Sony to blame for cyber security failures

By Charles Gray | Source: Global Times | Published: 2014-12-28 23:28:02

While the hacking of Sony has become front-page news across the world, its true import may be in demonstrating the need for effective cyber security regulations to force businesses to treat their online security needs seriously. The success of this hack was as much due to Sony's lack of effective Internet security as it was due to any skill on the part of its attackers. It is becoming increasingly plain that Sony knew of the flaws in its online security for some time before the latest attack and yet failed to rectify them in order to protect both the business and its employees from the attack.

That failure is likely to lead to Sony facing multiple lawsuits from individuals and organizations that were harmed by this attack. Sony's claims that the attack was unprecedented in scale and type are clearly designed to minimize the company's liability and have received little support from cyber security experts. It is likely that Sony will ultimately be forced to compensate those individuals and groups harmed by this attack.

However, Sony is not alone in having poor cyber security practices. In fact, if the Sony hack attack has any benefit, it should be in finally demonstrating just how important effective cyber security practices are. In some respects, securing an organization's data can be more important than securing its buildings and physical records.

This is especially true when one considers how widespread the damage from a successful data breach can be. It is not just Sony that has been harmed; individuals who have had their information stolen now face years of work to protect themselves. In some cases, it may be impossible to ever recover fully, as this data will make identity theft far harder for the victim to defend against. Unlike a physical theft, the consequences of the Sony hack attack will continue to reverberate across the Internet for years.

In this case, the primary issue is the lack of any effective national regulatory framework mandating a certain level of corporate computer security. Although a business can be sued by injured parties in the aftermath of a data breach, such actions do nothing to prevent the vast damage such data breaches can inflict.

While regulating everything from the placement of emergency doors to a company's treatment of handicapped workers, the US has only very limited and vague standards for computer security, none of which would have applied to Sony. Attempts to pass further legislation have run aground against business opposition as well as fears in Congress that such regulation may prove burdensome.

The folly of such claims can be easily seen in the tremendous costs of the Sony attack. In fact, many businesses fail to address known computer security issues and, like Sony, simply hope that they will never suffer an attack. In today's world, such beliefs are unacceptable for businesses that hold detailed confidential personal and financial information about millions of individuals or that have access to vital parts of the nation's physical infrastructure.

For this reason, the government must take immediate steps to create a set of acceptable security practices and make them mandatory for businesses operating in the US.

Businesses failing to implement these standards should be sanctioned in the same way a business that fails to maintain its fire suppression system would be. In both cases, the company would be guilty of failing to maintain a minimal level of safety for its employees and patrons.

This is a matter both of securing a company against criminal actions and of protecting it from foreign state and non-state actors. Every nation must now face the fact that the Internet is no respecter of borders. Poor security practices will not only result in potential damage to the company, but can also provide a clear avenue of attack against the nation. Finally, given the inexpensive nature of most cyber attacks, future assaults are certain to become more common.

In 1911, the Triangle Shirtwaist fire in New York claimed the lives of over 100 workers due to poor safety practices and non-existent regulations. In the aftermath of that tragedy, better regulations were put into place in order to promote employees' safety.

While no physical harm has been done as a result of the Sony cyber attack, this event should be seen as a similar call for the development and enforcement of an effective cyber security regulatory framework by the federal government.

The author is a freelance writer based in Corona, California.

Posted in: Viewpoint
