Sony managers could have stopped security disasters by talking to each other

Study shows few companies alert other business units when one has a crisis


If impersonal, multinational corporate conglomerate Sony had a process in place that got some of the key people in its IT, legal and operational divisions talking on a regular basis, it might have been able to stop the series of data breaches currently making it a laughing stock in the business and technology worlds, according to new research on risk assessment.

On April 19, Sony's PlayStation network was penetrated by what Sony Computer Entertainment boss Kaz Hirai told Congress was a "carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes."

A week later, Sony Online Entertainment's network was hit – with a similar attack, presumably by the same crew of hackers.

Sony lost more than 25 million customer records, some including credit card numbers and other personal data.

Since then, half a dozen other Sony sites have been hit, most recently a Canadian outpost from which a Lebanese "gray-hat hacker," looking more to teach Sony a lesson than to profit from a hack, took customer emails and other information and posted them as proof of the exploit.

The first breach may be understandable, but a series of breaches all using similar SQL injection techniques shows Sony just isn't paying attention.

More charitably, Sony hasn't figured out that it would be well worth the time and money it would take to create a company-wide process to define how data should be protected, what privacy and security policies should apply to each division's IT or web sites, and what process the company should follow to both respond to one crisis and prevent future disasters at the same time, according to Larry Ponemon, founder of the Ponemon Institute for Privacy Research.

Ponemon just published a report showing that only about one organization in five has policies in place that define, company-wide, how to respond to crises in security or privacy. A third of companies have no policy at all.
