Reacting to the ongoing news around the Sony hack and the fact that the company is facing two lawsuits from staff who claim Sony did not take adequate security measures to protect their data, Philip Lieberman, CEO and President of Lieberman Software Corporation, writes:
“This attack represents a worst case scenario where every machine and asset owned by Sony that was connected to their network was compromised and made available to a hostile outside group. Effectively Sony lost the ownership of their company to an outside group due to poor security, and this outside organization decided to terrorize their employees and damage their assets as well as humiliate them in private and in public as a demonstration of their power.
The situation of public humiliation is unprecedented, but the total loss of control of an organization is common in both the USA and around the world. The common cause of the problem is a lack of understanding by CEOs as to their role in cyber defense and their delegation to others in the organization of this responsibility, but without the power to operate effectively.
This scenario will play out again and in even worse forms.
The lawsuits against Sony for lack of reasonable care for the security of its employee personal information have significant legs to them. Sony was capable of protecting the sensitive data in question (or at least minimizing the amount of data lost), but purposely chose not to do so for cultural and financial reasons. It will be very difficult for them to defend themselves against these lawsuits since their competitors were well able to sustain themselves against the same attacks (coincidentally using our technology).
Kevin Mandia’s quote (for Sony, it looks like a ‘get out of jail free card’) that the attack and its consequences were unprecedented and could not be defended against rings hollow, was self-serving and factually incorrect – they were foreseen (they are part of a well-worn pattern), are regularly rebuffed, and the consequences could have been minor. If anything, the expensive mitigation by Mandiant would not have been needed had Sony used appropriate technology to secure administrative credentials. Should Sony not deploy a robust privileged identity management system, they will be a repeat customer of Mandiant or another remediation company.
These lawsuits are the beginning of a groundswell of litigation that will pit corporate CEOs against the public where they will have to defend their behaviour of reduction of IT costs vs. taking reasonable care in the handling of their security. This is also a failure of the US Government to provide clear guidance to private enterprise as to what is “reasonable care” in IT security.
Up until now, many CEOs felt comfortable with a friendly IT audit report in their pocket combined with third party cyber-warfare insurance, while keeping up the constant drumbeat of ever greater reductions in IT operation costs. If there is no clear guidance on ‘what is enough’, apparently ‘nothing much’ has been the IT security strategy of many companies.
Sony’s board of directors will uncover the incompetence of the IT audit firm used by the company that completely failed to surface these issues prior to the attack. No doubt that Sony will add their audit firm to the lawsuits and most likely their auditing firm will end up paying the price of these lawsuits and others yet to come based on gross negligence on their part.”