Sony Pictures lessons for Small Business

The Sony Pictures network breach has lessons for small business. Sony’s corporate network allowed access to Internet sites around the world. The malware that caused the problem communicated with control servers in Bolivia, at a university in Thailand and on a network at the St. Regis Bangkok. From the FBI press release about the Sony investigation: “the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.” Does your business attempt to stop communication between your network and North Korea? Sony Pictures did not have this foresight. Having controls on where Internet traffic is allowed to go keeps your business information safer. Reviewing your Internet traffic also helps you understand what your employees are doing with their time at work.

High speed Internet connections allow you to find great information in seconds, but unlimited access to the whole world is not necessary to make your business run effectively. Everyone needs to process credit and debit card information, but do the machines that process card information talk only to the processor, or do they talk to anyone that asks for a connection? Simple restrictions can make a big difference. If you have a retail Internet gateway, the default installation will allow access from your network to any place in the world. Freedom is great, but with the volume of Internet traffic, significant information can be lost. Last year’s breach at Target had 60,000 alerts about the intrusion that were lost in the noise of information overload. Restricting where you can go on the Internet does cause some problems. One client could not order sugar-free candy from Amazon because the destination web site was in Switzerland. This caused a few emails and phone calls, but the candy was ordered and the access was closed after the transaction.
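An added example, not from the original post: a small review of outbound flow records that applies the three ideas above (card terminals may reach only the processor, other hosts only allowed countries, and a temporary exception that closes after its expiry). The hosts, address ranges, country list and log format are all assumptions, and the log lines are constructed.

```python
import ipaddress
from datetime import datetime

# All hosts, networks, countries and log lines here are constructed for illustration.
CARD_TERMINALS = {"10.0.5.21", "10.0.5.22"}                 # machines that process cards
PROCESSOR_NETS = [ipaddress.ip_network("198.51.100.0/28")]  # assumed processor range
ALLOWED_COUNTRIES = {"US", "CA"}
# Time-boxed exceptions as (country, expiry); access closes once the expiry passes.
EXCEPTIONS = [("CH", datetime(2014, 12, 20, 17, 0))]

# Assumed log format: timestamp, source, destination, port, GeoIP country of destination.
FLOWS = """\
2014-12-20T09:15:02 10.0.5.21 198.51.100.4 443 US
2014-12-20T09:16:40 10.0.5.22 203.0.113.77 443 US
2014-12-20T10:02:11 10.0.1.14 192.0.2.50 443 CH
2014-12-20T18:30:45 10.0.1.14 192.0.2.50 443 CH
2014-12-20T11:45:00 10.0.1.30 203.0.113.9 8080 TH
2014-12-20T12:00:00 10.0.1.14 198.51.100.200 443 US
"""

def parse(line):
    ts, src, dst, port, country = line.split()
    return datetime.fromisoformat(ts), src, ipaddress.ip_address(dst), int(port), country

def verdict(ts, src, dst, port, country):
    """Return (allowed, reason) for one outbound flow."""
    if src in CARD_TERMINALS:
        # Strictest rule first: processor only, regardless of country.
        if any(dst in net for net in PROCESSOR_NETS):
            return True, "card terminal to processor"
        return False, "card terminal to non-processor destination"
    if country in ALLOWED_COUNTRIES:
        return True, "allowed country"
    for exc_country, expiry in EXCEPTIONS:
        if country == exc_country:
            if ts <= expiry:
                return True, "temporary exception"
            return False, "exception expired"
    return False, "country not allowed"

def review(log_text):
    """Return (line, reason) for every flow the policy would block."""
    findings = []
    for line in log_text.strip().splitlines():
        allowed, reason = verdict(*parse(line))
        if not allowed:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in review(FLOWS):
        print(f"BLOCK  {reason:45} {line}")
```

The short list of blocked flows is the part worth reading each day; the allowed traffic stays out of the way.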

Next generation firewalls can restrict, collect and summarize what is flowing in and out of your business. Microsoft’s free program EMET should be loaded on each Windows system to impede access to your computers. Keep your Mac and Windows machines up to date with software patches. Use protection software at the computer to fend off attacks. Do not open suspicious email or attachments. Use a password manager to keep complex, unique passwords for every site and application. Your sensitive information should be encrypted. Regular backups should be done and stored in multiple locations. Sony Pictures Entertainment was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. Restoring the information will occur after the investigation concludes. What would this cost your business? All new machines to run the company until the forensic analysis is complete?

One ounce of prevention is worth a pound of cure. Jason Spaltro, currently Sony’s Senior VP of Information Security, told CIO Magazine following an earlier hack of Sony’s servers: “It’s a valid business decision to accept the risk…. I will not invest $10 million to avoid a possible $1 million loss.” Sony Pictures had internal servers and computers taken over and gigabytes of information stolen. The $60 million cyber insurance policy that Sony has may not cover the costs of this problem. How much cyber insurance does your business have?

An IBM data loss study released this summer showed each lost record cost a small to medium business $62 in direct costs and $141 in indirect costs. This was for small business losses of less than 100,000 records. A cyber insurance policy should only be necessary if your business is connected to the Internet.