Enterprises must learn from Sony's security mistakes

Sony

COMMENT You might have thought that a large enterprise such as Sony, having suffered a very high profile and therefore highly embarrassing (not to mention brand damaging) security breach earlier this year, would have done everything it could to ensure there could be no further shocks for its customers.

You would have been wrong though, if the news that Sony has locked down 93,000 online accounts is anything to go by.

It would appear that a number of unauthorised access attempts had been registered earlier this week, over a three day period, which succeeded as far as verifying the valid sign-in information for more than 90,000 accounts concerning Sony Entertainment Network, Sony Online Entertainment and PlayStation Network users.

What a shame that Sony hadn't taken the time during the five or six months that have elapsed since the original data breach... to re-evaluate security holistically.

Although the fact that Sony reacted reasonably quickly to the hack attempt might sound like good news for the entertainment giants, coupled with no credit card information being put at risk this time around, I'm not convinced that's the case.

Sony is being pretty quick to assure anyone who will listen that the breach came about from using data lists obtained from compromised external sources, as in other companies and not Sony itself. It is being equally timely in stating that all the accounts concerned have been locked until a full investigation into the actual extent of the unauthorised access attempts has been completed.

Users will be asked to change passwords, although once again Sony is taking the opportunity to try and mitigate brand damage by pointing out that it was but a "small fraction" of the 93,000 accounts which had logged any kind of activity before being locked down.

What a shame that Sony hadn't taken the time during the five or six months that have elapsed since the original data breach and the secondary one that followed soon after to re-evaluate security holistically. If it had done that then perhaps it would have understood that the old enterprise security paradigm of 'encrypting critical business data balances the risk equation' is no longer enough.

Hackers are no longer just interested in your financial information, credit card data and the like, they are interested in everything because everything has a value. Increasingly this means an interest in what you might call 'social data' that you hold about your customers.

"To ensure maximum security, organisations need to encrypt all data, including the information they exchange and store with external IT infrastructures, such as business partners, cloud providers and other third party organisations," says Mike Smart from SafeNet. "This will significantly reduce the potential damage to the business and the customers in case of a security breach and will restore trust in consumer privacy."

Unless Sony, and indeed you for that matter, adopt a more holistic approach whereby data is encrypted at every stage of the lifecycle then this is not going to be the last time I write about trust-tarnishing, brand-damaging breaches such as this.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.