By Caroline Callaway
Netflix’s recent release of The Interview has us thinking again about the recent attack on Sony Pictures Entertainment.
Quick refresh: On November 24, 2014, the computer networks of Sony Pictures Entertainment were hacked by an anonymous group identifying themselves as the “Guardians of Peace.” The attackers leaked Sony’s intellectual property, incriminating emails, regulated personally identifiable information and details of their entire IT infrastructure online. The information became instantly accessible by anyone with internet access. Sony’s attack came before the release of their highly anticipated movie The Interview. The movie’s plotline features the assassination of North Korean leader, Kim Jong-Un. The FBI has publicly announced that an army of 6,000 North Korean cyber-attackers are to blame with evidence that hackers’ IP addresses were visible after being directly connected to the internet. It has also been suspected that a former disgruntled employee assisted with the attacks as well.
To our knowledge, there have been no further attacks on Sony; however, many people have been left wondering if their companies will be the next victim of a cyber-attack. The Sony attack represents a different approach used by cyber-attackers, in which hackers’ main purpose is to release sensitive company information in efforts to destroy reputations and relationships. With this in mind, here are five lessons that we can learn from the Sony attack:
1. Limit Access to IT Technician:
Every company benefits from having an IT technician, but, this is sometimes the first person we suspect in the event of a cyber-attack. An IT technician only needs access to the IT system and applications, not access to the entire company’s data. By reducing the accessibility of an IT technician, a company is then able to reduce the potential of a future threat.
After an internal attack, a company must start from ground zero in terms of rebuilding their IT infrastructure. First, it is important to consider the options of remaining with your current system provider, or searching other viable options. Second, a company needs to decide how it will respond to the attack publicly and what message they will be sending to their employees post-attack. (Some companies have internal play books; others turn to professional firms that specialize in crisis communications for strategic advice and counsel.)
3. Encourage Transparency:
All employees of a company should consider themselves potential targets for a future cyber-attack. As such, it is important to be aware of one’s digital trail. Companies should promote positive, internal dialogue and promote discretion for all written (and verbal) exchanges. In today’s climate, we must assume everything is discoverable.
4. Update and Educate:
Companies should always have up-to-date antivirus software and should continue to educate themselves on new ways to protect their IT system and data. It is important that companies share new information with employees regarding any suspected viruses as well as safe online practices.
5. Learn from the Past:
If your company has already experienced cyber-hacking, remember to learn from past mistakes made. There are many companies that have been cyber-hacked that we have never heard of – and from the looks of 2014 – this doesn’t seem to be slowing down in 2015. Take notes from other companies’ experiences and apply those best (and worst) practices to your own situation.
The Sony attack may not have been preventable, but there are steps companies can take proactively that may help alleviate the effects of a future cyber-attack. Sony’s situation is a good whiteboard example for other companies. Namely, it is always better to have a plan and be prepared, e.g., preventing a fire as opposed to running headlong into one. Edward R. Murrow says it best: “If you’re going to invite me to the crash, please invite me to the takeoff.”
Instead of calling your communications team after a crisis occurs, consider bringing them under the tent now – in times of calm – in order to adopt thorough mitigation planning.