Important Lessons for Small Business from the Sony Hack

Sony Pictures Entertainment was the victim of what some are calling one of the worst hacks in corporate history. The massive data breach exposed spending on recent movies, employee salaries and Social Security numbers, unreleased films, account passwords, and embarrassing internal memos. In total, the attackers reportedly made off with around 100 terabytes of data.

As you can imagine, Sony faces major repercussions: damaged employee morale, lost movie ticket sales, legal and regulatory costs, and potential fines, to name a few. Sony is a major corporation, but small businesses can learn from this breach too.

Initially, blame for the hack was placed on North Korea (in the plot of the new Sony movie ‘The Interview’, the two main characters are sent on a mission to kill North Korean leader Kim Jong-un); however, at the time of writing some reports dispute that attribution. Because of the level of internal detail in the leaked data, it is believed that a Sony employee, past or present, at some level, helped expose the data alongside an outside group. Most news sources are reporting that group as the “Guardians of Peace.”

With over 149,000 employees and billions in annual revenue, Sony is an obvious target for hackers. Why would your small business be a target for a data breach? Your business is nowhere near the size of Sony, but your internal data is still valuable, and threats such as malware and disgruntled employees can destroy or expose it. The problem doesn’t lie in the size of your business but in the security within it.

Here is what you can learn from this data breach:

Permissions and Privileges:

It appears that many Sony employees had access to folders and servers they had no business reason to reach. If so, those excess privileges gave whoever broke in a correspondingly wider view of the data: an attacker who compromises one account inherits everything that account can open.

What you can learn from this: Limit each user’s privileges to what the job actually requires (the principle of least privilege) while still letting employees do their work. Conduct an access audit at your business: list your shares and folders, list who can read or change each one, and compare that against who truly needs to. Pay special attention to catch-all groups such as “Everyone” or “Domain Users” on payroll, HR and finance folders, and repeat the review whenever people change roles or leave.
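The audit described above can be done with a short script once you have an export of who holds what on each share. The following is an added example written for this article (not code from Sony or from the original post); every user, group, share name and role in it is constructed for illustration. It compares the grants users actually hold against the maximum access their role needs and flags two kinds of over-permission: a user holding more than the role requires, and a catch-all group granted on a share marked sensitive.

```python
"""Least-privilege access review (added example, constructed data).

Compares the share permissions users actually hold against the access
their job role needs and reports:
  * EXCESS: a user holding more on a share than their role requires, and
  * BROAD:  a catch-all group ("Everyone", "Domain Users", ...) granted on
            a share marked sensitive.
"""

# Permission levels in increasing order of power (NTFS-style names).
RANK = {"None": 0, "Read": 1, "Modify": 2, "Full": 3}

# Groups whose presence on a sensitive share means "practically everyone".
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed inventory of current grants: (principal, share, level).
# In practice this comes from an export of your share/NTFS permissions.
ACTUAL_GRANTS = [
    ("alice",        r"\\fs01\Payroll",   "Modify"),
    ("alice",        r"\\fs01\Marketing", "Read"),
    ("bob",          r"\\fs01\Payroll",   "Full"),
    ("bob",          r"\\fs01\Marketing", "Modify"),
    ("carol",        r"\\fs01\Scripts",   "Modify"),
    ("carol",        r"\\fs01\Payroll",   "Read"),
    ("Domain Users", r"\\fs01\HR",        "Read"),
    ("Domain Users", r"\\fs01\Public",    "Read"),
]

# Constructed role assignments and the most access each role needs.
ROLE_OF = {"alice": "hr", "bob": "marketing", "carol": "developer"}
ROLE_NEEDS = {
    "hr":        {r"\\fs01\Payroll": "Modify", r"\\fs01\HR": "Modify"},
    "marketing": {r"\\fs01\Marketing": "Modify"},
    "developer": {r"\\fs01\Scripts": "Modify"},
}
SENSITIVE_SHARES = {r"\\fs01\Payroll", r"\\fs01\HR"}


def excess_grants(grants, role_of, role_needs):
    """Return (user, share, held, needed) for every grant above the role's need."""
    findings = []
    for principal, share, level in grants:
        role = role_of.get(principal)
        if role is None:
            continue  # groups are handled by broad_grants()
        needed = role_needs.get(role, {}).get(share, "None")
        if RANK[level] > RANK[needed]:
            findings.append((principal, share, level, needed))
    return findings


def broad_grants(grants, sensitive):
    """Return (group, share, level) where a catch-all group can reach a sensitive share."""
    return [(p, s, lvl) for p, s, lvl in grants
            if p in BROAD_GROUPS and s in sensitive]


def review(grants=ACTUAL_GRANTS, role_of=ROLE_OF,
           role_needs=ROLE_NEEDS, sensitive=SENSITIVE_SHARES):
    """Run both checks and return the findings as a dict."""
    return {"excess": excess_grants(grants, role_of, role_needs),
            "broad": broad_grants(grants, sensitive)}


if __name__ == "__main__":
    result = review()
    for user, share, held, needed in result["excess"]:
        print(f"EXCESS  {user:<14} {share:<18} holds {held}, role needs {needed}")
    for group, share, level in result["broad"]:
        print(f"BROAD   {group:<14} {share:<18} {level} granted to a catch-all group")
```

On the constructed data this reports that alice can read Marketing, bob has full control of Payroll and carol can read Payroll without any role needing it, and that Domain Users can read the HR share. The role table is the important part: writing down what each role needs forces the "who truly needs what" conversation, and the script then turns every later review into a diff against it.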

Storage and Passwords:

Sony’s password-protected documents were allegedly stored in the same locations as the passwords required to open those same documents. To add insult to injury, many of the leaked passwords were very weak. Even if the passwords had been stored properly, weak passwords can be guessed or cracked quickly.

What you can learn from this: Storing passwords in the same place as the documents they protect is like leaving the key to your front door in the lock. Keep credentials separate from the data they unlock, ideally in a password manager, which also lets you use long, unique, random passwords without having to remember them. To get a feel for password strength you can use a tool such as http://www.passwordmeter.com, but never type a password you actually use into a third-party website; test a similar pattern instead, and remember that length (a passphrase of several unrelated words) matters more than special characters. Especially for the most sensitive information, turn on two-step verification as well: after entering a password, the user must supply a second step of verification, such as a one-time code from an authenticator app or one sent by text message, before gaining access. A code from an authenticator app is preferable to a text message where it is available.

Security of Financial and Healthcare Information:

Payroll, HR and health information was leaked as a result of the hack. Because of this, Sony will likely face investigations under regulations such as HIPAA and the IRS rules that govern taxpayer data. Major news sources suggest that this information was not stored to the standard those regulations require; for instance, the sensitive data appears to have been kept together in the same directory. If that is truly the case, Sony could face heavy fines for improperly storing it.

What you can learn from this: Make certain that the way you store employee health and financial records complies with the federal regulations that apply to your business: keep those records apart from general file shares, restrict who can open them, and keep a record of who has accessed them.

As the Sony story unfolds, we will learn more about the repercussions and costs of the theft. One thing is certain: this incident has tarnished the Sony brand name, it will likely spawn compliance investigations and legal proceedings, and it has left many of their employees upset. How much of this would your small business be able to weather?

Posted on December 12, 2014 and filed under Business IT, Computer Security, News.