Why North Korea’s attack should leave every company scared stiff

Watch your back, Corporate America, or you could become the next Sony.

The attack on Sony Pictures inflicted crippling damage in a way that past hacks have not. Stolen corporate secrets, customer passwords and credit card numbers from previous cyberattacks haven’t left a lasting impact on companies, and they haven’t kept their customers away.

By succeeding in their mission to get Sony to pull “The Interview,” hackers have provided a blueprint for really hurting American companies: Break into their computers, steal data, erase files, expose private documents, then make a physical threat.

“The problem now is not the hack. It’s how Sony responded to it. It’s the cave-in,” said Peter W. Singer, a renowned author of several books on cyberwar. “They rewarded and incentivized attacks on the rest of us.”

Sony’s attack was sponsored by North Korea, U.S. government officials are preparing to announce. Unlike most attacks conducted by Russian and Chinese hackers, North Korea’s hackers were relentless. They completely embarrassed Sony and made movie theaters afraid to carry its film.

In the past, most U.S. corporations have brushed off cyberattacks levied against themselves or their peers. That means most are just as unprepared for hackers as Sony was.

After seeing what happened to Sony, companies should be shaking in their boots.

“This sort of attack could be reproduced using the same techniques,” said Orla Cox, director of security response at Symantec. “This should be a wake-up call for organizations.”

Sony’s attack was frightfully easy to pull off. This could have been the work of a tiny team of bright computer programmers — maybe as small as three people, said Kaspersky Lab security researcher Roel Schouwenberg. In fact, the whole operation could have been outsourced to hackers-for-hire, noted Art Gilliland, general manager of security for HP.

Now, companies must make a calculated decision every time they get aggressive with a competitor or make a controversial move. Hackers could be lurking to take them down.

“Media, pharmaceutical, energy companies. Everybody’s got enemies,” said Craig Carpenter, president of Resolution1 Security. “This Sony hack shows you can be brought to your knees if you’re not capable of shutting something like this down before it gets out of hand.”

But stopping cyberattacks takes a big investment — one that companies so far have been unwilling to make.

The barrage of cyberattacks is nonstop. Computer alarms go off maybe 5,000 times a day at a large company like Sony, Carpenter said. Every time an employee visits a sketchy website or a new app enters the network, an alarm goes off. In many cases, those must be manually checked by a member of the company’s security team.

The workload outpaces the number of workers assigned to keep companies safe. That’s how hackers slip in unnoticed and start their work. On average, it takes a company 243 days to discover a breach, according to the M-Trends 2013 report by Mandiant, a computer security consultant.

Once upon a time, companies only had to worry about cybercriminals trying to steal credit cards or foreign government spies seeking company secrets to assist competitors.

Now, the list of worries could include the Islamic State — or any other small, determined group who thinks they’ve been offended.

“Who should companies fear? Anyone that wants to do harm to a corporation,” said Lee Weiner, an executive at Rapid7. “It’s very hard to define who that could be. Are they hacktivists? Cybercriminals? Chaotic actors? It’s hard to quantify that today.”
