Looking from the outside in on what has happened at Sony has not been pretty. Massive failures at many levels have led to what is turning out to be an extremely expensive, reputation crushing, and embarrassing situation. Could it have been avoided? The answer is not easy, but let’s just say that the impact didn’t have to be so great.
First, let’s admit that anyone and everyone can be hacked. I don’t care how many deterrents you have – someone can get in. That being said, once they are in the question becomes, how soon do you know, how do you know and what do you do about it. It is rumored that credentials from a System Administrator were somehow compromised and allowed malware to be installed. If Sony had an understanding of what was normal business behavior they may have identified this anomaly quickly and shut it down. Knowing what people are doing within your infrastructure is a vital component of any security policy. It’s not that you are being big brother and spying on what everyone is doing all the time. It’s the time that someone is behaving in a manner not consistent with normal work activity that appropriate people are notified and action can be taken.
The amount of information taken from within Sony is not insignificant. If that much information was flowing out of your organization – you should know it’s happening. Again, understanding what is normal for your organization and what isn’t is something that should be known and tracked. Again we don’t know all the details, but if it was a compromised admin account, why was this admin moving things like unreleased movies out of the corporate network?
A lot can be said about the information or data that was accessed and removed. Having passwords saved in an unencrypted file named “Passwords” is not indicative of a company that makes employees aware of good data governance policies. The fact that all salaries were in one spreadsheet with open access is an issue. Open access, excessive access, unencrypted files, lack of data classification are all areas that could have been addressed and would have helped to limit the severity of the breach.
Honestly, every organization has many of the same issues that have been highlighted by this breach and hindsight is 20/20, so while I don’t want to pile on – I do want to point out that with appropriate controls, proactive data governance, and a thorough understanding of your business environment and how employees conduct business, interact with data, applications and infrastructure, this doesn’t have to happen to you.