Or so it would appear, based on the story that has been developing at Sony Pictures over the last few weeks. In a classic case of ‘you couldn’t make it up’, this is the story that to the world of cyber security, ‘just keeps on giving’. Indeed I now read that another film company is holding back on the release of a film that touches on similar subject matter to The Interview.
Whilst the media focuses on the ‘whodunnit’ aspects of this story I am more interested in the wider ramifications it may hold as regards Cyber Security and the broader business community. As we all know Hollywood is for the most part about fantasy. Putting aside the films, the actors and media moguls work in environments that are way beyond what the average man in the street ever experiences. So when a name like Sony Pictures is the subject of a cyber attack, it serves to reinforce that this sort of thing is unlikely to happen to just any old business.
Whilst the IT industry maybe salivating at the prospect of cyber security being right at the top of C Level exec’s list of corporate New Year’s resolutions, small businesses could be fooled into taking their foot off the gas. Why me, when there are so many bigger, high profile fish to fry?
Putting motives aside and granted your average small business is unlikely to be the target of a nation state attack, the route via which the hackers gained access to Sony Pictures’ IT systems and the mechanisms they used to extract data will be exactly the same. Vulnerabilities will have been exploited, be they people or technology based. Weaknesses have been established and taken advantage of by hackers in order to secure their objective.
What’s more it is proving that the value of digital assets are many and varied. In the world that I have been focused on over recent years the onus has been on payment card data, that which can be sold on in return for cash, or used to undertake fraudulent purchases. In this scenario the problem is that until they become the target of such an attack, the victims have generally been blissfully unaware that they bore any responsibility or liability for such losses. The reality is that there has exisited a misguided perception that cyber security issues are typically associated with inconvenience rather than material and financial damage, especially where small business’ are concerned.
Putting aside the production costs and loss of revenue associated with the aforementioned film, the reputational impact could be far more costly and longer lasting, especially to those running the company at this time. With the perpetrators of this attack sitting of terabytes of corporate data, there is no end to the ‘dirty washing’ that could implicate current senior management over the coming months. That said you could argue that this is trivial by comparison to more sensitive intellectual property, in the shape of ideas and other sensitive commercial information that is also there to be revealed.
So like any Hollywood block buster, things could be construed as somewhat farfetched, however most such productions have some underlying moral for the audience to take away. In this instance it is that we are all potentially vulnerable to hackers. Their motives might not be fully understood, however what they find might shock and surprise you. Personally my fear is that in the coming years cyber extortion via legions of mercenary hackers will prove to be a far more lucrative than a few thousand credit card numbers!