Sony Cyber Attack: A Case Study in Cyber Leadership Failure
Cyber Leadership Only Gets Attention AFTER THE ATTACK
I am the first to admit that protecting your company against cyber attacks and the resulting data breach is a daunting task. There are thousands of moving parts connecting your systems, people, customer/employee data and the Internet. Most companies that are breached (e.g., Target, Home Depot, Staples, Chase Bank) take more steps than the average business to protect their customer data. But just taking more steps isn’t always enough; you have to take the right steps.
The recent Sony “Interview” Cyber Attack, in contrast, shows a blatant disregard of basic cyber leadership principals, making it a perfect case study for what you should NOT do as an executive protecting the data on which your business runs. Let’s go back a step. Sony Corporation suffered a crippling cyber security attack (supposedly from North Korea at the hands of a group calling themselves the Guardians of Peace) because of the controversial nature of its movie, The Interview, which depicts the attempted assassination of it’s leader, Kim Jong-un. The consequences of the hack will number in the hundreds, the costs in the hundreds of millions.
Immediate Consequences of the Sony Cyber Attack
- Sony forced to cancel the 12/25 release of “The Interview” and then suffers massive negative PR for giving in to the cyber criminals
- Sony’s entire network was shut down for the better part of the week, meaning no one could really work (that had to be costly)
- Hackers spoil the release of five upcoming Sony movies by leaking them early including Brad Pitt’s Fury and Annie
- Hackers release pre-bonus salaries of Sony’s Top 17 Executives and 6,000 employees
- Hackers expose passport and visa PDFs of cast and crew members, including Angelina Jolie and Jonah Hill
- Hackers divulge 25-page list of employee workplace complaints
- Hackers share 30,000 Deloitte consultant salaries, and medical information on a number of Sony employees
- Sony’s former employees file three early class-action lawsuits against Sony because of negligent handling of employee data
- A trove of embarrassing emails between Sony execs and various recipients expose C-Level racial bias
- In an embarrassing email, Sony executives out Angelina Jolie as a “spoiled brat”
- After being reprimanded by President Obama, Sony decides to release “The Interview” (after suffering millions in losses)
Cyber Leadership Lessons of the Sony Cyber Attack
Your organization can learn from the Sony Attack in a way that helps you avoid their costly fate. But you must communicate these lessons to your team:
- Leverage the Hack. As you might recall, this isn’t the first high-profile hack at Sony. The Sony Playstation Network was attacked and 77 million records were compromised with an early price tag set at over $1 Billion. After their first major data breach, most companies get dead serious about protecting their information assets. Sony apparently did not. Good companies get hacked all the time (yes, yours will too), but wise companies leverage the pain of that first attack to motivate change and minimize the impact of subsequent attacks. If you are the average organization the we work with here at The Sileo Group, you are likely taking only a fraction of the steps you should be prior to an embarrassing cyber attack. As a rule of thumb, you throw a small technology budget at cyber security so that you feel better, but do little to train the humans that are ultimately responsible for getting that technology to work. I can live with that, because it seems to be part of business DNA to ignore a problem until it’s tangible. But to continue to ignore data security after your first wakeup call is arrogant, costly and a sure sign of an ineffective leader.
- Start with Executive Ownership. The root of corporate culture begins at the top. As executives behave, so will the employees beneath them. Sony CEO Michael Lynton routinely received copies of his usernames and passwords in unsecured emails for his and his family’s mail, banking, travel and shopping accounts, from his executive assistant, David Diamond. If the CEO of the company doesn’t practice good password habits, safe email procedures and basic cyber-security protocols, he or she CANNOT EXPECT the rest of the company to do so. When we see companies with executives and managers that don’t follow internal security guidelines, we know that we are dealing with an unhealthy culture weakened by hypocrisy, denial and lack of ownership. Before security will work, you MUST CHANGE THE UNDERLYING CULTURE. You’ll know the culture has changed when your executives think about what they write in emails before sending them (or at minimum they securely encrypt any emails with racist, sexist or otherwise abhorrent opinions).
- Pick the Low-Hanging Fruit First. Companies often spend voraciously on firewalls and anti-virus, threat-detection software and encryption, but forget to solve the simple problems first. They spend because it feels good, even if it’s ineffective. For example, some of the Sony files breached by the Guardians of Peace had filenames like “Passwords” (you guessed it, they contained company passwords). The attackers were able to obtain such information as movie-star e-mails, confidential mega-deals, payroll information, released and unreleased films, employee medical records, Social Security numbers, photocopies of U.S. passports and driver’s licenses, attachments with banking statements and even aliases actors use when checking into hotels. Security is a bit like picking fruit – some fixes are instant, inexpensive and low-hanging. Just because they are EASY doesn’t make them LESS IMPORTANT. Why import avocados from overseas when you have some hanging in your own back yard? Running a simple system-wide file search on words like “password”, “financials”, “confidential” and a handful of critical terms is the most basic of procedures. Training employees on good password habits (and then holding them accountable), is easy and inexpensive, especially if you make the training entertaining and therefore memorable. Other low hanging fruit: Making regular backups that allow you to recover hacker-sabotaged data; Strong, constantly-updated anti-virus software and OS patches; Default-deny firewalls; Spam malware filtration; secure Wi-Fi networks; protected mobile devices…
- Don’t make unflattering movies about unstable dictators unless you’re prepared to be the poster-child of 1st Amendment rights.
As former Defense Secretary Leon Panetta predicted in a speech in October 2012, it would take a cyber “Pearl Harbor”—a power-grid collapse, poisoned municipal water supply, loss of lives—to make Americans appreciate computer vulnerability. Let’s hope that Sony’s casebook example of Cyber Leadership Failure will at least wake up your company, thereby preventing a cyber “Pearl Harbor” in your organization.
John Sileo delivers keynote speeches designed to make security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact The Sileo Group directly on 800.258.8076.