Whatever the motive behind the cyber attack on Sony Pictures, a data breach of any kind was unanticipated, and Sony's IT infrastructure, largely unprepared for this type of incident, was exposed. Careless, descriptive naming of sensitive documents, combined with the absence of classification, authorization, encryption, and handling policies, made those documents easy targets.
Some of the stolen documents held the most critical employee information: Social Security Numbers (including those of A-list celebrities), trade secrets, Sony executive salary data, password files, and email exchanges. These should have been protected. It is now very clear that a password-protected computer or database, standard firewalls, Data Loss Prevention (DLP), and antimalware software do not by themselves ensure that sensitive data stays out of the wrong hands.
Information is a company's most important asset and deserves protection of its own. Network-level security solutions are prominent, yet they have increasingly failed to protect the sensitive information at the core of any successful business, as Sony's cyber attack shows. Many companies concentrate their defense strategy on the network layer. Once that perimeter is breached, however, attackers gain relatively easy access to the sensitive data inside it. When an organization places its security controls on a single layer, its entire security depends on those controls working properly at all times, against all threats, and that is not a realistic expectation. Securing the network remains the mandatory first step of any data governance plan, but organizations also need to focus on the information itself and build multiple layers of protection around it.
Data-centric security solutions apply protection to the data and documents themselves, so sensitive data can be safely stored, used, transported, and shared inside and outside the company's network. A data-centric solution such as Microsoft's Rights Management (RMS) keeps sensitive information secure while it is stored within the enterprise perimeter and as it travels inside and outside the organization. Documents containing Social Security Numbers, salary figures, passwords, trade secrets, or any other sensitive data can be protected so that only authorized users can open them. The protection is applied directly to the data or document in the form of encryption, authorization, and usage-rights policies, and once applied it travels with the data wherever the data goes. Most importantly, even if attackers obtain the protected documents, they cannot "unlock" them to read the clear text without the keys that the rights service releases only to authorized users. The caveat is that the protection is only as strong as the identity and key infrastructure behind it: an attacker who takes over an authorized user's account can open whatever that user could, so strong authentication for those accounts is part of the design, not an afterthought.
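To make the "protection travels with the document" idea concrete, the following is an added example written for this page; it is not code from Sony, Microsoft, or the RMS product, and it does not reproduce the RMS protocol. It models the pattern the paragraph describes: a per-document content key encrypts the body, that key is wrapped separately for each user named in an embedded usage-rights policy, and the policy is covered by the integrity tag so whoever exfiltrates the file cannot grant themselves rights by editing it. The user keys, user names, and "SSN list" document are constructed sample data, and the cipher is a toy HMAC-SHA256 counter-mode stream with encrypt-then-MAC so that the example runs with the Python standard library alone; a real deployment would use AES-GCM and a key service rather than this construction.

```python
"""Toy data-centric envelope: the document carries its own encryption and policy.

Illustration only (not RMS, not production crypto). Shows that an exfiltrated
file is useless without a key released to an authorized identity, and that
editing the embedded policy makes the file unreadable rather than more open.
"""
import hashlib
import hmac
import json
import secrets


def _kdf(key: bytes, label: bytes) -> bytes:
    # Derive an independent subkey per purpose (encryption, MAC) from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (toy stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Encrypt-then-MAC. `aad` (the policy header) is authenticated, not encrypted."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_kdf(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_kdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, box: dict, aad: bytes) -> bytes:
    """Verify the tag over header+nonce+ciphertext before decrypting; fail closed."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(_kdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_kdf(key, b"enc"), nonce, len(ct))))


def protect(plaintext: bytes, policy: dict, user_keys: dict) -> dict:
    """Build the envelope: policy header, per-user wrapped content key, encrypted body.

    policy maps user -> rights, e.g. {"alice": ["view", "edit"]}. user_keys maps
    user -> 32-byte key (hypothetical stand-in for keys an identity service holds).
    """
    content_key = secrets.token_bytes(32)
    header = json.dumps({"policy": policy}, sort_keys=True).encode()
    wrapped = {user: _seal(user_keys[user], content_key, header) for user in policy}
    return {"header": header.decode(), "wrapped": wrapped, "body": _seal(content_key, plaintext, header)}


def open_protected(envelope: dict, user: str, user_key: bytes, right: str) -> bytes:
    """Enforce the embedded policy, unwrap the content key, decrypt the body."""
    header = envelope["header"].encode()
    policy = json.loads(header)["policy"]
    if user not in envelope["wrapped"] or right not in policy.get(user, []):
        raise PermissionError(f"{user} lacks '{right}' on this document")
    # The header is bound into the wrapped key's tag, so an edited policy cannot unwrap.
    content_key = _open(user_key, envelope["wrapped"][user], header)
    return _open(content_key, envelope["body"], header)


def try_open(envelope: dict, user: str, user_key: bytes, right: str) -> str:
    try:
        return open_protected(envelope, user, user_key, right).decode()
    except PermissionError:
        return "DENIED"


def forge_grant(envelope: dict, user: str, rights: list, copy_from: str) -> dict:
    """What an attacker holding the exfiltrated file can try: rewrite the plaintext
    policy to include themselves and reuse someone else's wrapped key under their name."""
    policy = json.loads(envelope["header"])["policy"]
    policy[user] = rights
    forged = dict(envelope)
    forged["header"] = json.dumps({"policy": policy}, sort_keys=True)
    forged["wrapped"] = dict(envelope["wrapped"], **{user: envelope["wrapped"][copy_from]})
    return forged


def demo() -> dict:
    keys = {"alice": b"a" * 32, "bob": b"b" * 32}  # constructed sample user keys
    mallory = b"m" * 32                              # attacker, never granted rights
    env = protect(b"SSN list", {"alice": ["view", "edit"], "bob": ["view"]}, keys)
    forged = forge_grant(env, "mallory", ["view"], copy_from="alice")
    return {
        "alice_edit": try_open(env, "alice", keys["alice"], "edit"),
        "bob_view": try_open(env, "bob", keys["bob"], "view"),
        "bob_edit": try_open(env, "bob", keys["bob"], "edit"),
        "mallory_view": try_open(env, "mallory", mallory, "view"),
        "mallory_forged": try_open(forged, "mallory", mallory, "view"),
        "alice_after_forgery": try_open(forged, "alice", keys["alice"], "view"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

Running the demo shows the two properties the paragraph claims: Alice and Bob open the document only for the rights the policy grants them, and the attacker gets "DENIED" both with the untouched file and after forging a grant, because the forged header no longer matches the authenticated one and the copied key was wrapped for Alice's key, not his. It also shows the fail-closed side effect that Alice herself can no longer open the tampered copy, which is the correct behaviour for a document whose policy has been altered.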
Companies are reluctant to see the need for security provisions until after an event such as this attack occurs. Once it does, the business cannot operate as usual: time and money are spent picking up the pieces, paying settlements, and replacing the executives who resigned over the IT security infrastructure that clearly failed. Now is the time to be proactive. The fallout from waiting until something happens has become too great a risk to leave your company's interests unprotected.
Take preventive action. Sony will now likely spend millions of dollars on "after-attack" security: investigating who was responsible and how they did it, and compensating the large number of employees exposed to identity theft, along with the partner companies and their employees whose information was also exposed. Security investigations do not protect against future attacks, and they do not make sensitive, confidential data any safer. They only establish what happened, after the fact.