There’s been a lot of coverage recently around Sony Pictures and the hack attack which has placed Sony in the headlines for all the wrong reasons, with high volumes of sensitive company data stolen and posted online.
While Sony has been targeted in the past, it has also worked to improve its digital infrastructure security in recent years. This catastrophic attack on Sony Pictures, has sparked a lot of debate as to the source of the attack and how it was achieved, with the conversation now expanding to legal concerns and calls to media to stop publishing hacked documents. It provides a timely reminder to all, that any infrastructure is vulnerable to a well-funded, determined attacker.
Here are a few basic security strategies businesses can use right now to help avoid these incidents.
The end user is the new perimeter: Traditional security approaches have focused on establishing firewall perimeters and then layering security applications and endpoints inside of them in hopes of segmenting users and data. The security conversation has moved to a newer model – focused on identifying critical data, understanding that users must access that data on mobile and determining what controls, policies, and technology need to be used to protect the data, regardless of the device. This is a completely different paradigm. Enterprises now find that hybrid approaches that combine best-of-breed cloud solutions with established infrastructures enable the means to secure the data in the hands of the user rather than just behind the firewall.
Devalue the data: Companies must architect sensitive systems to make it economically infeasible for hackers to go after the company data. That means segmenting data depending on classification, who has access to it and creating encryption mechanisms so that even if a hacker identifies one variable, it almost impossible to get at the aggregate. What companies must remember is that the value of the data goes up exponentially as the ease of access to it does. Segmenting data based on a number of different criteria across thousands of employees across the globe and multiple devices per employee, not to mention growing audiences of partners or freelancers that need access to sensitive data, is hardly easy, but it’s become a necessity in minimising risk.
Recognise strengths and weaknesses: Sony is in the business of making movies. They’re not in the business of security. All companies must recognise what they’re good at – and what they’re not. It’s not enough to hire some security consultants, build some proprietary software and expect to be bulletproof. Large companies are realising that leveraging security-as-a-service solutions can not only help achieve data segmentation, but enable solutions that are better than what they can build or manage on their own. That’s why companies like FireEye, Okta and Skyhigh Networks are growing so quickly and will only continue to do so.