[Corrected, see below] The Sony saga continues. Last week, the FBI said there is enough information to conclude that the North Korean government is responsible for the Sony cyberattack. Now some are beginning to wonder how the U.S. should retaliate. Surely, new developments will continue to unfold, but our focus remains on what this breach means for other corporations, and how data breaches may be prevented in the future.
In many ways, what happened to Sony isn’t new. Companies have long dealt with hackers who break into computer networks and steal trade secrets and/or customer’s financial data. What made the Sony hack different was the many terabytes of data which were siphoned out… without anyone noticing. It also took the consequences of a cyberattack to a whole new level, with Sony cancelling the Christmas premiere of “The Interview.” [A previous version of this paragraph said “millions of terabytes,” but that has been corrected—Eds.]
Some experts have said that the Sony hack was unprecedented, and it would have been impossible to prevent. We agree, but only to an extent. It is now widely accepted in IT security circles that network and system breaches (the bad guys getting in) are inevitable—there is no silver bullet solution, and there aren’t enough dollars in any IT budget to address every single security vulnerability in their network. But just because the bad guys are getting through the door, doesn’t mean they can or should be able to walk out with the crown jewels.
CEOs should be asking themselves, “If Sony could have prevented hackers from stealing movies, scripts, and personal e-mails, would it still be the disaster that it is now?” The answer is “No.” Companies absolutely can protect sensitive information and prevent it from being stolen. There are proven solutions on the market that specifically address data loss prevention which requires you to: classify the data, put in a data usage policy, and strictly enforce it. These solutions simply haven’t been adopted as widely as network-based solutions because they are harder to implement and touch employees directly; thus, some employees will complain. But we all need to get over it.
This is the reality of the hacking environment in which we live and conduct business. Companies need to completely rethink the way they approach security. If we make it even fractionally harder to steal sensitive data—or render the data useless once outside the network, the hackers will move on to an easier target.
The only way to ensure that when the bad guys get in, your sensitive data does NOT get out, is to implement a security strategy that does two things:
1. End the overt focus on protecting the network only. Almost 100 percent of global enterprises and government agencies have security programs that start and end “on the network.” Why? Because it’s easier—racking a device on the network causes very little organizational friction. Yet we purposely plug holes in the network every day to conduct business, and these holes will mean the network will always be vulnerable to attackers.
2. Protect the data. The industry speaks of the inevitability of hacks. But we must realize even if that is true, data extraction is absolutely not inevitable. For several years some vendors have been enhancing and strengthening their data loss prevention products. They, in some cases, are far better than the earlier versions. The problem is that most data loss prevention products purchased are also network based, which leads to many of the same problems network security products have. Data protection needs to live where the data is; on the server, on the laptop/desktop, in the cloud, etc. Data loss prevention for the endpoint is the single most effective solution to data breaches, yet it is deployed in a fraction of corporations.
You don’t need to start with a massive classification project covering every piece of data in your organization. Instead, think like an attacker to identify the data most attractive to an adversary. Sony just took a bullet for all of us. They’ve given us a theme for 2015: it’s all about the data. The concept is so simple and so seemingly obvious. But, alas, it’s not obvious enough, and that’s why Sony is staring at its worst moment as a company.
Will the company recover? Absolutely. In fact, we believe it will thrive. But all companies large and small should consider this their wake-up call.