Close panel

Close panel

Close panel

Close panel

Technology 13 Mar 2015

Cybersecurity in businesses after the Sony case

There was a before and after in the fight against AIDS since the Magic Johnson case. Aviation safety changed following the 9/11 attacks. So the question is whether something similar will happen with cybersecurity in businesses after the attack on Sony, and the answer is that this will probably be the case.

Cybersecurity takes center stage, although not as some would have liked

Until now some might have thought that such threats were either low-level, focusing on individuals and small businesses that do not observe elementary security measures, or are akin to skirmishes between States that do not manage to go beyond the frontiers, almost belonging to the stuff of legend. However, the Sony case will radically change the social perception of this concept for many reasons.

Sony is not exactly a small or technically-obsolete business. We're talking about a true giant that has been attacked despite having the necessary budgets to theoretically safeguard its security beyond reasonable doubt. In other words, if they are able to attack Sony, it must be asked: What will they do with a medium-sized company? How is it possible that they managed to do it?

As the matter still remains unsolved, we have to point to the weakest link theory, which so often in these case are humans. The most extreme security measures are of little use if people in the organization are negligent or collaborate.

Establishing and monitoring security protocols among all staff, but especially in something that is rarely done in practice, proper segmentation of the information everyone accesses, so it is confined exclusively to that which is necessary to carry out their work, as well managing possible BYOD practices in companies, i.e. employees bring their own mobile devices to access corporate systems. It seems easy to say, but in practice it should be perfectly measured in such a way that does not limit the operability of these employees, which is not so simple.

Another challenge for companies in the battle against hacking is everything related to cloud migration, which is increasingly intense, with providers of hosting, web services, apps, etc. To what extent is it controlled that this aspect is adequately covered?

The Sony case helps to reflect on the importance of security

Now the Sony case, beyond how new fields of play were considered, such as converting the attack on a company into a State matter, which is a big deal. Up until now, for image and security reasons, they attempted to keep a low or zero profile in these cases, trying to ensure they did not cross them. The fact that it is suspected that behind the attack this other State has allowed it to occur, this is a matter of national security for the world's largest power and, therefore, the companies are obliged to communicate and cooperate with the authorities in prosecuting these crimes.

Beyond correctly criminalizing cybercrime, establishing those lines of communication with the police, and providing them with human and technical resources, this assumption by public authorities in prosecuting crimes regardless of whether those affected want to do so, sometimes collides with other legally-protected interests, such as the right to privacy and confidentiality of the communications of those in contact with the companies. In fact, events such as those that occurred recently in Paris have resulted in the likes of Cameron speaking outagainst the right of individuals to encrypt their communications, i.e. to apply cryptography.