What the Sony breach means for security in 2015
As the year of information security ends in 2014, what does the Sony breach tell us about what will happen in 2015 Here are a few things I think can be said with certainty:
This was yet another wake-up call -- but many will still sleep through it. Home Depot, Target, JPMorgan Chase were but a few of the most major breaches of 2014. Many firms are simply shell-shocked and hope that nothing will happen to them. Information security has had myriad events that promise to bring sea change, quantum change and countless other transformations that many information security professionals are still waiting for. The reality is that too many firms will try to spend the least on security and hope for the best.
More breaches will occur - be it state-actors, hacktivists, disgruntled employees and the like. There's no reason to think things will get better in the short-term. The information security infrastructure is porous and decades of poor design can't be fixed by patching alone. This means more mega-breaches are an inevitability.
Fixing security and doing it right takes time, money and staff - And if there is anything management dislikes, it's putting time, money and staff into something perceived as a cash cow. Management often needs things done last quarter to make the financial analysts happy this quarter. Fixing a faulty information security program will take many quarters. Let me reiterate this, there's no overnight fix here. The only way to possibly accelerate this would be to hire external resources to apply a surge strategy. But that may be unpalatable or unsupportable to many organizations. The alternative is simply getting IT responsibilities out of house, such as to cloud providers. But that also is not a quick fix.
Buying security hardware and software ` having a secure infrastructure - Fixing security and doing it right does not equate with buying lots of hardware and software. Many security hardware and software vendors will see increased sales in 2015, some of it significant. But these may be reactionary purchases, similar to when a new Pixar movie comes out. After a few months, the Toy Story memorabilia gathered dust in dollar stores. So too many of these security purchases may end up as shelfware.
Firms don't have a handle on the amount of data they have - Steve Ragan reported that to date more than 230GB of data was leaked by the attackers. Based on that, the attackers likely have over a terabyte of data. The truth be told, it's not just the amount of data, but what kind of data has been breached. In the Sony breach, it was quantitatively and qualitatively massive -- a perfect storm. Overall, the amount of data stored and the amount of people that have access to that data in a large enterprise is simply too large a beast to effectively control.
What does this mean for 2015
If the Farmer's Almanac did data breach predictions; then it would certainly forecast 2015 as a devastating year. With that, there is a lot firms can do to weather the storm. Consider the following:
About the author: Ben Rothke CISSP (@benrothke) works in the information security field, writes the Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).