Companies across the world are on high alert to tighten up their network security to avoid being the next firm brought to its knees by hackers like those who carried out the dramatic cyber-attack against Sony Pictures Entertainment.
The hack, which, a US official has said, investigators believe is linked to North Korea, culminated in the cancellation of a Sony film and ultimately could cost the studio hundreds of millions.
That the hack included terrorist threats and was focused on causing major corporate damage, rather than on stealing customer information for fraud, such as in the breaches at Home Depot and Target, indicates a whole new frontier has emerged in cyber-security. Suddenly every major company could be the target of cyber-extortion.
“The Sony breach is a real wake-up call even after the year of mega-breaches we’ve seen,” said Lee Weiner, Boston security firm Rapid7’s senior vice president of products and engineering.
“This is a completely different type of data stolen with the aim to harm the company.”
This should signal to all US businesses that they need to “take cyber-security as serious as physical security of their employees or security of their physical facilities,” said Cynthia Larose, chairwoman of the privacy and security practice at Boston law firm Mintz Levin.
The breach is particularly troubling in Hollywood, where secrecy is supposed to be paramount to insure that movie secrets worth millions are not leaked.
“Movie studios have, by and large, behaved as high-security intellectual property purveyors; prints have been tightly controlled, screeners are watermarked, and bootleggers are prosecuted wherever possible,” said Seth Shapiro, a professor at the University of Southern California’s School of Cinematic Arts.
He said what made it so surprising was that email leaks showed Sony executives apparently gave out passwords in unencrypted emails and made other security blunders.
“The apparently laxity of Sony IT security – given the history of prior hacks – is unprecedented in the history of media technology,” he said. Sony’s PlayStation network was hacked in 2011.
Studios are trying to tighten up procedures in the wake of the Sony attack. Warner Bros. executives have ordered a company-wide password reset and sent a five-point security checklist to employees advising them to purge their computers of any unnecessary data.
“Keep only what you need for business purposes,” the message, in an email seen by The Associated Press, said.
Even so, some say there is little corporations can do to prevent such a sophisticated attack. The key may lie more in detection and limiting damage.
“There are very few companies that can withstand that kind of large assault,” said Rich Mogull, an analyst with security firm Securosis in Phoenix, Arizona. “But a lot of companies do need to improve what they’re doing on security, I see it every day with companies I work with.”
Companies also need to invest in identifying vulnerabilities on their networks and work quickly to address them.
Jonathan Sander, strategy and research officer at data security firm Stealthbits in Hawthorne, New Jersey, recommends a comprehensive review to ensure outdated files, such as digital copies of old contracts and electronic conversations that occurred years ago are no longer being stored on the corporate networks.
“We used to have to lead people to the idea that you need to protect this kind of data,” he said. “Now we walk in and they’re asking, ‘How can I keep my data from ending up on the internet like Sony’s did?’.”
Some customers have been wondering if they should reduce their reliance on email and switch to other digital forms of communication, such as messaging systems that do not store the data.
Most importantly, companies need to focus on the ability to detect hacks quickly and limit them as fast as possible. Currently, the average amount of time it takes a company to detect a breach is 200 to 230 days, Rapid7’s Mr Weiner said, adding: “That allows the attacker time to gain a lot of knowledge and do a lot of damage.”
One example companies could follow is in the technology sector, where most firms have been tightening their security measures during the past 18 months in response to revelations about the digital spying tactics of the US government.
Documents leaked by former National Security Agency contractor Edward Snowden revealed that the government had been tapping into the computer networks of Google, Yahoo, Facebook and other technology companies in search of emails and other electronic communications that might uncover terrorist plots and other illegal activity.
The government has maintained that it has never collected the kind of highly personal details stolen in the Sony Pictures breach. But tech companies being targeted by the NSA have since tried to thwart the surveillance by encrypting their internal email systems as well as the free accounts available to the general public.
Both Google and Apple, the makers of the world’s leading software for mobile devices, are also automatically encrypting the data stored on smartphones so the information is indecipherable to unauthorised users, including government authorities.
General Motors says it has bolstered cyber-security in the past two years by bringing information technology in-house from outside vendors. The auto giant has a cybersecurity chief on staff to prevent hackers from getting into GM vehicle computers and has consolidated electronic data storage from 23 centres around the world into two near Detroit.
Tom Chapman, head of cyber-operations at EdgeWave Security in San Diego, California, said in the past, people were looking for a firewall or an individual product for protection.
“Now, they’re realising there is a human element. They need to understand who might be after them. By better understanding your likely adversaries, you can better craft your defence,” the retired US Navy intelligence officer who specialised in hunting down hackers said.