Bangkok--25 May--Frost & Sullivan
By Tetsuya Niihara, Industry Analyst, Frost & Sullivan
What Happened?
The first incident occurred on the 26th April 2011, when SONY announced that personal information had been compromised on their Internet service delivery networks, the 'PlayStation Network (PSN)'as well as image and music distribution service 'Qriocity'. A total number of 77 million users had their personal information such as user name, ID and online password stolen.
A week later, on 2nd May 2011, a second security breach happened with a different SONY network. This time round, the target was the 'SONY Online Entertainment (SOE)'network and the compromised figure of data loss hit 24.6 million users, of which 12.3 million had their credit card information stolen.
Shortly after, a third incident involving the loss of 2,500 users' names and addresses took place, with the source of the leakage coming from the electronics arm of SONY.
Three security breaches in three weeks, all of which amounted to an unprecedented figure of more than 100 million users having had their personal information stolen. This was undoubtedly a word record of sorts in the history of data loss incidents. More importantly, the nature of the incidents, all of which involved the loss of confidential user information, showed that the stakes associated with security breaches had become ever higher.
Why Did It Happen?
Being one of the largest electronic appliance company, as well as most popular online gaming provider in the world, many believed that SONY would have implemented the highest levels of security policy and compliance in order to secure the massive database of sensitive data under their case.
However, the latest slew of security incidents had led to people beginning to have doubt in the information management systems deployed by SONY and resulted in criticism coming from both detractors and supporters alike. In particular, the acknowledgment by the company that the third security breach was due to human error on the part of SONY's system management team cast even greater doubt on the efficacy of SONY's existing processes and procedures in dealing with issues on the IT security front.
Key Issues
Coping with Business Growth and Expansion In the capitalistic global society of today, global enterprises are increasingly turning to M&A (mergers and acquisitions) to deliver rapid growth for their businesses. Likewise, the globalization era has also seen enterprises looking to establish subsidiary companies in as many locations as possible. With businesses expanding at a breakneck speed, many enterprises are often guilty of allowing IT security compliance and information management to lag behind, thus leading to inconsistent standards of security policy being implemented across various offices.
Implementing the Appropriate Security Measures With multiple security breaches having taken place over the relatively short timeline of three weeks, SONY will have to ask some hard questions pertaining to their IT security setup. The need to do so has become even more pronounced in light of the reputational and confidence losses suffered by SONY in the aftermath of the incidents. There is a growing belief that SONY has to implement a more stringent review of their security posture, be it assessing vulnerabilities, conducting trials involving penetration testing or reviewing its overall security architecture. In a way, SONY has to be more proactive and start treating IT security as an 'ongoing process', rather than adopt a reactive stance and simply conduct periodic and routine checks on their systems.
Deploying the Right Security Products
The IT security arena of today has thrown up a wide and diverse array of security technologies aimed at mitigating the risks and threats arising from an increasing reliance on IT in the business world. Whilst security technologies are evolving rapidly to cope with the growing sophistication of internal and external threats, much more needs to be done to ensure these technologies are being utilized and implemented properly.
In particular, SONY will do well to look at harnessing and synergizing the potential offered by current and future security technologies, so as to ensure their security posture is constantly ahead of the threat landscape. Likewise, the SONY episode also showed that the human factor remained a potential security loophole, thus reiterating the need for internal processes to be further improved and refined.
The Impact of Security Cutbacks
The current economic situation in Japan had caused many enterprises in the country to look at ways to reduce CAPEX and OPEX costs. With cost considerations emerging as top-of-mind among executive when it comes to driving their business operations forward, there is a growing trend for enterprises to cut back on their IT security spending. This is particularly so due to the perceived belief that security investments do not provide tangible ROI (Return of Investment) for the enterprise.
The past year saw Japanese enterprises scaling back on their security purchases, with many of them opting for more cost effective solutions offering lower performance levels and lesser capabilities. Similarly, technology replacement projects also witnessed more enterprises downgrading on their existing platforms. As such, the question of whether SONY is facing the consequences of a security spending cutback is a valid one, and one which SONY itself will do well to ponder about.
The Nature of the Breaches
Even though investigations are still ongoing, early signs point to application-layer attacks being the primary source of attacks which resulted in the first two incidents. The fact that these attacks originated through SONY's gaming networks probably threw the vendor off guard, since they might have perceived their corporate network as being a more logical target. Nonetheless, the ability of the security breaches to gather such a massive amount of data does throw into question the approach that SONY had undertaken in structuring their security defenses, and the way in which they had organized and managed their data.
Conclusion
With investigations still ongoing, it is fair to say that the lack of clarifications pertaining to details surrounding the security breaches has made it virtually impossible to pinpoint the exact failure points which led to the episodes. However, what has happened, and the entire debacle has undoubtedly led to an erosion of public reputation and customer confidence for the embattled company, SONY. More importantly perhaps, it has once again cast the spotlight on the importance of enterprises to continue protecting the integrity of their IT systems, particularly as cyber attacks take on an increasingly sinister and information-centric nature. In many ways, the onus has fallen back on SONY and all other enterprises to ensure that they are constantly ahead of game, as the threat environment shows no signs of letting up in its attempt to compromise security installments.