January 14, 2015
It’s an understatement to say that Sony Pictures Entertainment probably got one of the worst holiday gifts any company could wish for last month. Or should I say gifts: 47,000 leaked Social Security numbers, three class action lawsuits (at press time), and an unprecedented movie premiere cancellation. Add in a near-infinite number of embarrassing stocking-stuffers in the form of leaked executive communication, and Sony would love nothing more than to ask for a gift receipt and return these headaches to where they came from.
As they say, though, there’s no putting the toothpaste back in the tube. But what’s the lesson for those of us on the sidelines, watching and worrying? The insurance buyer in me says cyber liability coverage is the answer, but I wonder if that really solves the problem. After all, it doesn’t help prevent or limit attacks, and it doesn’t even hold entities responsible for conducting the hacks. Not to mention, how long until this approach leads to a pitch for a governmental cyber liability backstop?
What about a more holistic approach to the problem? Do we build higher walls and stronger gates? Redouble our efforts to enforce encryption best practices? Do we at least label our password directories with names other than “passwords”?
This enterprise risk management approach seems to make the most sense (especially for the latter). As long as attackers feel they can win by gaining something valuable, they will continue to hack away. The least we can do is make it more difficult for them, and have some cover in place in case it all goes to hell.