Posted by: David Scott
content management, data breach, data risk, data security, internet risk, organizational security, services management, Sony, sony data breach
Did you ever notice the similarity between the words “Sony” and “Sorry”? I’m just sayin’ – it’s uncanny.
“Sorry” – so says Sony’s Chief Executive Officer Howard Stringer. Sony’s recent breach, which I talked a bit about here, and here, is thought to be the biggest ever. Data from more than 100 million accounts has been compromised. One. Hundred. Million.
Sony’s PlayStation blog carried the CEO’s apology: “As a company we – and I – apologize for the inconvenience and concern caused by this attack.”
Something for companies to keep in mind in the overall swim of risk we’re in: sales, revenue, and reputation all take a heavy hit from bad outcomes such as security breaches. A big one like this makes a consumer think twice before buying something, before subscribing to a service, before entering crucial personal information online – things like credit card numbers in the service of a purchase, and all manner of other central personal data.
The Zone: The really, really, really bad thing about any data breach is that… even if it’s the first and (thus far) only one, a company is now in a particular zone. That zone is a sort of permanent breath-holding posture: Will there be a second breach, whether soon or down the road?
A second breach could well sink a company’s reputation permanently. Ensuring that there’s never a first breach is paramount. Companies must actively survey for risk, must continually improve present circumstances, and must evaluate new products, services and implementations against new avenues of risk. All of this must be done with a prudent, concurrent survey of what’s going on outside – breaching entities are ever more sophisticated and powerful.
Employees must be oriented upon hire to best security practices generally, and to practices specific to the company’s position, products, and the potential vulnerabilities (absent strong controls) that are unique to its market and its presence in it. Going forward, all employees must then undergo regular security training. That schedule is up to each individual company, within its own assessment of risk, vis-à-vis budget, time, and potentials.
As we’ve noted before: All activity must be viewed through a security prism. For anything you do: What effect does this action have on “the other end”? Does this process/transmission/implementation put data at risk of exposure? Does what we’re doing open a hole into our environment, or weaken a defense posture, for creating potential breaching conditions?
Stay safe out there.
On this day: In 1906, a “temporary” permit was issued in San Francisco to erect overhead wires on Market Street.