Sony recently announced that it filed an application to delay its third-quarter earnings announcement as a result of the highly publicized cyberattack on its Sony Pictures Entertainment (SPE) division in November. As a result of the cyberattack, which forced SPE to shut down its entire network, the company will not be able to meet the deadline for closing its financial statements in time for submission of the quarterly securities report in February.
When the earnings do become public, they may reveal clearly what financial impact the attack had on the company’s business. Previous cyberattacks have resulted in significant costs for large publicly-traded companies, including the 2007 data breach at TJX Companies that cut its second quarter profits by more than half, and the 2014 attack on Target that caused its next quarterly earnings to drop by 46 percent. In both of those cases, the attacks primarily targeted customer data, and much of the resulting cost may have resulted from addressing customer confidence issues on top of absorbing costs to remediate the causes of the breaches. By contrast, the SPE attack specifically targeted internal operations, knocking out many critical IT services. Reportedly, its email system was completely disabled, and employees were forced to use phone calls, hand-written notes and fax machines to communicate. Sony’s announcement stated that its financial and accounting applications will be offline until early February – over two months after the attack began.
From a business standpoint, an outage at this scale qualifies as a disaster event, i.e. a catastrophic failure in IT infrastructure that disrupts access to critical applications and/or data for extended periods of time, akin to a fire or hurricane that disables an entire data center. A key step in planning for recovery from these kinds of failures is to perform a risk assessment in which all of the possible threats to operations are assessed, along with their relative potential impacts on business process continuity. The SPE incident underscores the importance of making sure cyberattacks are covered in Disaster Recovery (DR) scenarios in addition to technology failures, human error, and site-wide disasters. Note: clients of Gartner for Technical Professionals can download this recently published Solution Path for Achieving IT Service Continuity and DR Success, which provides a step-by-step guide for implementing an IT service continuity and disaster recovery strategy in an organization.
The SPE incident shows how a specific cyberattack can adversely affect operations in a way that a tornado or data center fire would have. One positive outcome is that the public financial reporting of its impact will put a real cost on missing elements of a Business Continuity/Disaster Recovery (BC/DR) strategy. Proper funding is essential to DR success, and Sony’s reported numbers will help IT managers in other organizations get the attention of executives as they implement their own BC/DR strategy. This incident demonstrates that IT service continuity and IT DR are more than just an infrastructure challenge. Security-related investments may be increasing across the industry, but part of the security budget should be allocated to response, not just protection. The lessons of Sony’s attack can be used to strengthen CxO sponsorship that will be needed to plan for attack-based disaster events in the future.