Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Lessons from the Sony breach in risk management and business resiliency

Adam Meyer, Chief Security Strategist, SurfWatch Labs, a cyber risk intelligence company | Jan. 12, 2015
The recent Sony attack and countless other examples point to the need for board members and executives to consider cybersecurity under the concept of risk management and business resilience.

2014 made it clear that cybercrime affects everyone. From retailers to banks, consumer goods companies and health care, there isn't an industry left untouched by cybercriminals looking to disrupt, steal or embarrass. So what has to change? The recent Sony attack and countless other examples point to the need for board members and executives to consider cybersecurity under the concept of risk management and business resilience.

After all, when it comes to business resilience, most cybersecurity practitioners traditionally think of continuity or disaster recovery. However, in today's online world the term "availability" does not just apply to systems with an IT function. It also applies to the people, processes and technology that drive brand equity. In short, business resiliency is an organization's ability to recognize and weather a cyber storm, to be in a position to reduce the organization's exposure to harm and, most importantly, to quickly pivot when necessary.

The legal and liability landscape is also shifting to a business resilience state of operation as more members of the board, risk committees and risk executives are becoming accountable for business resilience — either through regulatory efforts or litigation with consumers, shareholders, regulators and business partners after a breach.

Regulators and insurers don't expect companies to be immune to risk, but due diligence and due care is expected to mitigate cyber risks, which requires complete context around the risks they face. This includes high level understanding of who may target you (Actor), what they are after (Target), any consequences if they succeed (Effect), and how they would commit the cybercrime (Practice). Let's illustrate those elements using the Sony attack:

Actor: Hacktivism' with Nation-State sponsorship

Groups like the Guardians of the Peace (GOP) and the Syrian Electronic Army represent an interesting new trend: hacktivism with nation-state sponsorship. These groups use many tactics typical of hacktivists (data leaks, website defacement, etc.) but are directly and/or indirectly supported by a nation state. In Sony's case, it looks like GOP (and whomever is ultimately responsible) used malware, data destruction and data leaks to disrupt and destroy.

While response actions made by Sony are not fully disclosed, examples of indicators and countermeasures companies in a similar situation could have considered include:

Situational Indicators:

  • Increased discussion and/or threats of attacks on social media or underground channels
  • Attempts to launch distributed denial-of-service attacks
  • Defacement of the public facing websites
  • Threats or actions that expose and organizations' stolen information

Countermeasures:

  • Increase situational awareness of geopolitical and social impacts of an organization's actions
  • Know what assets within an organization have the potential to trigger a negative response from a hacktivist or nation-state actor
  • Understand and pre-plan for cyber, brand and public relations consequences
  • Deploy anti-phishing technologies

Key Lessons for the Risk Executive: Broaden the sphere of knowledge to the risk landscape beyond what has traditionally been an IT-based discipline. Too often organizations fall into the trap of looking at only the bits and bytes, but it is critical to understand who is attacking you and why. Remember, cyber-attacks are conducted by humans who are driven by a desire to have your data. Monitor social media accounts or statements of groups that may pose a threat. Take extortion threats seriously. The malicious actor who breached Sony is said to have sent executives an email three days prior to the initial leaks.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.