
On the Sixth Day of Privacy, the hackers gave to Sony......

many more than six different hacks.......and headaches......

Written by Jonathan Ursprung

With the holiday season in full swing, many of us are struggling with that age-old question: "what do you get for the person who has everything?" Well, if that person happens to be your supreme leader, the answer may very well be "a massive download of electronic dirty laundry on their sworn enemy".

In late November of this year, the disturbing outline began to form of a massive data breach at Sony Pictures. Early indications suggested that the perpetrators may have been acting on behalf of, or to curry favor with, Kim Jong-un of North Korea; Sony Pictures had been promoting its upcoming film "The Interview", which features a fictional assassination plot targeting the head of state. While North Korea has since denied involvement, the possibility that state-sponsored hackers had carried out this attack was both credible and, ultimately, unsurprising.

News reports of government-backed hacking plots have been circling the Internet for years. A NATO timeline provides a brief overview of attacks by hackers operating under the auspices of various governments. North Korea makes that list, along with its northern neighbors, China and Russia, and its fellow "Axis of Evil" nation, Iran. Rounding out the list are the United States and its ally Israel, whose intelligence agencies are generally believed to have been involved in the creation and distribution of the Stuxnet worm. It is inevitable that, as more and more of life is conducted online, the focus of governmental scrutiny is increasingly fixed on virtual activity.

The fourth quarter of 2015 has seen an increase in media attention on government hacking. The Sony Pictures story of a powerful dictator's devotees driven to extreme lengths to reclaim his honor was, unfortunately, too good to be true. But bookending that story have been those of Google warning users of possible state-sponsored attacks from the Middle East in early October and the FBI warning American businesses of Iranian attacks just this past week. And although the Sony Pictures - North Korea link fizzled, a February attack on Las Vegas' Sands Casino does appear to have been carried out by supporters of Iran's rulers in response to Sands' owner Sheldon Adelson's remarks about Iran's nuclear program.

So what can businesses do to reduce the risk of state-sponsored data breaches in 2015? The short answer is to implement the tried-and-true data security and privacy practices and procedures that have been proven to reduce the risk of all data breaches, regardless of source. Some state-sponsored hackers may have more tools at their disposal than private attackers (notably, for example, the NSA's backdoor decryption key for RSA), but ultimately they are all working from the same playbook: exploit known weaknesses. While no solution can guarantee safety 100% of the time, applying best practices will close off the most common avenues of attack and make your business a less appealing target for any attacker. And, should disaster strike, a little preparedness goes a long way in reducing response and recovery time.

A key 2015 question: what is your company's records management and retention program and (if you have one) how effective is it? The Sony tale should be incentive enough. If you need more reading (or ammunition for that RIM program): here, here and here (registration may be required).

Further, as a belt-and-suspenders precaution, you may wish to guide your firm away from hiring Seth Rogen and James Franco to star in this year's corporate retreat video.

 


Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.