Lessons a small company can learn from the Sony Pictures cyber attack.

Last year we heard about the ordeal that Sony Pictures went through. Its systems were successfully attacked and penetrated by hackers. Large amounts of sensitive, business-critical information were stolen, and the attackers have been leaking terabytes of it to the Internet.

What if this happened to your company? Do you have systems and procedures in place to prevent this kind of attack? If your systems were breached, are you aware of the damage the leaked information could do to your business?

All these questions are frequently brushed aside. Thinking that your company is not big enough to be a target of attack is to live in denial. As more and more business-critical information is moved to the web, companies must be aware of the security concerns involved.

Security is in a constant struggle with convenience. I’m pretty sure that Sony’s IT department was aware that certain parts of their infrastructure were vulnerable to attack. The problem is that sometimes business requires a certain level of convenience. We’re used to the constant flow of information. We write emails that could contain sensitive data without thinking about the consequences. We send unsecured spreadsheets and documents all over the web. We dismiss InfoSec requests to create and change secure passwords. Each of these habits opens a chink in any security implementation.

But what can a small company learn from Sony’s attack? I think we can analyze the situation and at least come away with a few important lessons:

  1. Every company can be the target of a cyber attack. No matter how small or niche your company is, if you store business-critical information online, it can be attacked and stolen. You must be aware of this and carefully select what data you store in the cloud, and when.
  2. The company should be aware of the consequences of an attack. What would the company lose if its systems were compromised? Would it lose clients, revenue or reputation? Would it be responsible for damage to third parties? Could it be legally liable for any such damage?
  3. Is the company’s staff educated in security procedures? Not every single employee needs to be a security expert. However, every employee should be aware of the security implications of their work. They should at least have the common sense to ask if they’re in doubt. There should also be measures in place to prevent terminated employees from accessing the company’s data. Have you thought about the damage a disgruntled ex-employee can do? Many attacks come from the inside. It’s a mistake to focus on outside attacks and leave insiders with full access to data.
  4. Business leadership must understand and embrace security. The job of InfoSec should be to educate top management about risks. If the decision is made to disregard part of the risk as negligible, management should be aware of the consequences. These decisions should be made only after proper analysis and evaluation. Security shouldn’t be taken for granted.
  5. Understand the balancing act between security and convenience. It would be easy to take the paranoid route and ask for everything to be locked down, but this would create problems for the business: a 100 percent secure system won’t be a functional one. A careful analysis of the business requirements should be made in order to decide when convenience should take priority over security and vice versa. This analysis requires that IT and InfoSec work closely with the business. A proper understanding of business processes and strategy is very important. With that understanding, IT can make suggestions that facilitate the proper implementation of technology.

Based on these five points, how prepared is your company? Do you think security is a priority? Do you see a change in the way we do business now that cyber-warfare is here?