Bringing down Sony was frighteningly easy
The average company is one bad click, misplaced password or disgruntled employee away from getting hacked.
At Sony Pictures, the company basically put out the welcome mat for hackers.
Leaked documents show that Sony employees kept lists of passwords in spreadsheets on their computers. Also, employees kept the Social Security numbers of 47,426 people — including Conan O’Brien and Sylvester Stallone — lying around in unencrypted files. That’s extremely reckless.
The Sony Pictures mega-hack, chock-full of erased computers and exposed documents, is only the latest example of how hackers can attack companies’ computer networks with frightening ease.
In 2010, hackers slipped a “digital bomb” into the Nasdaq that nearly sabotaged the stock market. In 2012, Iran ruined 30,000 computers at Saudi oil producer Aramco. In 2013, North Korean hackers froze some of South Korea’s banks and media networks.
Meanwhile, companies seeking to reduce costs and increase efficiency have centralized powerful networking controls, giving more employees access to massive amounts of data. 71% of employees say they have access to sensitive data they shouldn’t see, according to a new survey by the privacy experts at the Ponemon Institute.
That means the payoff for hacking is even higher, according to Richard Danzig, vice chair of the RAND Corporation think tank and former Navy Secretary. Getting an employee’s username and password through a simple phishing email could be enough to bring down a company.
“I don’t think anyone has a grasp of the magnitude of our challenge,” Danzig said. “Cyber insecurity can lead to the destruction of your company, your brand, your capability, your assets.”
Companies simply don’t do enough to protect themselves — many even ignore basic cybersecurity protocol.
A recent survey conducted by cybersecurity firm Trustwave shows that 18% of companies don’t perform “penetration tests,” essentially a search for holes that hackers can exploit. And 20% of firms don’t even have a way for anyone to report security incidents.
It’s not enough for a company to install antivirus programs on every computer and restrict employee behavior online. Every employee is on the front lines of an ongoing conflict, whether they like it or not.
Not all industries are equally vulnerable. Banks are ahead of the curve: They get hacked, but their losses are generally minimal, security experts widely agree. But other sectors — manufacturing, health care, retail — are far behind. In the past year, one of the nation’s largest hospital networks was hacked, losing data on 4.5 million patients, and Home Depot, one of the nation’s largest retailers, suffered a major hack as well.
Even critical infrastructure is vulnerable. The U.S. energy grid is under constant attack, for example.
Will the Sony hack serve as a wake-up call for companies to raise their defenses?
Ralph Langner, a German cybersecurity consultant, isn’t convinced it’s sufficiently brutal.
“It still isn’t painful enough,” Langner said. “It’s going to get worse. We didn’t learn after Target. It got off easy. Sony? We’ll have to see the actual damage.”