The Significance of the Sony Pictures Attack

09/01/2015 16:50 GMT | Updated 10/03/2015 09:59 GMT

Unless you've been offline and haven't watched TV or listened to the radio for the last month and a half, you probably know about the ongoing saga surrounding the security breach at Sony Pictures Entertainment. Following an attack on the corporation's systems late in November, the hackers published stolen data - including films, scripts (including the script for the next James Bond film), employee health care information and internal e-mails. The commonly accepted narrative is that the group responsible, the 'Guardians of Peace', is linked to the Democratic People's Republic of North Korea and that the whole nightmare scenario is connected to the release of a puerile comedy called 'The Interview' - a Hollywood film centred on the assassination of North Korean leader Kim Jong-Un.

Opinion is divided on who's responsible for the attack and the story seems set to run and run. However, in the case of targeted attacks, attribution is very difficult to determine, since there are plenty of ways an attacker can cover their tracks. But there are two other things that I'd like to highlight.

The first involves business security. It's clear that Sony failed to learn the lessons from the attack on the PlayStation Network in spring 2011. For me, the issue is less about the fact that the company is once again on the receiving end of an attack. The bigger and more complex a company becomes, the harder it is to protect its infrastructure. For a global company like Sony, with many thousands of employees using different devices and applications running on a variety of operating systems, security is a huge challenge. No system can be 100 per cent secure. So if an attacker is able to identify a vulnerability that provides them with a foothold in a company (and time and time again in targeted attacks human fallibility provides this foothold), they can extend their control to other parts of a corporate network. What's really striking in this case - as in the 2011 attack - is that so much sensitive data was inadequately protected.

The second relates to the threats made by the hackers (or those claiming responsibility for the attack on Sony) to launch terror attacks on cinemas that showed 'The Interview'. The threat from hackers of a real-world attack, potentially affecting the physical safety of the wider public, is alarming.

We live in a connected world and more and more aspects of our daily lives are becoming digital. So no matter how big or small an organisation is, everyone is at risk from a cyber-attack. This could range from a random, speculative attack to a more sophisticated targeted attack. There are things we can all do to avoid jeopardising our own security or that of the organisation we work for. These include encrypting private data, creating unique, complex passwords, securing devices and networks and using only trusted Wi-Fi networks for confidential transactions. The message here is that we all need to be vigilant.