Over the Christmas and New Year holidays I attended a few parties and I was asked by a few people what I thought of the “Sony Hack.” This was refreshing, not only because I am usually asked to fix their computers, but also because it signaled to me that this may be a “tipping point” in the public’s awareness of security issues. In the subsequent conversations I discovered that people were interested in three things:
- Was it a foreign power, and if so were we really under a new type of attack?
- Was someone trying to steal movies?
- How could a company like Sony have their systems compromised – and is Facebook next?
Now, I have read most of the information and reports that are surfacing about the attack, and to me it seems that this is indeed the attack that will raise the level of awareness of computer security to a point where companies and governments will begin to take action. Politicians are pretty predictable in that when the public becomes aware, they begin the discussions and take positions on what to do about both retaliation and protection. I think we have to worry about something else, however, in light of the velocity of the attacks.
Some sources have indicated that the U.S., and other powers large and small, are actively probing each other’s defenses and that the Sony attack was just that, a probe followed by an exposure to determine the impact of such an attack. The sorry fact is that the compromise of a company’s private information is an effective way to create uncertainty in the market, and that in turn creates an impact on stock prices.
There have been a number of high-profile attacks this past year, and an NBC report summarizes the significant ones. As I read this article, however, the attack that caught my attention came from the Syrian Electronic Army (SEA). Now, this “small group” (by U.S. standards) was able to compromise a Twitter account and post false messages that resulted in a brief dip in the market, which erased $200 billion in value. It does not take a complex infrastructure to mount an attack, but it does take a small group of people with determination, some expertise, and a goal.
I think that these attacks will escalate – and we, as a nation, need to invest in protection systems for preventing attacks, identifying perpetrators, and taking a standard retaliatory stance. The problem is that governments will take a long time to come to these agreements. It is up to individual private and public companies, both large and small, to invest in proper security measures to protect their investors and their customers. Companies to date have been unwilling to take on the needed investment to properly safeguard their data and to keep those safeguards not just current, but also state of the art.
I feel that if the boards of these companies do not heed the signs that even the general public is now aware of, they may be found remiss in protecting their company assets. Protection of customer data should be the first priority, and second should be the protection of the company’s private data. These tribes of hackers will seize a target of opportunity because they have the skills and the time to probe thousands of companies’ defenses.
I fear that these attacks will eventually be coordinated to the point where we will see several happening on a specific day, and the financial impact and public confidence will be dramatically affected.