Sony Pictures has admitted it was unprepared for the nature and extent of the cyber attack that hit the company in November 2014.
Chief executive Michael Lynton described the firm as a “canary in a coal mine” in an interview with Associated Press.
“There's no playbook for this, so you are, in essence, trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of experiences you've had in the past or other people's experiences. You're on completely new ground,” he said.
Lynton said Sony Pictures was “adequately prepared”, but could never have predicted “an attack of this nature”.
He also claimed that the FBI told him 90% of other companies would have fallen as a result of such an attack, according to Reuters.
Standard disaster recovery planning
But some information security commentators have dismissed these statements as an attempt at controlling the damage in the light of potential legal action by those affected by the breach.
Sony Pictures should have been better prepared and should have detected such a large data loss, according to security expert Brian Honan of BH Consulting.
“It is hard to understand how more than 100TB of data would leave someone's network undetected,” he told the BBC.
Initial analysis of the attack showed that Sony Pictures could have been better prepared by encrypting all sensitive data, by keeping passwords separate from password-protected documents, by using two-factor authentication, and by keeping sensitive data separate from other data.
The attack disabled computers, and employees found that they had lost all past email, contacts, distribution lists, budgets and anything else stored on the network.
Lynton has now revealed that email systems are expected to be restored only this week and that restoring the computer network may take up to six weeks.
Information security commentators say these are two key areas that Sony Pictures should have been prepared for as a standard part of disaster recovery planning.
Preventing another Sony hack
While Sony Pictures may get away with insisting there was no way it could have been prepared for this kind of attack, no other company can play that card in future.
The attack on Sony Pictures proves that regardless of who is behind such attacks or what their motive may be, the threat is real and organisations should be planning their cyber defences accordingly.
Another lesson to be learned from Sony Pictures is the value of cyber insurance. According to Lynton, the costs of the attack will be completely covered by insurance and will not mean any more cost-cutting.
“I would say the cost is far less than anything anybody is imagining and certainly shouldn't be anything that is disruptive to our budget,” he told Reuters.
While the cyber attack may have the positive effect of getting more organisations to take the cyber threat more seriously and ensure they have adequate defences in place, civil liberties groups have expressed concerns that the attack has also led to the resurfacing of the controversial Cyber Intelligence Sharing and Protection Act (Cispa) aimed at helping companies and the government share information on cyber threats.
Democrat US Representative Dutch Ruppersberger has re-introduced the bill to the House Intelligence Committee under the auspices of preventing another Sony hack, reports Gizmodo.
The White House has threatened to veto Cispa in the past, so is unlikely to support it the second time around, but president Barack Obama is to highlight plans to protect US consumers and businesses from cyber threats in his State of the Union address on 20 January.
A White House official said Obama will announce legislative proposals and executive actions that are aimed at tackling identity theft and privacy issues, cyber security and broadband access, reports Reuters.
On 12 January, Obama is expected to present plans “to improve confidence in technology by tackling identity theft and improving consumer and student privacy” in a visit to the Federal Trade Commission, the unnamed official said.