The Sony Hack: Security Lessons for Small-Business Owners

If you think your small business can't learn anything from Sony's major security breach, you're wrong. Find out how to protect your small business from internal security threats.
January 05, 2015

The Sony hack has captured the attention of everyone from IT professionals to journalists covering celebrity gossip. While the fallout of this major security breach is still unfolding, there are already some important takeaways for growing small businesses.

A Timeline of the Security Breach

On November 24, 2014, employees at the headquarters of Sony Pictures Entertainment in Culver City, California, saw a skull image flash across their screens with an ominous message: “This is only the beginning,” reports. The message warned that hackers had obtained the company’s data and would release it publicly if the company failed to follow the hackers’ demands.

In the weeks that followed, the hackers behind the attack, who call themselves the “Guardians of Peace,” followed through on their promise. The group posted five Sony films, four of which were as-yet-unreleased, to file-sharing networks, and also released thousands of confidential documents, including emails between company executives and third parties, as well as salary and performance data on the company’s employees.

After receiving threats of terrorist attacks on theaters showing the film The Interview, many theaters vowed not to show the film on its scheduled release date of Christmas Day. After that, Sony initially canceled the release of the film (though it later decided on a limited release), but the company may continue to suffer damage to key relationships with actors, producers and other critical stakeholders as a result of the release of those private emails between Sony management and other individuals.

The Root Source of Many Security Issues

Despite ever-advancing security practices and our increased knowledge of security threats, why do security breaches like the Sony attack still occur? According to Jeffrey Bernstein, managing director of information security at T&M Protection Resources, a New York City-based global provider of security services, “At a high level, it's accurate to say that any effective enterprise security program should take three areas into consideration: people, process and technology.

“All too often, security breaches are caused by users doing something they shouldn't do, like clicking a malicious link in an email, opening an email attachment, using weak passwords, losing laptops or phones with confidential data, or being tricked into giving up their passwords through social engineering attacks,” Bernstein explains. “In fact, most security industry data estimates that well over 80 percent of all successful data thefts that occurred over the past 12 months began with a user doing something they shouldn't have.”

Bernstein’s company, which provides post-breach incident response and forensics investigations, investigates cases that range from identity theft and simple website defacement to sophisticated thefts of large amounts of data or sums of money. “More often than not, people are at the root cause of these security compromises,” Bernstein says. “Because of this, getting end users to properly identify and respond to security threats is one of the most significant challenges facing organizations today.”

And this challenge is one faced not just by major enterprises but by businesses of all sizes. 

Next Steps

Reports indicate that the hackers behind the Sony attack gained access to the data by obtaining the login credentials to a system administrator’s account, and fingers are being pointed at North Korea for ordering the attack. Bernstein believes the Sony hack is likely the work of a malicious insider, and he suggests small businesses implement best practices to identify potentially malevolent insiders and limit their exposure to insider threats.

When conducting your annual risk assessment, Bernstein suggests you consider and assess threats from both individuals inside your company and external business partners, then document and enforce policies and controls consistently. He also suggests that you incorporate insider threat awareness into the security training you conduct for employees on a company-wide basis. You should also monitor and respond to suspicious or disruptive behavior, starting as early as the hiring process.

Bernstein also recommends that companies “enforce separation of duties and least privilege”—should a single login credential become compromised, this will ensure that hackers won't get full network access. Additionally, he advises companies to institute stringent access controls and monitoring policies on privileged users.

“Use a log correlation engine or security information and event management system to log, monitor and audit employee actions,” Bernstein suggests. These precautions help companies detect suspicious behavior by internal users so they can halt malicious activities before substantial damage is done. Additionally, a comprehensive security program, including adequate remote access and endpoint management and monitoring, as well as a formalized insider threat program, is critical for any company, no matter its size, operating in the current business climate.

“Most modern-day security programs focus on people, process and technology. A determined trusted insider with malicious intent can circumvent the controls around all three,” Bernstein warns. “Many corporate security policies and procedures, technologies and training programs have yet to be updated to address this threat. For this reason, organizations must be vigilant about this threat and raise awareness internally.”

While the Sony hack may seem like it’s in a league of its own, small businesses aren't exempt from malicious security attacks. In fact, the Verizon 2013 Data Breach Investigations Report found that 62 percent of breaches affect smaller organizations.

Paying attention to major, news-making security breaches, heeding important takeaways and implementing best practices is key for small businesses of today to emerge as the security-savvy, growing enterprises of tomorrow.
