, if you are connected to the Internet, your information is simply not safe. Second, no one should commit anything to email that he or she would not want to see on the front page of a newspaper. Third, the likelihood of serious breaches is increasing, and the damage that the breaches can cause is also increasing. Therefore, the time, effort, and money that organizations spend on information security need to increase as well. Because of the hack, Sony got a “wake-up call” and finally resolved the major flaws in its information security. This led to many solutions that will prevent anything like this from ever happening again, and that is the main benefit or gain from the new information security protocols or solutions.

Questions Answered

1) Was Sony’s response to the breach adequate? Why or why not?

While the attack that occurred might have been advanced, Sony’s response to the breach was inadequate. First, Sony failed to spot the breach beforehand. Sony’s attackers were able to access the company’s network for some period of time prior to the attack (Schwartz, 2014). Even though it is unclear how long the breach lasted, Sony didn’t appear to have detected the intrusion until the attackers’ malware had already exfiltrated large amounts of Sony data. Moreover, Sony’s first response to GOP’s demand, pulling the plug on “The Interview”, was a wrong move as there was no credible threat being made. Then, when GOP started leaking stolen content, Sony hired a high-profile attorney and threatened to sue media outlets, the messengers in this attack (Schwartz, 2014). The final reason why Sony’s response was deficient is that Sony executives failed to take proactive responsibility for the security breach. In both the 2011 hacking case and this attack, the executives defended their decisions as those of blameless victims and failed to provide basic countermeasures.

2) Should the U.S. government help private organizations that are attacked (or allegedly attacked) by foreign governments? Why or why not?

The U.S. government should help private organizations that are (allegedly) attacked by foreign governments because, in the past few years, there has been an increase in the rate and the severity of cyber attacks on U.S. companies. For instance, in 2014 alone, Target, JPMorgan, Michaels, UPS, and many more were hacked and lost large amounts of confidential customer credit card information. Then in 2015, Cravath Swaine & Moore and Weil Gotshal & Manges were hacked by Chinese hackers and lost $4 million in trading information (Roberts, 2017). In 2016, Bangladesh Central Bank was hacked by North Korean hackers who reportedly exploited weaknesses in the SWIFT payment system to steal $81 million (Roberts, 2017). Despite being hacked, these companies couldn’t do anything except upgrade their security measures, which are hackable and do not discourage hackers. Therefore, given the past record of numerous instances of companies being hacked by foreign companies and the ever-changing risks in the cyber environment, the U.S. government needs to do more to support the private sector so that it discourages malicious hacking behavior. Moreover, especially if foreign governments are behind these hacks, private organizations are even more vulnerable, and they don’t have any power to go against the country or do anything about it. Therefore, the U.S. government should establish sound cybersecurity measures for private companies while not creating regulations that hinder businesses.

Conclusion/Recommendations

On a final note, in February 2016, the cybersecurity companies Kaspersky and AlienVault announced that they had found new evidence linking the SPE attack with ongoing malware attacks directed at South Korea. They didn’t disclose specifically where the attack originated, but they said the evidence points to a group operating out of North Korea. As for recommendations, Sony definitely learned that in order to keep up with the overall advance of technology, it needs to stay on its toes regarding information security. It has become, and will only continue to become, easier to perform computer hacks, and the skills necessary to perform them are decreasing. Sony needs to continuously update, modify, and implement technology and information security measures if it wants to prevent another catastrophic event like this one from ever occurring again.
