Saturday, December 20, 2014
The ongoing Sony hack controversy shined a light on many things, including what Sony executives think of Hollywood stars, the studio's movie schedule and, to a certain extent, how the movie industry works, but what stuck out like a sore thumb is just how badly Sony Pictures sucked at securing its own data.
Bereft of solid access controls or any classification of the data it held, Sony was hit hard by the hack, but if even the most minor, common-sense data security measures had been implemented, the company wouldn't still be reeling from the email leaks that have been producing headlines for the last two weeks.
However, what’s interesting and terrifying is that Sony’s lax security practices are widespread. Sony suffered because sensitive data such as social security numbers could be found in a number of files that were available to too many employees, but other companies are just as susceptible to similar breaches: a survey carried out by the Ponemon Institute revealed that an incredible 71% of employees felt that they had access “to data they should not see” and 54% said that “this access is frequent or very frequent”.
That Sony-like breaches haven’t happened more often is sheer luck, however, as companies continually drop the ball when it comes to data security. Hackers have had a good 2014 breaching companies’ data security, with, according to the Identity Theft Resource Center, “more than 81 million records compromised”. Companies love giving the hackers the credit for becoming smarter and better, but the truth is that companies, especially the larger ones, are so bad at data security that it’s justified to ask whether they’re being this negligent with their security on purpose.
In Sony Pictures’ case, the answer is a resounding yes. Sony’s ridiculously poor data access controls go back as far as 2005, when an auditor told Jason Spaltro, Sony Pictures’ then executive director of information security (now serving as the company’s senior vice president of information security), that “Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement”. The auditor also revealed to Spaltro that “the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols”.
Upon hearing the auditor’s recommendation to make the company’s passwords stronger, Spaltro pointed out that complicated passwords that are hard to remember would lead to employees “writing them down on sticky notes and post them on the monitors. And how secure would that be?”
While you may think that Spaltro had a point that people would write passwords down and put them in a place they’ll remember, keep in mind that Spaltro at the time was the executive director of information security and it was his job to take every step to make sure breaches don’t happen. Also keep in mind that, as an IT executive at the company, he also had to make sure that every dollar spent was cost effective, which, in most cases, means that a lot of companies will nickel and dime when it comes to data security despite the risks.
IT executives also have to comply with a bevy of domestic and international laws and regulations, and complying with all of them is very expensive and time consuming. Because of this, IT executives like Spaltro have to keep conscious of the bottom line and even decide whether some laws or regulations are worth following, as CIO’s Alan Holmes explains:
“How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer”
Now, taking all this into consideration, look back at Spaltro’s discussion with the auditor and you’ll see that he was trying to avoid the arduous task of keeping in lockstep with Sarbanes-Oxley in the noble pursuit of minimizing the hit to the company’s bottom line. In short, what happens is that IT executives, charged with keeping data secure, have to fudge on data security because, “when business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible—or to ignore the governing laws and regulations completely”.
What this means in practice is that companies look for the cheapest or least strenuous security practices and weigh that against the risk of being caught out. This dangerous game that companies are playing with their own data security is reprehensible, but to a certain degree inevitable.
The job of the IT executive has always been difficult, but in the last few years the job of the modern IT executive has become spectacularly more complicated with the advent of the cloud, big data and the internet of things. The myriad security issues that surround all three have made the CIO’s job so demanding that new roles such as the chief security officer have been created to chip in and deal with the nightmare that modern data security has become.
Even back in 2006 the demands put on IT executives were excessive, as they were so busy “running projects, innovating, keeping the lights on and putting out those ever-smoldering IT fires—that they simply don’t have the time to decipher the laws that affect them, much less the time to invest in reconfiguring systems and processes to meet regulatory requirements”.
To give a flavor of how difficult it is to keep up with all the laws and regulations related to data security, consider how difficult it was for IT departments to keep up with just one: back in 2006, “IT organizations…(spent) between 5,000 and 20,000 man hours a year trying to stay compliant with Sarbanes-Oxley’s requirements”.
Consider that Spaltro had to meet with people from Sony’s legal and human resources departments as well as outside security auditors just to find out “what Sox compliance means”. Considering that Sony Pictures is an entertainment company and not a bank, it makes sense that they would have come to the conclusion that Sarbanes-Oxley meant an awful lot less to them than it would to a bank, but, as the last few weeks have proved, hackers couldn’t care less what data security laws and regulations mean to either.
So far we’ve focused on Sony’s poor data security practices, but if only Sony were the only company risking data breaches. This is indeed a worldwide problem, as it seems that no matter what the field, all companies converge on poor data security: 665 million customers (that means you and me) were affected by data breaches in 2013.
With numbers like these, Prakash Panjwani, president and CEO of SafeNet, may cite a survey that says that 65% of adults in the US, UK, Germany, Japan and Australia “would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach”, but Panjwani knows full well that if this were true, these people would have to make an extraordinary commitment to living off the land (which is not as idyllic as it sounds) and to making an awful lot of in-person cash transactions (which, in the “cashless society” we’re being frogmarched into, is nearly impossible), as data breaches, or data breach attempts, are a daily occurrence for way too many companies.
If companies’ incompetence in dealing with data security is bad, their solutions, especially in reaction to data breaches, aren’t much better. Target, in reaction to a large data breach that included the loss of 40 million credit card details and the personal information of 70 million of its customers, hired its first CISO (Chief Information Security Officer), which was seen by experts as a step forward, but concerns quickly cropped up when Target made the CISO position subordinate to the CIO. What this means is that the CISO won’t be an equal to the CIO and won’t be able to report to the CEO directly. The CISO would have to make his arguments for expenditure on security through the CIO, who has his own agenda and is often under pressure to deliver on IT projects, which could make the CISO’s security recommendations an afterthought.
This scenario could easily lead to conflict within the organization, as the CISO can find his interests, at Target at least, marginalized by his boss, the CIO. Appointments to deal with security issues in the company may seem like a good idea, but it’s clearly going to take more than that. Target has just suffered a major data breach and is still facing the backlash from it, and it will take a serious reappraisal of its data security practices, which can’t be done when the chief security executive at the company is subordinate to a CIO who may see security as a key interest but, as the examples above have shown, doesn’t have it as his only concern.
However ill-advised it is to have the CISO subordinate to the CIO, at least the appointment of a CISO is better than what Target had before, when the responsibility for security was spread across the organization rather than under one roof. This is why, when the company’s point of sale systems were compromised, causing the breach, it’s highly likely that Beth Jacobs, Target’s former CIO, didn’t know about it until it was too late, and she paid the price with her job.
This incompetence companies show in securing their own data, never mind ours, will only get worse as more and more things are run on networked systems, systems that can be hacked and made vulnerable. As explored earlier, an obscene amount of pressure is placed on CIOs and CISOs not only to secure these systems but to ensure they meet business needs and are cost effective, which is no mean feat.
In sum, the answer as to why so many companies suck at data security is not as simple as it sounds in one sense, but in another it is quite elementary. With most modern companies becoming data-driven organizations and many processes outsourced to networked systems, a lot of pressure has been put on IT executives, and so far it has proved too much for them. Add to that the need to negotiate a myriad of data protection laws and regulations across a number of states, and IT departments have had to play fast and loose with data security and have paid the price in treasure and much more; if past behavior is any reliable indicator of future behavior, expect more stories like Sony’s and Target’s to become the norm.
 G. Press, 2014, Sony Is Not The Only Company With Subpar Data Security, New Survey Finds, http://www.forbes.com/sites/gilpress/2014/12/09/sony-is-not-the-only-company-with-subpar-data-security-new-survey-finds/
 A. Holmes, 2007, Your Guide to Good Enough Compliance, http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
 P. Panjwani, 2014, In Data Security We (Lost) Trust, http://thehill.com/blogs/congress-blog/technology/226981-in-data-eecurity-we-lost-trust
 M. Shacklett, 2014, A former CIO’s take on Target CIO resigning after massive data breach, http://www.techrepublic.com/article/a-former-cios-take-on-target-cio-resigning-after-massive-data-breach/
Friday, December 19, 2014
For a corporation involved in the art of visual storytelling, I’m pretty sure nobody at Sony Pictures Entertainment would have dreamed up the nightmare the company has been having for the last couple of weeks, one that somehow continues to get worse with every leak. Sony isn’t the only company that’s been hacked like this, but there haven’t been so many revelations before, to the point that they say something not only about the company and the individuals involved but about a whole industry.
The nightmare began on the 24th of November, after the company’s computer networks were hacked by a group calling itself “Guardians of Peace”, which subsequently threatened to expose the company using the data it took, claiming “We have obtained all your internal data including secrets and top secrets”.
And since then the company has been reeling from one embarrassing email leak to another as Sony Pictures executives got caught talking smack about movie stars and making racially loaded jokes about the president’s taste in films. The person at the center of the leaks was Sony Pictures co-chair Amy Pascal whose communications with stars and conversations with fellow movie executives have generated headlines since the hack last month.
The hacked emails have given us an unwarranted insight into the industry and, to some extent, how it works, but they have also given us an insight into some A-listers and how much they differ from their public personas. On the 14th, the Independent reported that the hacked emails revealed that George Clooney, a man who is the picture of male self-assurance, lost sleep over less than complimentary reviews of “Monuments Men”. Clooney, in a private email back in January to Sony Pictures co-chair Amy Pascal, revealed his need for “protection from all reviews”.
Some of the leaks have been relatively benign, such as those revealing the studio’s movie-making plans, including its intention to resurrect the successful Ghostbusters franchise with actors Channing Tatum and Chris Pratt. The emails revealed Tatum’s keenness for the project, as he saw that the once successful franchise could be as big as the Christopher Nolan-directed “Dark Knight Trilogy” was for Batman.
However, while the hacks have been an embarrassing episode for the company as a whole, it seems the crisis is only getting worse, as Sony made the decision to cancel the release of “The Interview”, starring Seth Rogen and James Franco, whose plot includes the assassination of North Korean leader Kim Jong-un, after a threat was issued against the release of the film by the hackers. Their decision to cancel the film’s Christmas release was met with widespread disapproval among the public, the media and Hollywood, to the point that even the president stepped into the debate to register his disagreement with their decision.
Almost everybody saw their decision as a cowardly move in the face of a threat that many think can’t or won’t be carried out even if the film were released, given the suspicion that the hacks were carried out by North Korea. Many stars, George Clooney, Judd Apatow, Rob Lowe and Mia Farrow among them, publicly registered their distaste for Sony’s position. Sony Pictures was clearly trying to avoid making the situation worse, but with the embarrassing emails and the widespread vocal disagreement with their decision, it’s hard to see how they are going to get any business done anytime soon, as both controversies have alienated a number of the Hollywood stars they work with.
However, what’s galling about the whole debacle is not what it revealed about Hollywood or even the company’s strategy or dealings, which is bad enough, but that the hack and the subsequent leaks could have been prevented with better security practices.
This is why the company is facing even more backlash, in the form of former employees who plan to sue Sony for failing to safeguard their personal data. Among the embarrassing email exchanges, salary details and planned movie releases was the release of the personal information of the company’s employees, including their “Social Security numbers and birth dates of employees as well as information about medical conditions”.
All companies are different, but where they all converge is how bad they are at securing their own data, and Sony was especially bad, given that the social security numbers of Sony Pictures Entertainment’s co-chair and CEO were found in 104 and 93 files respectively. This is why, while 47,000 social security numbers were leaked, more than a million copies of them were available in the files hacked by the Guardians of Peace. The company was especially careless with its access controls for such sensitive data, as “multiple copies of data this sensitive on multiple employees' computers or multiple times on a single employee's computer is unusual and dramatically raises a company's security risk”.
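The sprawl described above (one person's number in over a hundred files, a million copies of 47,000 numbers) and the missing data classification and access controls discussed in the earlier post are exactly what a sensitive-data discovery pass is meant to surface before anyone else does. The Python below is an added example, not code from the original post or anything Sony used: it scans a small constructed corpus of files for SSN-shaped tokens, labels any file holding one as restricted, and reports how many files and copies each number has and which users' directories hold it. The file paths, contents and the two Social Security Administration placeholder numbers are all constructed; the pattern only checks the NNN-NN-NNNN shape and makes no validity check, which is deliberate for a discovery scan that should over-report and leave review to a human.

```python
import re
from collections import defaultdict

# SSN-shaped token: NNN-NN-NNNN with no digit directly before or after, so that
# longer numbers such as ticket ids or purchase order numbers do not match.
# Format only, no validity checks: a discovery scan should over-report and let
# a human review the candidates.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed sample corpus: {path: content}. The first path component is the
# user directory that "owns" the file. Both numbers are SSA placeholders.
SAMPLE_FILES = {
    "alice/hr/payroll_q3.csv":
        "name,ssn\nJ Doe,123-45-6789\nR Roe,987-65-4320\n",
    "alice/desktop/copy_of_payroll.csv":
        "name,ssn\nJ Doe,123-45-6789\nR Roe,987-65-4320\n",
    "bob/finance/bonus_list.txt":
        "J Doe 123-45-6789 bonus approved\nSSN 123-45-6789 confirmed by HR\n",
    "carol/marketing/press_release.txt":
        "Ghostbusters reboot announced for 2016\n",
    "bob/it/helpdesk_log.txt":
        "ticket 123-45-67890 closed; ref 0123-45-6789 is a PO number\n",
}


def find_ssns(text):
    """Every SSN-shaped token in text, in order, duplicates included."""
    return SSN_RE.findall(text)


def scan_files(files):
    """Map each SSN found to {path: number of copies in that file}."""
    hits = defaultdict(lambda: defaultdict(int))
    for path, content in files.items():
        for ssn in find_ssns(content):
            hits[ssn][path] += 1
    return {ssn: dict(paths) for ssn, paths in hits.items()}


def sprawl_report(hits):
    """Per SSN: number of files it appears in and total copies across them."""
    return {ssn: {"files": len(paths), "copies": sum(paths.values())}
            for ssn, paths in hits.items()}


def classify(files):
    """Label any file holding an SSN 'restricted'; everything else 'internal'."""
    return {path: "restricted" if find_ssns(content) else "internal"
            for path, content in files.items()}


def owners_with_copies(hits, ssn):
    """Sorted list of user directories that hold at least one copy of ssn."""
    return sorted({path.split("/", 1)[0] for path in hits.get(ssn, {})})


def main():
    hits = scan_files(SAMPLE_FILES)
    for ssn, stats in sprawl_report(hits).items():
        owners = ", ".join(owners_with_copies(hits, ssn))
        print(f"{ssn}: {stats['copies']} copies in {stats['files']} files "
              f"(user directories: {owners})")
    for path, label in classify(SAMPLE_FILES).items():
        print(f"{label:10} {path}")


if __name__ == "__main__":
    main()
```

On the constructed corpus the scan shows the pattern the quoted finding describes: one number has four copies spread over three files owned by two different users, while the helpdesk log is left as internal because its longer identifiers only resemble an SSN. In a real deployment the same per-number and per-owner counts are what tells you which duplicates to delete and which directories need their access tightened.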
In sum, the last few weeks have been a complete nightmare, but the most terrifying thing for the not so good people at Sony is that the leaks keep coming, and with the company’s abysmal handling of the crisis so far, things will almost surely get worse.
 BBC News, 2014, Sony Pictures Computer systems Hacked in online attack, http://www.bbc.co.uk/news/technology-30189029
 K. Dutta, 2014, George Clooney ‘loses sleep’ over bad reviews, hacked Sony emails reveal, http://www.independent.co.uk/news/people/news/george-clooney-loses-sleep-over-negative-reviews-hacked-sony-emails-reveal-9924118.html
 L. Boyle, 2014, Sony Hacked Emails Reveal plans for revived Ghostbusters Franchise Starring Channing Tatum and Chris Pratt, http://www.dailymail.co.uk/news/article-2876234/Sony-hacked-emails-reveal-plans-Ghostbusters-franchise-Channing-Tatum-Chris-Pratt.html
 K. Zetter, 2014, Former Employees Sue Sony over epic hack scandal, http://www.wired.co.uk/news/archive/2014-12/17/former-employees-sue-sony
 S. Musil, 2014, Sony Hack leaked 47,000 Social Security Numbers, Celebrity data, http://www.cnet.com/uk/news/sony-hack-said-to-leak-47000-social-security-numbers-celebrity-data/