If you’re reading this column (and I’m pretty sure you are), your job probably requires making hard decisions about security. Which is more important: employee usability or security? Cost savings or security? Working on the CEO’s pet project or boosting security?
Making the decision even harder, the people in your organization aren’t required to see the whole picture—just their part of it. Most employees don’t care about security. They just want everything to be easy as possible.
The bean counters don’t care about security. They just want everything to come in on budget.
The lawyers do care about security, but they don’t care how much it costs or how many scarce resources are diverted to achieve it.
The thing about security is that everything is fine until it isn’t fine. In other words, time and money spent on security feels like a waste of time and money when it succeeds, because successful security reduces security-related problems and therefore makes those problems seem nonthreatening.
Decisions about security are hard. But what you need to know is that the recent breach of Sony Pictures Entertainment should—in fact, it must—change everything you previously assumed about security.
A Brief Postmortem
On November 24th, Sony Pictures Entertainment got hacked. The hackers downloaded what is probably dozens of terabytes of data, including trade secrets, email and personnel records. Then they erased servers and PCs, including the boot records, making full recovery difficult or impossible.
The hacker group, which calls itself the GOP, or Guardians of Peace, released some of the stolen information to the public, and they have threatened to release more. That information includes extremely compromising and embarrassing information and conversations about staff, partners, Hollywood stars and even President Obama.
Sony Pictures is threatening journalists about using information stolen in the hack because it’s so damaging. But because the U.S. Constitution’s first amendment protects the press, Sony’s threats are empty. So the company has to stand by while the media pour over every word ever exchanged via company email, as well as every HR performance review and termination.
The hackers also appear to have released five films to the torrent sharing sites. They include Brad Pitt’s Fury and a remake of the musical Annie, essentially giving these products away for free before the company has the chance to bring them to market.
It’s unclear whether the hack was a state-sponsored retaliation by North Korea for a Seth Rogan and James Franco comedy called The Interview, which is set in North Korea. Either way, the hackers have threatened executives and employees of Sony Pictures if the movie is released. So Sony Pictures capitulated and canceled the release of the film, which had been scheduled for Christmas Day.
As a result of the cancellation, the Alamo Drafthouse movie theater in Dallas planned to screen Team America: World Police for free on December 27 instead of The Interview. (Team America is an outrageous comedy by the makers of South Park that mocks the North Korean leadership.)
Then Paramount canceled the rights for the theater to show Team America, out of apparent fear of retaliation by the hackers. And the production company New Regency canceled a planned film starring Steve Carell that would have been set in North Korea.
A Slow, Painful Recovery
Two separate lawsuits are taking Sony Pictures to court over the company’s failure to protect employees’ personal information.
Meanwhile, the damage caused by the erased computers forced Sony back to pen-and-paper for a few days. At press time, the company still hadn’t recovered. Had this been a different kind of business—one that, like most companies, needs to stay up and running every single week—the company would be bankrupt by now.
Long story short: The hack was catastrophic—literally the worst hack in corporate history. Even worse, it’s a harbinger of things to come for all corporations.
Such a hack probably would not have been possible just a few years ago. The darkest fact exposed by the Sony Pictures hack is that in the arms race between corporate security and hackers, the hackers are pulling ahead.
The Sony Pictures hack should change all our calculations about security. Specifically, the likelihood of serious breaches is going up, the damage they can cause is going up, and therefore the time, effort and money to be spent should also go up. More specifically, in the balancing act you have to do to weigh security against other considerations, security has to be the top priority.
In a 2007 magazine interview, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, said he wouldn’t invest $10 million to avoid a possible $1 million loss. Now, a story in Reuters is estimating the damage at $100 million, and that is almost certainly a low-ball estimate.
It’s a tragic fact, but the Sony Pictures hack changes absolutely everything. We are now living in a post-Sony Pictures world. All our assumptions have to be revisited. All our tradeoffs have to be reconsidered.
The likelihood of a catastrophic attack on your company’s infrastructure and theft of your company’s data is going way up. And the price for failure is going way up, too.