In roulette, odds are talked about in terms of the house edge, or the advantage the casino holds over the player. The house edge is always in the casino’s favor, so while a player may have a stroke of luck here or there, the odds are they’ll leave the table empty-handed.
Corporate security isn’t too far off from roulette – the stakes are high and, in 2015, the odds are no longer in your favor.
Sony is the latest poster child for a company that took a gamble on security—and lost.
In 2005, the executive director of information security at Sony, Jason Spaltro, sat across the table from an auditor who completed a review of Sony’s security practices. The auditor told Spaltro that the odds of a security breach were high, citing insufficient access controls and weak passwords.
Spaltro had a decision to make – invest or take a gamble. Spaltro decided to take a risk and stated:
“It’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss.”
This thinking was shortsighted, and by taking a gamble, Sony sealed its fate as the victim of one of the most high-profile security breaches in history.
Even months before the cyber-attack, an audit performed by PricewaterhouseCoopers raised several red flags, showing that there were significant network vulnerabilities at Sony that still needed to be addressed. Sony knew there were vulnerabilities but didn’t take the appropriate steps to fix them, thus exposing Social Security numbers, employment files including salaries, medical information, passports and visas, home addresses, and a wealth of other sensitive employment and personal information. Not surprisingly, Sony has been handed two class action lawsuits by employees on grounds of negligence. One lawsuit cites the attack as an “epic nightmare…unfolding in slow motion for Sony’s current and former employees.” It goes on to read:
“At its core, the story of ‘what went wrong’ at Sony boils down to two inexcusable problems: (1) Sony failed to secure its computer systems, servers, and databases (“Network”), despite weaknesses that it has known about for years, because Sony made a ‘business decision to accept the risk’ of losses associated with being hacked.”
Negligence is inexcusable in 2015, and companies need to stop gambling and start investing in the appropriate security solutions. It’s no longer a matter of if a breach will happen, but when.
It is important to realize that the Sony incident sets a precedent for liability that should serve as a wake-up call for all companies. Even if your company doesn’t fall under a regulatory regime such as HIPAA, which requires the protection of personal information, that doesn’t mean your company won’t be held liable if employee or customer/client information is exposed and the organization is found to have been negligent.
Be smart this year, and don’t let a gamble turn into an epic nightmare.