StrategicRISK’s editor-in-chief Sue Copeman considers what it means when a global giant falls foul of increasingly adept hackers, despite there being seemingly rigorous protection in place

Following hackers obtaining some 70 million gamers’ personal details from its PlayStation Network recently, Sony’s chief executive apologised for the security breach and said that there was ‘no confirmed evidence’ that credit card details or other personal information had been misused. A later report suggested that hackers may have stolen the personal information of 24.6 million Sony Online Entertainment users, with more than 20,000 credit card and bank account numbers put at risk.

The company has been criticised not only for its lack of security but also for failure to alert customers immediately. Apparently it now plans to cover each video games user with a $1m identity theft insurance policy. I wonder which insurance company is prepared to cover this risk? Could it be Sony Corporation’s own Bermuda-based captive PMG Assurance? The risk would hardly seem attractive to conventional commercial insurers.

Where there’s a will, there’s a way

Sony is blaming members of the ‘hacktivist’ group Anonymous for the episode, calling it retaliation for action that Sony took against a hacker in a US court in January this year. But that really isn’t good enough. Who did it and why they did it is immaterial. The crucial point is that they were able to do it in the first place.

A number of technology security companies have responded to the news of the Sony debacle with comments suggesting that current corporate security defence strategies are no longer enough. They are clearly right. But do any of them actually have the definitive security answer?

Sony is ranked among the world’s top 100 global companies. If a company that big can’t protect its online customers with the aid of the big bucks that they can pay consultants, what hope is there for smaller businesses?

Unfortunately for them, the Sony story followed news that Epsilon Interactive, an email service provider with hundreds of clients such as Best Buy and JPMorgan Chase, suffered a data breach, potentially compromising millions of names and email addresses.

I spoke to a self-confessed hacker, who said he does it “for fun”. He doesn’t steal, he doesn’t stage ‘denial of access’ attacks on websites, but he knows how to do it and he’s in touch with other people who do. He estimates that 90% of websites are easily hacked into. The exceptions are those belonging to governments and financial institutions, he says.

Ensuring cyber security

So what are the risk management lessons here? As someone who is certainly no expert in technology, I would suggest some common-sense rules.

First, talk to your IT people about passwords and security. For example, don’t let them accept the standard mother’s maiden name as a security check. Anyone who has access to a customer’s name and date of birth will be able to get that information with not too much digging at a genealogy site.

Secondly, look at the kind of security measures that banks are employing. Card readers that issue a different access number every time a company card is inserted seem to be pretty failsafe.

Your company may have to undertake some customer education. I talked with the risk manager of one large European store chain who said that customers were generally not concerned about data security when they entered credit card numbers online. If they wanted to buy something, they were happy to assume that the website was safe.

This attitude is very likely to change in the next few years as more and more people learn a hard lesson. But in the meantime if something goes wrong, it’s your company that will get the blame and your business’s reputation that is on the line.

There’s a need to balance ease of transaction for customers with providing them with a secure transaction platform. Don’t let your company be tight-fisted when it comes to proposals relating to protecting your customer base. Customers are the lifeblood of a business.

Don’t ignore the threat from within. Discussions that I’ve had with risk managers suggest there is very little monitoring when it comes to joiners and leavers of the company. Could someone within your business be leaving with the details of your client base on a memory stick tucked in their back pocket? If that’s possible, you need to do something about it, fast.

Finally, if something does go wrong, let your customers know as soon as possible. This gives them the chance to cancel credit cards and be alert to any possible identity theft.

We can assume that Sony had all the firewalls and safety nets they believed they needed to protect their sites. That didn’t work. Hackers are proving far more intelligent and resourceful than the consultants that many businesses employ to safeguard against them, so precautions are vital.