Why Sony & Barack Obama could be defining your DLP policies

By Dr. Guy Bunker @guybunker


Who could have missed the Sony hack, breach and whatever else? It’s been all over the news for days, and after the film was pulled, even Barack Obama and The White House have got in on the act. But what does it really mean for business?

First off, this wasn’t a hack in the traditional sense. Well, actually it was in the ‘traditional’ sense (if you go back a decade or more), in that it was done ‘because they could’, which was what hackers used to do. Today, breaches are more about money than glory, so we hear about credit cards being stolen, personally identifiable information being accessed and generally information that will get the regulators up in arms and the hackers a fast buck or two.

The hacktivist is someone who is driven by a belief, rather than by pure financial gain, and in this case it was supposedly a rage against a comedy focussed on the assassination of a specific leader. (While we, as a nation, are a bit apathetic on such things, there would no doubt be outrage and letters written to the broadsheets expressing extreme dissatisfaction should there be a similarly themed film around, say, The Queen!)

So, the hacktivist is motivated and actually skilled – not just in getting the information, but also in being able to disseminate it to the world through the media. Because of the nature of hacking, the victims can be anywhere, as can the attackers, making it really tough to manage and control the fear, uncertainty and doubt (FUD) that then emerges. The cyber-attackers in this case succeeded in creating enough FUD that cinemas began refusing to show the film, ultimately stopping it from being released. Here is another difference: while we have seen attacks against individuals (think Salman Rushdie) and even some organizations (think Jyllands-Posten), this is probably the first time where the effect has gone down to the customer, the cinema owner in this case.

However, it turned out that this wasn’t just about the film. The attackers also got hold of other information and, a little like Edward Snowden, they are slowly leaking out other pieces of information to discredit Sony. I suspect that this will continue for many months as they trawl through their haul.

But, what can be learned from this recent attack?

Well firstly, all information has a value to somebody – it’s not just about credit cards. This attack has proven that damage can be very quickly done to a reputation through the medium of email. While there is considerable protection around credit card details and the like, there is a lot less around things which have not usually been thought of as a threat. Security measures need to be improved across all types of information to prevent it from doing damage should it fall into the wrong hands.

Secondly, think about what you write – even if it is flippant and meant in jest. What would happen to your personal as well as your company’s reputation should it get into the press? People have started to modify their behavior with social media because of the embarrassment it can cause (think celebrity selfie) should it escape into the public domain; the same could also be true with internal email. At a previous job of mine, there was a change in policy to stop jokes etc. being sent around the office by email, instigated for HR reasons; there is now another good reason to stop doing this.

Thirdly, there is no silver bullet when it comes to security; technology is just a piece of the pie. People need to be aware of the threats, risks and consequences, and correct processes need to be put in place. Sony has just put in place a crisis management team to handle the bad press they have got over recent days. From a technology perspective, Data Loss Prevention tools need to be coupled with a strong Information Governance solution to monitor where information is flowing from and to. Anomaly detection can then be used to look for changes in behavior and help spot issues before they become problems.

Finally, there has been talk about the knock-on effect on ‘Free Speech’; over the weekend another project was pulled as it too might be too controversial. If this is the case, and it does become the norm that creativity is curtailed due to extremists, this would be very sad. This was about a film. What if extremists decided that they didn’t like something else, perhaps the design of a car, or maybe a pharmaceutical drug, or ... well, that’s the problem, it could be anything, and then the company that creates it, builds it, sells it, or the person who buys it could suffer the consequences.

We live in a multi-cultural world, which is made very small because of the Internet. There is a very fine line between being offensive and not, and between being tolerant or becoming a hacktivist...