The hacking of Sony Pictures Entertainment was undoubtedly the data security story of 2014. It eclipsed the year’s earlier breaches, which were more traditionally focused on payment card data from retailers. However, whilst the media and commentators still focus on the perpetrators, appropriate responses and implications for international diplomacy, the Sony hack must also serve as a wake-up call for database administrators and developers everywhere.
The hackers of Sony obtained a wealth of hugely sensitive company and employee data, including records of controversial email exchanges between top executives. The implications for Hollywood celebrities may be a few bruised egos and a glut of material for the gossip columns, but for Sony this could significantly harm their position in future contract negotiations and deals. The immediate costs of the breach alone are estimated to be in excess of $100 million. The lesson is that information does not have to include credit card numbers to be valuable to hackers. Databases and servers can contain huge amounts of information that may not be financially valuable in itself, but could be hugely valuable to others.
Many executives are still struggling to comprehend the massive risks associated with cyber security because they simply don’t realise what’s at stake. They consistently underestimate the value of the information stored on their databases and the consequences of a breach. Whilst payment card data is still targeted, it’s been estimated that almost 50% of data subject to attacks is now unrelated to payment cards. Instead, cyber criminals are targeting all kinds of data that could be sellable on the black market, or which could simply be used to embarrass or damage a company’s reputation.
This development, in effect, broadens the definition of sensitive, high-security data to an almost limitless degree. It also point towards a future in which information must be properly treated as an asset, alongside a company’s stock, property and finances. Leading data security experts agree that what’s needed now is a renewed focus on database and server security, and that this applies to all businesses regardless of their size or industry. This isn’t just a lesson for the IT department: executives and managers need to recognise the fundamental importance of data security to future of their businesses.