Beyond the Sony hack: How companies can clamp down on cyberattacks
Data breaches are on the rise, but cybersecurity experts say employees and companies can still make broad changes to cut back on hacks.
A surge in cyberattacks this year has surely rattled both businesses and the consumers they depend on. But don't let fear rule the day: there are ways for executives and employees to lessen the chances of their companies becoming the next Sony, Home Depot or eBay.
Some changes are obvious, but need repeating -- such as telling users to change their passwords after a hack. Other efforts are much harder to do and often require years of concerted work to shift the mindsets of leaders and workers.
"Cyber risk is exponentially increasing, and the solution -- there's no silver bullet -- it's a culture change," said Bob Cattanach, a partner specializing in cybersecurity at international law firm Dorsey & Whitney.
Sony is the latest victim in a string of huge data breaches over the past year, with the tech giant joining the ranks of Target, JPMorgan Chase and others, in which millions of customers' passwords and personal information were stolen in a variety of hacks. The Sony breach -- which crippled the company's computer systems -- proved especially embarrassing, as thousands of leaked emails, financial documents and employee paperwork revealed the unvarnished inner workings of the company.
North Korea has been seen as a primary suspect in the Sony attack, since its Sony Pictures unit was planning to release the movie "The Interview," a comedy about two journalists' plans to assassinate the leader of North Korea. Sony on Wednesday said it canceled its release of the film, following threats made over the past few weeks, including promises to attack theaters screening the movie.
A Sony representative didn't respond to a request for comment for this story.
Cybersecurity experts say controlling corporate data will become even harder in the future as companies collect more information that's valuable to hackers and as the number of devices proliferates.
"We're clearly using more technology, and because we're using more technology, there's a bigger attack surface for them to target," said Brian Kenyon, chief technical strategist for computer-security software firm McAfee, which is owned by Intel.
There's been a huge spike in malicious software (or malware) and code over the past year, with about 100 million pieces of malware identified by McAfee over the past 12 months -- compared with about 200 million pieces identified in the previous two decades, according to Kenyon. He said the annual number may rise even higher in the next few years as everyday objects such as lamps, refrigerators and doors are connected to the Web, substantially increasing the number of targets to hack.
For employees, cybersecurity experts offer a handful of simple tips to protect both individuals and their companies. Change your passwords every few months and don't use the same passwords for both personal and work needs. Don't save anything you don't need. Avoid juggling several flash drives filled with important information, lest one get misplaced or stolen. Most importantly, don't disseminate anything you'd be embarrassed to see published publicly.
"If you don't want something spread all over the world, you just don't write it," said Betsy Page Sigman, a Georgetown University professor who teaches undergraduate classes in management-information systems and databases.
There is also the option of using password manager software, including LastPass or Password Safe. Kenyon said he uses at least 60 different passwords, but can copy and paste from a password manager.
Other preventions need to happen at the corporate level. Several cyber experts said companies need to do a better job segmenting their data so employees can only access the information they need, especially when dealing with a company's "crown jewel" pieces of data. "Even someone at the top of an organization doesn't need access to everything," said Tony Anscombe, senior security evangelist for anti-virus software company AVG.
It's also critical for companies to clamp down on sharing spreadsheets -- especially those that aren't encrypted -- instead using secured databases to access important information, Georgetown's Sigman said. In Sony's case, hackers leaked a human-resources spreadsheet filled with sensitive medical and employee information. "When you have spreadsheets, that gets out too fast and too easily," Sigman said.
Regularly monitoring data movement throughout a firm is also an important way of tracking unusual changes, such as a lot of information being accessed remotely or being pulled from company systems. "Rather than trying to look for a needle in a haystack ... you really should be looking at the haystack," said Maureen Kaplan, managing director of Verizon's information-technology security arm.
A regular email deletion policy can also help. For instance, Dorsey & Whitney's Cattanach said his firm erases every single email after 90 days.
Over the past year, cyber security has become a top priority for most company executives and boards, cyber experts said, as several big attacks have affected millions of consumers and become front-page news in the process. While these attacks have been difficult to deal with, they could result in more companies taking the needed actions to cut back on future attacks, even if the tighter controls slow down or interrupt a company's way of doing business.
"Gradually, you're going to see ... an appreciation for a culture change," Cattanach said, "but it's not going to be like flipping on a light switch."