Note: this article was previously posted on Norse’s DarkMatters.
Where do we die first? For leaders of companies doing business in the digital world (i.e., all companies) this is the question you should be asking yourself when it comes to cyber security and crisis planning. Where does your company die first? The Sony hack shows why companies must classify data and prioritize their defenses in crisis planning.
You will be hacked
All companies are being attacked. A hacker only needs to be successful once. A company’s security must be successful 100% of the time. The odds are not very good. It is not a matter of if but when.
Sony is neither a lightweight nor a newcomer in this hacking game. Sony has been hacked before and has suffered a lot because of it. It is safe to assume that Sony has worked hard and devoted a lot of resources to securing its network and protecting its data from hackers.
Sony Pictures just got hacked. Indeed, it has been pwned! If it can happen to Sony, it can happen to your company.
You can’t defend everything–data must be classified and defended according to its value to the company
The latest Sony hack has only recently become public, but we are already learning that a vast treasure trove of information was stolen. What I found interesting when looking at the categories of information taken is how varied it is.
While all of it is embarrassing for the company, some of it may prove to be more embarrassing than it is critical to the future profits and success of the company. Some of it, however, could be devastating: its crown jewels. Sony has the industry strength to withstand the harm that will come from this, but many companies would not fare so well.
Here are the categories of information believed to have been taken, among the 25 gigabytes of data thought to have been compromised: sensitive financial data, emails, personal information relating to the cast and crew of films still in production, medical and other HR records, digital copies of films that have not yet made it to theaters, and potentially internal audit documents from accounting firm Pricewaterhouse Coopers.
All data has some value to the company, the hackers, and the data subjects in appropriate cases. But some data is clearly more valuable to the financial success of the company than other data.
Classifying Sony Pictures’ Data
Emails are valuable and surely contain information that needs to be protected from disclosure. However, unless those emails were encrypted, that information probably could have been obtained by less sophisticated tactics than were apparently employed against Sony Pictures.
Personal information relating to the cast and crew is extremely important and raises substantial privacy concerns for its data subjects as well as the company. This may also affect how favorably actors and crew view working with Sony Pictures, but these concerns will likely go by the wayside before too long.
Financial data related to the company and its projects is also extremely valuable, though probably not considered the company’s crown jewels.
But unreleased movies?
For a company that makes its money off of people paying to see movies, is there anything more valuable than its completed-yet-unreleased movies?
At least 5 of Sony Pictures’ unreleased movies are now floating around the pirate world, and one of them, Fury, has been downloaded by over 888,000 unique IP addresses, which is enough to earn it the title of the second most-downloaded movie currently being pirated.
This has to have a major financial impact on Sony Pictures’ revenue. More so than, I assume, random unencrypted emails exchanged among employees about their Halloween costumes or plans for Thanksgiving. Some things require greater protection than others.
Lessons on Data Classification and Defense
“He who defends everything, defends nothing.” -Frederick the Great
Now perhaps Sony Pictures prepared for this by classifying its data, categorizing it, and defending it according to its respective level of importance, and just got completely pwned by the hackers — from top to bottom, inside and out. We may never know.
What we do know is that this provides the basis for a good lesson on what to consider when evaluating our own company’s data, or our clients’ data, and deciding what requires the highest level of protection and what may not.
All businesses must understand that they are operating in the digital world, that they will be attacked, and that in all likelihood the attackers will have some success in hacking into their network. How much success depends on how well the company defended its crown jewels — the data that is most vital to the company.
Frederick the Great taught that you can’t defend everything equally. Strategy requires that some things be defended more strongly than others. The same rules of traditional battlefield strategy apply to cyber warfare: You must deploy your strongest defenses where your company dies first.
This is one more example of why it is important for companies to proactively prepare for and take steps to minimize the risks of doing business in the digital world.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.