Whoever hacked Sony Entertainment at the end of November changed information security forever.
Where once hackers had been most concerned to gain access to the honeypots of credit cards and bank accounts, this theft had a different goal, one that became clear with the steady release of Sony’s most intimate secrets throughout December.
This wasn’t about money. This was all about humiliation.
We now know way too much about the inner workings of one of the ‘Big Four’ film studios. The magic of cinema looks weak and ugly under close examination. Everything that once seemed lofty and businesslike has been exposed as little more than high school politics and juvenile name-calling. In the back of our heads, we wonder if the rich and powerful always talk trash outside the spotlight. Is Sony the exception -- or the rule?
Sony Pictures Entertainment co-chairs Amy Pascal and Michael Lynton come out of this looking particularly bad. Tucked within a cache of terabytes of stolen data, emails detail the pair trash-talking about everyone from Barack Obama to Adam Sandler. In a twist of fate worthy of a movie, the cry “You’ll never work in this town again!” may suddenly apply to two of Hollywood’s most powerful, stripped down to their most confidential secrets.
Although Sony Pictures Entertainment maintains prodigious security precautions for its physical facilities, to keep intellectual property from walking out the door (Sony’s Culver City studios have been called ‘a fortress’), the same security seems to have been lacking for the studio’s digital assets.
For a business that generates the entirety of its income from intellectual property, this seems quite a substantial miss. Over the last twenty years, intellectual property has been digitized as a matter of course. It exists in physical form today only when someone can be bothered to print it. Everything that makes money for Sony is a digital asset.
If Sony were JPMorganChase or another large financial institution, their risk management and security analysts would have those assets squirrelled away deep within digital vaults, air-gapped against any possible network intrusion, access strictly limited on a need-to-use basis.
While that solution might please the insurers, a film studio isn’t merely a vehicle for monetizing intellectual property. Studios create intellectual property, and in the 21st century that requires a free flow of information: scripts, drawings, production notes, schedules, contracts, etc. All of it goes over the network, all of it ending up on drives and in email inboxes, all of it becoming more and more valuable, and, for that reason, all the more tempting.
The Sony hack exposed the central dilemma of many 21st century businesses - an organisation's strengths as a creative engine of intellectual property create ever-greater vulnerabilities. Businesses bravely knock down the silo walls to keep the ideas flowing, leaving themselves open to invasion.
In early January, Sony Pictures Entertainment advertised for information security specialists - better late than never. The other studios must already be reviewing their information security policies, looking for obvious weaknesses. Post-Sony, the whole industry has grown more cautious. For a time, the security consultants will rule. Ideas will flow more slowly - and more securely.
Over the next decade, the security pendulum will swing back and forth, as businesses try to balance the power of the networked organisation against the weaknesses it creates. There is no one right answer for information security, just an answer that’s right enough for a given business at a given time.
Much of that answer will not be driven by the businesses themselves, but by the entities that insure them. Businesses in every sector will be looking for coverage against the losses due to the theft of corporate secrets. Insurers will mandate audits and inspections and best-practice behavior as the price of coverage, just as they do today for a bank or jeweller.
If Amy Pascal loses her job heading Sony Pictures Entertainment, her credibility fatally damaged by an unending stream of private moments made public, who is liable? Pascal surely believed Sony would take appropriate precautions regarding her private business correspondence. If the theft and publication of that correspondence renders her unemployable, wouldn’t Pascal have grounds for a massive lawsuit against her former employer?
Such thoughts must be afflicting the minds of most of Sony’s major shareholders. They’ll take that affliction and share their concerns across the other businesses they own. They’ve seen a business and its executives destroyed by hackers, and will do almost anything to prevent it from happening again. Sony changed everything. ®