Sony debacle shows how not to handle a hack

The Sony take-down didn't provide many new lessons for IT, but it did emphasize the fact that even those with plenty to lose still have blind spots
Written by John Fontana, Contributor

In some debates it may matter whether North Korea was involved in the Sony hack, but from an IT and corporate perspective it has little bearing on what lessons there are to learn.

Sony Pictures Entertainment seems to have mishandled its situation from the start, including poor security standards and sloppy IT procedures, bad public relations judgment, and ultimately a panned decision to cave in to hacker demands.

On top of all that, the hack and its fallout are far from over.

It also reeks because another hack under the Sony umbrella, the PlayStation data breach, reached a preliminary $15 million settlement in a class action lawsuit shortly before this latest horror began brewing inside Sony Pictures Entertainment.

Leaked documents and statements from ex-employees show that Sony wasn't running a competent IT operation. The Associated Press reported Sony had suffered previous technology outages the company blamed on software flaws and inept IT staff even as the most recent hackers were mucking around.

Also, encryption was missing on sensitive documents containing salary and revenue data, strategic plans and personal employee information. Passwords were stored in electronic folders succinctly marked "passwords."

These are the sorts of oversights and rookie mistakes that are seen often but are nonetheless reckless at best and damning during a breach (and the subsequent legal action).

A contractor who worked for Sony was more blunt, telling Business Insider, "The security team has no f---ing clue."

That was mistake one: disregard for industry best-practice security measures and poor staffing decisions.

Once the hack was revealed, Sony's damage control began to look as inept as its network skills.

The company brought in reputable cybersecurity firm Mandiant, but things went south when Sony CEO Michael Lynton issued a memo, picked up by media, saying the firm had told him the hack was "unprecedented" and "neither Sony Pictures Entertainment nor other companies could have been fully prepared."

Other cybersecurity firms panned that conclusion, and Sony was left looking like it had paid for a positive assessment that might win it public favor as a bullied victim.

When public sympathy didn't come and the story got out of control, Lynton struck out at the media, hiring high-powered lawyer David Boies, who represented the Justice Department in the case against Microsoft, to tell media outlets that they were in possession of stolen information and should destroy it.

The media refused, citing responsible reporting, and again left Sony looking like the bad actor in its own personal Armageddon.

That was mistake two: trying to hang a veil in front of the media instead of being transparent and sticking to reasonable disclosure processes.

The third strike came when Sony pulled "The Interview" movie from release, touching off a national debate around the First Amendment and setting off an outcry from entertainment luminaries and other artists devoted to free expression.

The Sony hack is now generating a storm of hype around cybersecurity, cyberwarfare and hacktivism that is likely to touch off new rounds of lengthy legislation that will further burden overworked corporate security architects and keep Sony in the spotlight.

For enterprises, it's time to shut out the noise. The bulk of the lesson here has been served and the message isn't much different than it was pre-hack.

Security architects need to work on correcting their obvious weaknesses and on tightening the screws around security technologies already deployed. Email and document storage policies and procedures need to be revisited. Corporate communications needs to think before it acts, prevent executives from acting without thinking, and shore up (or create) crisis plans.

And the executive suite needs to listen, to comprehend risk, and fund IT work that minimizes the possibility of a breach or lessens the damage if one occurs.

These are familiar refrains that are often addressed with lip service. But there is a company out there storming toward becoming the next Sony Pictures Entertainment. Will it be yours?