Targets: Employee data, IP, documents and email
While financial breaches and stolen payment card data dominate the news, most organizations have a plethora of other data cybercriminals want. In the case of Sony, employees had their personal information stolen, including banking information, passport and Social Security numbers and medical records. Intellectual property was also compromised, including several unreleased movies, scripts and television programs. Company documents were also apparently stolen, including thousands of passwords to various services and large amounts of email.
It's worth noting that theft of non-public data, even if it's not highly confidential, can lead to problems. In Sony's case, the leaked internal email led to reputation damage and other potential complications for future projects.
- Cybercriminals and hacktivists will often sell stolen data on the underground or leak it via social media
- Court cases continue to define the extent of protections like cyber insurance around data that is stolen and/or leaked
- Stay attuned to the threat landscape and what data is being targeted at organizations similar to yours
- Don't store excess data
- Classify all of your data and understand the level of protection required by both the law and your organization's risk tolerance
- Understand that less protected data like email may be targeted and used to damage an organization's brand
- Train employees on the levels of protection around various data types so they don't accidentally expose critical data in an unsafe way
Key Lessons for the Risk Executive:Classify major systems of record that, if breached, could cause a large amount of digital harm to your organization, such as systems that house personal information, health records, credit card numbers and intellectual property, and pre-plan Incident and breach response actions.
Effects: Data stolen/leaked, downtime, financial Loss
The effects from the Sony breach impacted everyone, from executives to employees. Confidential information was leaked online and several Sony employees are now suing the company as a result of the breach. Since news of the attack, Sony's stock prices has also dropped dramatically.
- Spike in data read volume
- Suspicious system file changes
- Unusual authentication and network traffic
- Monitor activity to catch spikes or abnormalities
- Control access by having increased controls like two-factor authentication on important data and services
- Encrypt data to protect it even after it is stolen
- Backup all important data
Key lessons for the Risk Executive:Ensure you have both an Incident Response (IRP) Plan as well as a Breach Response Plan (BRP) and they should be separate and distinct. Stages of transition from IR to BR should have identifiable decisions points contained within by role and level of authority. In many cases, organizations are introducing more liability to the organization by their actions post-breach in addition to harm caused by the breach itself.
Sign up for CIO Asia eNewsletters.