Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Lessons from the Sony breach in risk management and business resiliency

Adam Meyer, Chief Security Strategist, SurfWatch Labs, a cyber risk intelligence company | Jan. 12, 2015
The recent Sony attack and countless other examples point to the need for board members and executives to consider cybersecurity under the concept of risk management and business resilience.

Targets: Employee data, IP, documents and email

While financial breaches and stolen payment card data dominate the news, most organizations have a plethora of other data cybercriminals want. In the case of Sony, employees had their personal information stolen, including banking information, passport and Social Security numbers and medical records. Intellectual property was also compromised, including several unreleased movies, scripts and television programs. Company documents were also apparently stolen, including thousands of passwords to various services and large amounts of email.

It's worth noting that theft of non-public data, even if it's not highly confidential, can lead to problems. In Sony's case, the leaked internal email led to reputation damage and other potential complications for future projects.

Situational Indicators:

  • Cybercriminals and hacktivists will often sell stolen data on the underground or leak it via social media
  • Court cases continue to define the extent of protections like cyber insurance around data that is stolen and/or leaked


  • Stay attuned to the threat landscape and what data is being targeted at organizations similar to yours
  • Don't store excess data
  • Classify all of your data and understand the level of protection required by both the law and your organization's risk tolerance
  • Understand that less protected data like email may be targeted and used to damage an organization's brand
  • Train employees on the levels of protection around various data types so they don't accidentally expose critical data in an unsafe way

Key Lessons for the Risk Executive:Classify major systems of record that, if breached, could cause a large amount of digital harm to your organization, such as systems that house personal information, health records, credit card numbers and intellectual property, and pre-plan Incident and breach response actions.

Effects: Data stolen/leaked, downtime, financial Loss

The effects from the Sony breach impacted everyone, from executives to employees. Confidential information was leaked online and several Sony employees are now suing the company as a result of the breach. Since news of the attack, Sony's stock prices has also dropped dramatically.

Situational Indicators:

  • Spike in data read volume
  • Suspicious system file changes
  • Unusual authentication and network traffic


  • Monitor activity to catch spikes or abnormalities
  • Control access by having increased controls like two-factor authentication on important data and services
  • Encrypt data to protect it even after it is stolen
  • Backup all important data

Key lessons for the Risk Executive:Ensure you have both an Incident Response (IRP) Plan as well as a Breach Response Plan (BRP) and they should be separate and distinct. Stages of transition from IR to BR should have identifiable decisions points contained within by role and level of authority. In many cases, organizations are introducing more liability to the organization by their actions post-breach in addition to harm caused by the breach itself.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.