Learning from the Sony Breach

A Network World article defines business resiliency as “an organization’s ability to recognize and weather a cyber storm, to be in a position to reduce the organization’s exposure to harm and, most importantly, to quickly pivot when necessary.”

The article provides a meaty, detailed look at how we can all learn from the Sony attack, with detailed examples of warning signs and how we can avoid being in our own Sony situation. Below are the key lessons for risk professionals as they appear in the article, though we encourage you to go to the full original piece for a more comprehensive read (link below).

  • Broaden the sphere of knowledge to the risk landscape beyond what has traditionally been an IT-based discipline. Too often organizations fall into the trap of looking at only the bits and bytes, but it is critical to understand who is attacking you and why. Remember, cyber-attacks are conducted by humans who are driven by a desire to have your data. Monitor social media accounts or statements of groups that may pose a threat. Take extortion threats seriously. The malicious actor who breached Sony is said to have sent executives an email three days prior to the initial leaks.
  • Classify major systems of record that, if breached, could cause a large amount of digital harm to your organization, such as systems that house personal information, health records, credit card numbers and intellectual property, and pre-plan incident and breach response actions.
  • Ensure you have both an Incident Response Plan (IRP) and a Breach Response Plan (BRP); they should be separate and distinct. Stages of transition from IR to BR should contain identifiable decision points by role and level of authority. In many cases, organizations introduce more liability to the organization by their actions post-breach, in addition to the harm caused by the breach itself.
  • Take a hard look at what IT services should be operated in-house versus outsourced. By the time data-wiping malware or ransomware is detected, it is often too late to recover data. The least expensive and most reliable method to protect company data is to keep a regularly updated remote backup or shift to a cloud provider. Core business applications such as email, HR/Payroll (ERP), user storage and other services of a similar nature can usually be outsourced to a trusted, cost-effective service provider hosted in the cloud.
For a much more detailed piece, check out the original article here: