Sony managers could have stopped security disasters by talking to each other

Study shows few companies alert other business units when one has a crisis

Credit: Source: IDG News Service

If impersonal, multinational corporate conglomerate Sony had a process in place that got some of the key people in its IT, legal and operational divisions talking on a regular basis, it might have been able to stop the series of data breaches currently making it a laughing stock in the business and technology worlds, according to new research on risk assessment.

On April 19, Sony's PlayStation network was penetrated by what Sony Computer Entertainment boss Kaz Hirai told Congress was a "carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes."

A week later, Sony Online Entertainment's network was hit – with a similar attack, presumably by the same crew of hackers.

Sony lost more than 25 million customer records, some including credit card numbers and other personal data.

Since then half a dozen other Sony sites have been hit, most recently a Canadian outpost from which a Lebanese "gray-hat hacker" looking more to teach Sony a lesson than profit from a hack, took customer emails and other information, and posted them as proof of the exploit.

The first breach may be understandable, but a series of breaches all using similar SQL injection techniques shows Sony just isn't paying attention.

More charitably, Sony hasn't figured out that it would be well worth the time and money it would take to create a company-wide process to define how data should be protected, what privacy and security policies should apply to each division's IT or web sites, and what process the company should follow to both respond to one crisis and prevent future disasters at the same time, according to Larry Ponemon, founder of the Ponemon Institute for Privacy Research.

Ponemon just published a report showing only about one organization in five have policies in place that would define company-wide how to respond to crises in security or privacy. A third of companies have no policy at all.

"Most people, in most lines of business or business units keep their eye on their own responsibilities and on what they have to do," Ponemon said. "They end up in these silos where the legal team doesn't talk to IT, which doesn't talk to the business units about what to do about compliance or risk assessment. They all have their own policies, but there's a lot of duplication of effort and they don't match up."

The report was sponsored by EMC's security subsidiary RSA, but the data and conclusions seem solid enough.

The analysis process they tout suffers from its own drawbacks, though.

First it's called e-GRC – for Enterprise Governance, Risk Assessment and Compliance – which combines three of the five technology issues that are both critical to the success of IT in a big organization, and guaranteed to put anyone to sleep far too quickly to do anything about them. (The other two sleep-inducing critical issues both involve storage, but so far I haven't been able to stay conscious long enough to figure out which they are.)

The second problem is that it requires corporate managers to not only cooperate with each other, but to spend time and money doing it without being forced by government regulations or an immediate crisis.

"Unfortunately it usually takes a crisis to get all these people talking across organizational barriers, but once they do, they find they eliminate a lot of duplicated effort and they have a much better response time and are more effective than when they operate without a plan," Ponemon said.

Companies that have had to deal with major security crises are usually well prepared for the next one, at least until acquisitions, changes of leadership or short corporate memories makes it seem wasteful or "soft" to spend resources making sure there is a specific group of managers responsible for coordinating data-governance, security and compliance policies companywide.

A process of risk-assessment that required a team at Sony to inform other divisions that it had been breached and how, and requiring other divisions to check for and eliminate similar vulnerabilities in their own sites, would have stopped the chain of Sony disasters after the first one.

"It's still not easy," Ponemon said. "But you've got a much better chance to top the problem early, rather than having it come back time after time."

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon