Sony found itself in the news again over the Christmas period as its PlayStation network was brought to a standstill by a group of hackers. While this may have momentarily diverted attention from the recent “North Korean” attack, the story that two former Sony Pictures employees are suing the company, claiming that it mismanaged health care information and other personal details grabbed by hackers in the recent breach, could well have companies across the globe running to review their security setups.
Should the two plaintiffs win their case, it is likely to set a precedent in terms of the Duty of Care for companies to protect the data on their staff.
In this case, the two former employees claim Sony knew its computer systems were not secure enough to protect confidential employee information prior to the breach.
This is backed up by recent stories: a Recode report stated that a security audit conducted earlier this year showed gaps in the way the movie studio monitored its computer systems.
The tech magazine reported that PricewaterhouseCoopers undertook an audit of Sony’s systems over the summer and found that “a firewall and ‘more than 100 devices’ were being monitored by the studio's in-house team rather than Sony's corporate security team tasked with overseeing infrastructure.” That gap, the auditors claimed, could mean a slower response time should a problem occur.
Of course, Sony isn’t the first company to get hacked and it won’t be the last – the bank, the US military and even the White House have suffered similar fates – but what makes this uncomfortable reading for the group is the fact that it has ‘previous’ when it comes to failing on the security front.
In a recent article, Bruce Schneier, American cryptographer, computer security and privacy specialist, said: “You don't want to be in the category of blame the victim, but Sony has had hacks before. It's been hacked dating back to 2005, and the executives inside of it are still emailing to each other like it's 1997 and it's the first time they've ever been on email.”
In light of the company’s previous high-profile attack – the 2011 PlayStation hack that took the network out and compromised thousands of users’ personal details – you would have thought that Sony would have learned a lesson from this and stepped up its game. Two serious hacks in two months suggest otherwise. Either that or the entire hacking community is out to kick the company while it’s down.
Worryingly, the two ex-employees behind the lawsuit claim Sony's response thus far has been inadequate. They are demanding the company “cover all their credit, credit card, bank, and identity theft monitoring expenses for five years. They're also seeking class-action certification so their suit can represent both current and former employees.”
The reality is that Sony hasn’t done itself any favours here, but people will be looking on to see how this one pans out.
So, if you’re not already looking to shore up your cyber defences, now’s the time to start. All indications suggest that the situation in cyber space will not improve until organisations, large and small, take tangible and reasonable steps to safeguard their network infrastructure.
Here are our suggested tips to help you sleep better at night:
One of the key things to realise is that good security is not about one thing or another; it’s about a combination of things all working in harmony.
• Get your Patch Management sorted
• Make sure you have a strong Antivirus
• Robust Email Filters are essential
• Ensure you have Web Protection in place
• Don’t forget Backup
• Know your Network
• Educate your employees
Want to know more about security? Then check out the video series by our security lead, Ian Trump…