It’s easy to pick on the security of a company that has just been hacked, but I don’t think it is fair, accurate, or defensible. Make no mistake, there are companies with terrible security practices who have been hacked and likely deserve derision, but I have trouble believing that Sony Pictures is one of them.
Let’s look at what is known publicly. Several files were dumped on the internet that allegedly come from their internal networks. Many of these are said to contain passwords.
“How can this be so?!” cry the ambulance-chasing security pontificators. “Sony has terrible security practices!”
What we also know publicly about Sony is that they are a for-profit company dealing in a digital medium, where unauthorized access to their products has an obviously devastating impact. They have every motivation to pour a lot of resources into protecting their lifeblood. But what about their administrators’ behavior?
Dumping sensitive data into unprotected text files is a practice as old as time and I have seen it at many companies. This is typically the result of administrators who have a job to do. If you need access to 50,000 passwords, this is a convenient way to get it. Sure it is against policy. Sure it is risky. But what’s the probability of a pervasive and comprehensive attack that will compromise such a file?
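As an added example (not part of the original post, and not anything Sony ran): a small Python scan that finds the kind of plaintext credential files this paragraph describes on a file share, so they can be remediated before an attacker finds them. The name and content heuristics, file suffixes and severity thresholds are my assumptions; the report gives counts only and never echoes the secrets themselves.

```python
import os
import re
from pathlib import Path

# Heuristics below are assumptions for this example; tune them for your own
# shares and expect some false positives (e.g. "compass.txt" trips NAME_HINT).
NAME_HINT = re.compile(r"pass(?:word|wd)?s?|pwd|cred(?:ential)?s?|logins?", re.I)
KEY_VALUE = re.compile(r"^\s*(?:\w+[._-])*(?:pass(?:word|wd)?|pwd|secret|token)\s*[:=]\s*\S+", re.I)
USER_PAIR = re.compile(r"^[\w.@\\-]{2,}\s*[:,|\t]\s*\S{6,}\s*$")   # user:secret lines
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".json", ".log", ""}
MAX_BYTES = 2_000_000   # skip huge files; plain text only, no binaries

def score_file(name: str, text: str) -> dict:
    """Classify one file by name and content. Returns counts and a severity,
    never the matched values, so the report is safe to circulate."""
    name_hint = bool(NAME_HINT.search(Path(name).stem))
    hits = 0
    for line in text.splitlines():
        # user:secret pairs only count when the filename already looks suspicious
        if KEY_VALUE.search(line) or (name_hint and USER_PAIR.match(line)):
            hits += 1
    if hits >= 10:
        severity = "high"      # bulk credential dump, the case the post describes
    elif hits >= 1:
        severity = "medium"    # a few secrets in a config or note
    elif name_hint:
        severity = "low"       # suspicious name, nothing recognisable inside
    else:
        severity = "none"
    return {"name": name, "name_hint": name_hint, "credential_lines": hits, "severity": severity}

def scan_tree(root: str) -> list:
    """Walk a directory tree and return findings (severity != none), worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath, fn)
            if p.suffix.lower() not in TEXT_SUFFIXES or p.stat().st_size > MAX_BYTES:
                continue
            result = score_file(fn, p.read_text(errors="ignore"))
            if result["severity"] != "none":
                result["path"] = str(p)
                findings.append(result)
    return sorted(findings, key=lambda r: (order[r["severity"]], -r["credential_lines"]))

if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['severity']:6} {f['credential_lines']:5} lines  {f['path']}")
```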
Risk and security programs have a lot of priorities, and employees ignoring policy has not been at the top of the list. Sony security should not be lambasted for doing exactly what they should have been doing, which is focusing limited resources on the most important assets in the company.
If you want to cast the first stone, you better consider your own glass house. (I love mixing my metaphors.) Basically, every enterprise has this problem with people and behavior. Everyone reading this has unencrypted files in their company with sensitive data.
However, the Sony hack changes the game. If North Korea is involved, a nation state attacking an enterprise with malice creates a very different security problem with user behavior that will not be solved by technology.
Security programs and user education need a boost, with special attention to these risky practices adopted for convenience. Simple behavior changes will do more to protect your enterprise than spending millions on complicated technology that will make users miserable. Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.
Gartner’s research in people-centric security recognizes the criticality of user behavior as a control and seeks a better answer than posters and mousepads that say security is important. It is the integration of security and social science designed to motivate users to want to do the right thing.
Never waste a crisis. Sony is not the first serious, game-changing hack and it won’t be the last. Use the visibility this creates with executives to institutionalize better practices that will survive the times when they go back to sleep over security. You could do that… or you could use this opportunity to push through the budget for that DLP system you’ve been trying to get for 3 years. Your choice.
And stop picking on Sony.