Sony Hack: Business Continuity Lessons
Disaster Recovery Plans Must Address Cyber-Attack RisksNew comments from the CEO of Sony Pictures Entertainment about the film studio's response in the immediate aftermath of a massive cyber-attack highlight the need for all organizations to ensure their business continuity plans specifically address cyber-attack risks.
See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility
In a new interview with the Wall Street Journal, Sony Pictures CEO Michael Lynton says that following the attack, senior executives developed a communications network using a phone tree where updates on the hack were relayed from one person to another.
Because computers were down, Sony was forced to use cell phones, Gmail accounts and notepads to keep operations going, the CEO told the Journal. The payroll department used an old machine to cut paychecks manually, and old BlackBerry phones were repurposed for use within the organization in the aftermath of the attack, according to the report.
"It took me 24 or 36 hours to fully understand this was not something we were going to be able to recover from in the next week or two," Lynton says in the interview.
Lessons Learned
"The level of destruction wrought by this malicious attack against Sony was unanticipated, and I doubt many companies could respond better than Sony did," says Shirley Inscoe, an analyst at the consultancy Aite Group.
Most companies focus on likely disaster scenarios in crafting their business continuity plans, Inscoe says. "For example, a data center may be brought down by a natural disaster, so they have backup plans to move the functionality to another site until the problem is cleared," she says.
But in the wake of the Sony incident, planning for all computers to be rendered inoperable by a massive cyber-attack must be part of any organization's business continuity effort, Inscoe says. "I suspect many professionals responsible for disaster recovery are watching and studying what happened to Sony very carefully so they can add specific scenarios to cope with such a situation to their recovery plans," she says.
It's clear Sony didn't have a proper plan in place to ensure the necessary technology was available to employees following the attack, says Alan Berman, president and CEO of the Disaster Recovery Institute. "Did they have the backups they needed?" he asks. "How do you run with limited technology?"
While Berman says it's still too early to make a judgment based on the Sony Pictures case, he says it's obvious the studio wasn't planning for an outage of this kind. "What we're learning from Sony is what we've supposedly learned from Target and [others]," Berman says. "We really do need better security. We need better sharing of knowledge, which doesn't take place."
Joseph Loomis, founder and CEO of CyberSponse, an incident response automation company, says organizations working to ensure they can prepare for a cyber-attack similar to Sony's should back up critical systems on a scheduled basis, separate from their main network, and run simulations as to how the company would respond in the wake of an attack.
A group that calls itself Guardians of Peace, or G.O.P., has claimed credit for hacking Sony, stealing and leaking corporate data, as well as unleashing the Nov. 24 "wiper" malware attack that erased and "bricked" an unknown number of Sony systems. Since then, the FBI has attributed the attack to North Korea, saying the government was responsible for the theft and destruction of data on the network. But others say the hack may have been the work of a small group that included at least one former studio employee (see: Sony Hack: More Theories Emerge).
Sony Hackers Threaten Media
In related news, an FBI bulletin obtained by The Intercept - a news publication launched by journalist Glenn Greenwald, who also published the leaks of Edward Snowden - claims that the hackers responsible for the Sony attack also threatened to hack an American news media organization.
The bulletin, which discusses information on the cyber-intrusion at Sony and related threats concerning the release of the movie "The Interview," says the same threats were also extended to a news media organization "and may extend to other such organizations in the near future."
According to the FBI bulletin, on Dec. 20, the Guardians of Peace posted Pastebin messages that specifically taunted the FBI and the unnamed news media organization for the "quality" of their investigations, while implying an additional threat, the Intercept reports.
The bulletin says the FBI and Department of Homeland Security are not aware of any credible information indicating a physical threat, according to the news report.