Security Think Tank: Sony employee lawsuit over data breach marks watershed moment

In the light of the cyber attack on Sony, what can every company do to ensure they are more prepared for this kind of assault?

Last year’s cyber attacks on Sony Pictures have demonstrated how internet security is now, more than ever, a worldwide issue that can no longer be ignored by organisations. 

This story also highlights the resources and sophistication behind such cyber attacks, leading to the suggestion that companies should stop worrying about keeping the bad guys out and focus on damage control.

Sony’s reputation has taken a huge hit, and the industry giant stands to lose out financially too, now that it is the subject of a class action lawsuit by employees who claim the company failed to protect their data from "law-breaking hackers".

The lawsuit in particular is a watershed moment: it has been clearly demonstrated that individuals have rights around what happens to their information – and organisations need to understand and respect that. There is no excuse for organisations to ignore the protection of information and cyber security.

Even if this lawsuit fails, the precedent has been set and there will be others. If the lawsuit succeeds, then every business will have to face the fact that doing nothing is no defence. 

As for the claims that companies would do better to concentrate on damage control, the reality is that we need both: the hurdles to keep the wannabes out, and a strategy to deal with those who are good enough to get over them. Companies need to be smart about where they put their resources and demonstrate that they are being responsible, particularly in the face of potential legal action.

So what can organisations and business people do to better defend their employees and themselves?

  1. Be proactive
    If you are the HR director, push for cyber security. It’s your job that’s on the line and it could be your department’s information that gets posted on the internet. Most importantly, you will find lots of support in your organisation for this, as it touches all directors’ fiduciary duties.
  2. Protect information
    Talk to the cyber security and IT guys and get the technology in place. Do not hide behind the smokescreen that "security stops us doing our job". The fines and the cost of clean-up (Sony estimates $15m for this alone, excluding fines and legal costs) will be far more than the cost of security.
  3. Start to create a culture/awareness of security
    Get people to take personal responsibility for the data they look after. It is vital that cyber security knowledge is widespread – and that knowledgeable champions are found in all places of an organisation and at all levels. Training and certification are one way to demonstrate your commitment to cyber security and to expand your workforce’s skills and knowledge.
  4. Individuals have rights about what happens to their information
    Organisations need to understand and respect those rights.
  5. Privacy and security are intertwined
    One relies on the other. Good cyber security provides a solid platform on which to build the technical aspects of privacy.

You do not need to be a geek to understand and apply the principles of cyber security – you need a mix of people with business, legal and cyber skills, knowledge and experience. 

Understanding concepts such as privacy is just as important. That is why we at (ISC)2 have multiple credentials – CISSP for cyber security leaders, SSCP for IT professionals and HCISPP for individuals who work with sensitive data – and why we believe everyone has a part to play and to contribute to cyber security and privacy.

Adrian Davis is managing director EMEA for (ISC)2.
