Thursday, December 25, 2014

Not So Entertaining

There is actually a silver lining in the brouhaha over the hacking of Sony. Forget about the right to free speech. That is only pertinent in some countries. The fact that the backlash to the intended release of The Interview was so swift should make people realize that every organization is vulnerable to having their IT security systems compromised. This hacking wasn't done by some smartass kid or by someone who is bitter about not being gainfully employed or by someone who can prove that he can get into a system. This was a foreign government that authorized the hacking and, thus, already had in place people who were trained to infiltrate systems. If Korea can hack into one company, it can get into the financial exchanges and the U.S. government websites and databases. The implications are horrendous.

Recently, Richard Beales wrote about the idea of having cyberinsurance for banks. It's an interesting idea, and there are insurance companies that offer some form of it. Right now, I would imagine that it's still hard to figure out the cost of premiums. A few years ago I reported the cost of a security breach by account at a health care organization. It was about $350 per account. Assuming that number is still accurate, what would it cost in premiums for a company such as JPMorganChase, which was already hacked? What's the premium to cover some $29 billion? What would it be for the Defense Department? For Social Security?

http://dealbook.nytimes.com/2014/12/23/the-need-for-bank-cyberinsurance/?module=BlogPost-Title&version=Blog%20Main&contentCollection=Breakingviews&action=Click&pgtype=Blogs&region=Body

There is another aspect to hacking for a company such as Sony. In addition to the usual security measures that every company has to take in order to protect HR and bank information, there is the constant battle to prevent people from distributing its content on the Internet. You may think that just because you can't copy a DVD it's not an issue, but it is. You see, content is shared for editing and approval, and everyone who plays that content is vulnerable to having his or her computer or mobile device hacked. It's a managerial problem when content is leaked before a series' ending is shown on TV, and it's an insult to the unsung heroes who construct sets and design costumes. Piracy is not a victimless crime.

But back to insurance. Everyone complains about insurance companies, but they're not made up of greedy, evil people who just want to take your money and shell out nothing if there's a claim. I'm confident that as cyberinsurance becomes standard, companies will be able to reduce their premiums with the guidance of insurers. This would include upgrading firewalls and hiring people to do daily penetration testing. As for piracy of content, that's a matter, I think, of being able to trace paths and fingerprints.

Note: This image was taken from en.wikipedia.org.

Monday, October 6, 2014

The Media and The Hackers

Today's edition of The New York Times featured a topic in its Room For Debate column that's near and dear to my heart: security breaches. The title was: "Keeping Credit Cards and Bank Account Data from Hackers." http://www.nytimes.com/roomfordebate/2014/10/04/keeping-credit-cards-and-bank-account-data-from-hackers?ref=opinion

While some made good points, such as stressing the adoption of E.M.V. technology for credit cards, none of the four experts could even scratch the surface of how to do it. Even if you gave up your credit cards, as suggested by Jose Pagliery, and used one-time virtual numbers via smartphones, there are other areas for potential security breaches.

Take health care for example. Whether medical records are still on paper or electronic, hackers love them. They don't care if you have an infectious disease or a clean bill of health. They just want four pieces of vital information: your name, your address, your date of birth and your Social Security number. Bingo! They have what they need for identity theft (read: steal your money).

Another example is content. Piracy is a huge issue for the entertainment business. It's not just about preventing someone from posting a spoiler on YouTube. There are people who are trying to sell movies and shows overseas without paying for them. If you stole the hot dog vendor's food to sell to someone else, you've committed a crime. It's the same thing with content.

At the risk of sounding paranoid, there is always someone who wants something of yours for nothing. Who is watching out for hackers? Sadly, companies do not hire enough people like me who are trained to detect intrusions and vulnerabilities. In the end, we are all at risk.

Thursday, July 10, 2014

China and The Hackers, Again

At this point, it almost sounds like the name of a rock band. China and The Hackers.

The news of the March hacking of the security at the Office of Personnel Management, although not so bad because employee and contractors' personal data wasn't stolen, is still disturbing. The point is that even though hackers are usually unsuccessful when trying to breach security in the public and private sectors, sometimes they are successful. It's irrelevant whether they are out to steal the data they need for identity theft, for blackmail or for government secrets. There should be accountability at multiple levels within an organization.

Everyone who knows me knows I am cheap. Not just frugal, but outright cheap. Just ask my wife every time I see a grocery bill. But I know we need food. And, guess what, folks? Computer systems need security. They need new firewalls. They need updated software to detect malware and to protect against attacks. Above all, they need experienced, reliable people who can do penetration testing to check for vulnerabilities. The CIO needs to know not just how to hire IT security people, but how to fight for a bigger budget because, folks, the threats are nonstop. Nonstop.

About 15 years ago, my mother-in-law, now retired, used to work for a self-made multimillionaire whose son was allegedly part of a loose ring of people that was caught hacking into a large corporation. His son was a teenager who, by then, had some 10 years of computer experience. He was always bright, and even early on he would love to see what a computer could do besides load games. He knew he wanted to program his computer to turn on the lights in his room. When he was frustrated that his computer was too slow, "something happened" to it. It would fall down the stairs at school and break. One part of it would catch fire. Yeah, right, but his parents bought his lies hook, line and sinker and simply bought him a new one each time. Oh, and he had memorized his parents' credit card numbers so he would rack up unauthorized charges on their accounts. And at that time the term identity theft was not yet in popular use.

Back to China and The Hackers. The hackers of the People's Liberation Army Unit 61398 and the Shanghai-based Unit 61486 are not the only ones who are involved in cyber attacks. Hacking is not exclusive to China. Don't think for one nanosecond that there aren't hackers in other countries who are trying to break into U.S. government and corporate servers. They're after the military, education, banks, news, online gaming, dating, law enforcement and e-commerce. The world is crawling with hackers. Everyone needs to be concerned.