The big lessons from the Sony breach are that businesses need better planning and to shift security investment away from trying to protect the network from attacks and toward quickly detecting and dealing with breaches, Gartner says.
That means hiring staff to deal specifically with that type of exploit, which Gartner gives a new name: aggressive cybersecurity business disruption attacks.
+[Also on Network World: U.S. on Sony breach: North Korea did it; Worst security breaches of the year 2014: Sony tops the list]+
It also means training employees to use digital media safely, and may require investments in network architecture changes, encryption and tools such as endpoint threat detection and remediation platforms, Gartner says in a new report "Attack on Sony Pictures is a Digital Business Game Changer."
The report says the Sony attack is a wake-up call. Because of the scope of damage this type of attack can wreak, businesses need to update their business continuity plans to pull in expertise beyond IT and security departments to include legal departments, human resources, corporate communications, and public relations. It should also include outside interests such as law enforcement and network service providers.
"Although the frequency of an attack on this scale is low, the attack's disruptive scope on business operations should be examined by CISOs, [chief risk officers] and [business continuity management] leaders to inform future planning and execution," the report says. "Security risk management is not new but it has new urgency."
Gartner expects that businesses jolted by what happened to Sony will be quick to respond. While today no large enterprises have plans for dealing with aggressive cybersecurity business disruption attacks, within three years, 40% will, the report predicts.
Specifically, the report recommends that those plans include expanding current attack-response to include an incident response manager trained to deal with all the parties that come into play when dealing with the aftermath of such attacks.
The analysis of business impact should include not only IT services and business processes but also a social media plan for controlling damage to the organization's reputation, Gartner says.
Gartner strongly recommends against striking back as it may risky and illegal.
As for IT recommendations, businesses should use endpoint threat detection and remediation tools and the expertise to analyze the data they collect. These systems gather data about behavior of individual endpoint devices and in some cases analyzes it as well as takes steps to contain damage.
With damage control in mind, networks should be segmented to help contain incursions when they are discovered. This should be done rapidly with the idea in mind to isolate areas that have been compromised. Deciding whether to cordon off an asset should be its value and the requirements employees have for accessing it. Use of encryption should be increased, Gartner says.
Penetration testing should look at IT and non-IT business processes, and should include how vulnerable the organization is to social engineering.
Training employees in safer behavior is a must. "People will not change their behavior unless they have motivation to do so, and organizations must generate that motivation in a positive, consistent and persistent manner." They should be motivated to use digital media safely, and perhaps people-centric security is in order, the report says.
"The rise of ubiquitously connected devices and the Internet of Things has expanded the attack surface, and commands increased attention, larger budgets and deeper scrutiny by management," The Gartner report says. "Security is not a technical problem, handled by technical people, buried somewhere in the IT department. ... Risk-based decision making requires improvements in non-IT executive communication and engagement."