The Sony breach is a wake-up call to every CISO and CIO in the country, for a number of reasons. First, by the rule of three, this event establishes a pattern: the things we normally take for granted (ordinary emails, spreadsheets, documents and so on) really can kill you.
If you remember, the rule of three says that something happening once is a unique occurrence, twice is a coincidence, and three times establishes a pattern. After WikiLeaks and the Edward Snowden/NSA debacle, the Sony breach establishes a clear pattern, one that should scare the pants off any CIO or CISO charged with keeping sensitive and potentially toxic information from getting out where it shouldn't be.
Consider the main learning points from this event and count yourself lucky that you can learn at Sony's massive expense.
The Sony breach is a true global event.
Mizuho Investors Securities analyst Nobuo Kurahashi estimated the cost of Sony's recovery from its data breaches at approximately $1.25 billion (an estimate that dates from the 2011 PlayStation Network breach, so it does not include the cost of the 2014 Sony Pictures intrusion), and government and industry analysts expect it to happen again.
The Sony breach shows us the new reality.
Industry leaders across all verticals are recognizing the truth of the rule of three. Once is an anomaly, twice is a coincidence, three times is a pattern. Or in the words of Ian Fleming, "Once is happenstance. Twice is coincidence. Three times is enemy action." The message is clear: there is no secure perimeter anymore. The only alternative is to secure the information objects themselves. Think of putting each and every document, spreadsheet, presentation and email into its own protective bubble, so that wherever they go (because they will go), the company is protected.
What was leaked is everyday stuff that exists in any company, anywhere.
Think about the kinds of information that are getting the attention in the press: Excel spreadsheets containing Sony employee compensation information, documents of employee reviews, internal emails describing projects, partners and entertainers, and reports on future plans and strategies. This isn't super-secret database stuff, but rather the kind of information that every employee of any organization creates and uses every single day. This is the real goldmine for an information thief: tapping into the company's thought process and getting distilled, refined, qualified information that employees have already crafted into usable tools.
This didn't have to happen.
The Sony breach is the perfect example of why the industry is reevaluating its approach to data security. With globally distributed business units, BYOD and the cloud, there is no such thing as a secure perimeter anymore. The question is not if your network will be breached, but when and by whom. Leading companies are deploying technologies that identify information as sensitive and potentially toxic, and then encrypt those specific pieces of information, so that if a file, document or email does leak out, it is an encrypted blob that is useless to whoever got it.
In Sony's case, this approach would not have kept the DPRK from accessing millions of files, but it would have left the intruders with millions of piles of useless ones and zeros, because the information would have been encrypted and unreadable to anyone without the credentials to decrypt it. The caveat that matters in practice is where those credentials live: an intruder who has taken over user accounts can decrypt whatever those accounts are authorized to read, so the decryption keys must be held outside the compromised environment and granted per user and per object, or the encryption only moves the problem.
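The following Go program is an added illustration of the data-centric approach described above; it is not code from the original post or from any product the post alludes to. It classifies each object, seals the sensitive ones with AES-256-GCM (with the object's name bound as associated data), leaves the rest as-is, and then checks what an information thief who copies the whole store actually gets. The file names, file contents and classification rules are constructed for the example, and the key handling is the minimum needed to run: in a real deployment the key lives in a KMS or HSM and is released per user and per object, never stored beside the blobs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// Constructed sample objects standing in for a company's everyday files.
var SampleDocs = map[string]string{
	"comp_2014.csv":      "employee,title,salary\nA. Example,VP Marketing,184000\nB. Example,Analyst,62000\n",
	"review_b.txt":       "Performance review, Q3: exceeds expectations on the pipeline project.",
	"cafeteria_menu.txt": "Monday: tacos. Tuesday: pasta. Wednesday: salad bar.",
}

// Hypothetical classification rules; a real deployment uses a DLP/classification engine.
var sensitivePatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\b(salary|compensation|bonus)\b`),
	regexp.MustCompile(`(?i)\bperformance review\b`),
}

// IsSensitive returns true when any rule matches the object's content.
func IsSensitive(content string) bool {
	for _, re := range sensitivePatterns {
		if re.MatchString(content) {
			return true
		}
	}
	return false
}

// NewKey returns a random 256-bit key; in practice it lives in a KMS/HSM, not on the file server.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect seals one object as nonce || AES-GCM(plaintext), binding the object
// name as associated data so a blob cannot be silently renamed or swapped.
func Protect(aead cipher.AEAD, name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Protect; a wrong key, wrong name or any tampering fails authentication.
func Open(aead cipher.AEAD, name string, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(name))
}

// ProtectAll classifies every object and encrypts only the sensitive ones; the rest are stored as-is.
func ProtectAll(aead cipher.AEAD, docs map[string]string) (map[string][]byte, error) {
	store := make(map[string][]byte, len(docs))
	for name, content := range docs {
		data := []byte(content)
		if IsSensitive(content) {
			var err error
			if data, err = Protect(aead, name, data); err != nil {
				return nil, err
			}
		}
		store[name] = data
	}
	return store, nil
}

// Exposes is the thief's view: do the stolen bytes still contain this marker?
func Exposes(data []byte, marker string) bool {
	return bytes.Contains(data, []byte(marker))
}

func main() {
	key, _ := NewKey()
	aead, _ := NewAEAD(key)
	store, _ := ProtectAll(aead, SampleDocs)
	for name, data := range store {
		fmt.Printf("%-20s sensitive=%-5t leaks salary figure=%t\n", name, IsSensitive(SampleDocs[name]), Exposes(data, "184000"))
	}
}
```

Running it shows the compensation sheet and the review stored as ciphertext and the menu stored in the clear; the salary figure is not findable in the stolen bytes, and a blob opened with the wrong key, under a different name, or after a single flipped bit fails authentication rather than yielding garbage. What the construction does not do is protect against an intruder who holds the same key or the same decrypt rights as an authorized user, which is why key custody and per-object authorization are the real work.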
Unfortunately, Sony is learning its security lessons in front of the world. Once its network perimeter was breached, the millions of jewels within (documents, spreadsheets, emails) were exposed and carried off through the hole that had been punched in the perimeter. Across the country, in boardrooms and senior management meetings, the tough question is being put to senior IT executives: "What are you doing so that we're not the next Sony?" Companies are beginning to understand that they need to do more, and stay more vigilant, to keep their information secure. 2015 will be a year of organizations searching for and discovering the best paths and solutions to real data security.