Governments, rival corporations, activists, or even disgruntled employees now have the ability to wage asymmetric cyber warfare, and businesses must seriously re-think their security strategies in order to adapt. It is no longer possible for businesses to pay lip service to policy while implementing the bare minimum of controls needed to satisfy an international standard.
Sony, along with every other high-profile company breached in the past two years, had various industry certifications and what seemed to be a proper security policy in place, yet basic mistakes on the part of employees were not caught by the management system. The keys to Sony's entire social media presence (amongst other accounts) were found unencrypted in a well-ordered directory labelled "Passwords". Any money spent on their security policies could have been better spent educating their employees and providing staff with an enterprise-grade user-credentials management system.
The sophistication with which these groups conduct attacks brings home the reality that every business is at risk of being compromised, or already has been. Management's role is to craft a security plan that limits the amount of data a single compromised account can leak. Defence has to be taken to new depths, where even the usage patterns of previously secure applications need to be reviewed.
Media reports have found a treasure trove of controversy in the emails released by the Sony hackers. Corporate email has moved beyond simply being a communications tool. It has become a file repository for workers around the world with banal conversations sitting next to corporate R&D documents in a single repository just waiting to be mined.
How can we mitigate against our own disasters?
What can businesses do? Now that our previous assumption of email access being secure has been proven false, we must leverage existing technologies to change user patterns.
The days when appointing a "security guy" was enough to ensure an organisation's security are long behind us. Hackers come from a broad set of backgrounds, which requires a broad spectrum of security professionals as a counterbalance. Hacking groups maintain specialists for different tasks, so it is reasonable to expect companies to do the same. Different industries have different technologies and data, which require specialised skills to secure properly.
Third-party consultancies prove invaluable here since they allow small organisations to leverage the expertise of professionals with the global knowledge of a particular domain, without struggling to keep the resources on the payroll. Larger companies can benefit by hiring experts to attempt network incursions for real-life feedback on their security posture.
Regardless, the importance of properly empowering a security group with resources and manpower can no longer be questioned in today's environment. Savings realised by cutting corners when implementing security will be immediately wiped out following a single incident. No amount of money can buy back credibility lost after customers get even the slightest impression that proper due diligence was not carried out.