Friday, December 19, 2014

Cyber Security: Lessons from the Sony Pictures Hack

For the past few years, we have heard repeatedly that the “biggest cyber attack to date” has just taken place. Whether these attacks are being carried out by a consortium of Eastern European cybercriminals, some third-world despot, or an American high schooler in his basement, one thing has become certain: we cannot stop the attacks from happening. We can, however, be more prepared for them. The lawsuits that have arisen out of the recent Sony data breach, and out of last year’s “biggest attack to date,” the Target data breach, have common themes that businesses must consider when looking at their own systems.
 
Both Target and Sony allegedly failed to segregate and protect different types of data, and instead left all data accessible from a single point of entry. The Target hack started with the theft of login credentials from a third-party vendor. The vendor’s credentials allowed access to Target’s network, which was allegedly not segmented to ensure that its most sensitive parts were walled off. The hackers purportedly exploited this vulnerability and moved into Target’s customer payments and personal data network, where their malware was uploaded. This type of vulnerability – called a “segmentation issue” – occurs where two computer systems within a network are unnecessarily connected.
 
In the Sony attack, hackers were able to steal thousands of Social Security Numbers, passwords, medical records and other personal information of former and current employees. The attackers also successfully stole and leaked unreleased movies, financial information, internal e-mails and intellectual property. The hackers encountered over 500 spreadsheets and hundreds of PDF/Word documents that contained employees’ personal information and that were allegedly not password protected. It is further reported that a folder entitled “passwords” was available to assist in the theft.
 
At this point, you may be wondering if you should care about this if yours is not a Sony or Target-size business. You should care. It is a common misperception that cybercriminals target only large companies that are rich in intellectual property or financial and personal information. In fact, more than 40% of small businesses (those with 5,000 employees or fewer) have recently suffered a cyber attack. Their vulnerability is underlined by the fact that 77% of those same small businesses believe their companies are safe from cyber threats, and 66% are not concerned about such threats. Attacks of small- and medium-sized businesses will continue. In fact, hackers are targeting more small-and medium-sized businesses all the time. They have become low-hanging fruit for hackers to pick.
 
To limit the impact of these attacks, the segmentation of different network systems and the compartmentalization of different types of data (e.g., employees’ personal information, financial data, intellectual property, etc.) should be a top priority. In addition, limiting who has access to each kind of information can prevent an attacker from accessing all your information by targeting a single entry point. Businesses should also consider eliminating data that is no longer useful for their operation, but which can be very valuable to hackers, such as former employees’ personal information.
 
Although there are other precautions that a company should undertake to protect its electronic data, failure to segregate data and failure to control and limit who has access to types of data are currently providing claimants with a basis for their claims.
 
It is important to recognize that the law does not discriminate between small and large businesses. If an organization or individual has the personal or financial information of others, including current or former employees and customers, that organization or individual is a target for hackers, and, if hacked, will be required to comply with data breach notification laws. Notification laws vary from state to state and impose penalties for non-compliance. Some states, like Massachusetts, are now requiring organizations to affirmatively implement data-protection safeguards. Failure to comply with such state laws can result in fines or liability, even in the absence of an attack.
 
As Target and Sony are learning the hard way, the security of electronic information needs to be high on every employer’s (and every business’s) list of priorities. Segmentation of systems, user restrictions, strong passwords, and elimination of data when no longer needed, are basic security precautions that businesses should undertake now, affirmatively, rather than waiting until precautions are required by law or, worse, are too late to do any good.