Thursday, December 18, 2014

Vae Victis

Vae victis. Woe to the vanquished. 


It was reminiscent of the Gauls sacking Rome. Sony Pictures' capitulation to the demands of state-sponsored hackers this week marks a significant battle lost on the cyberbattlefield. Hackers widely attributed to North Korea forced Sony Pictures to withdraw the release of the film The Interview in exchange for withholding a damaging trove of data already extracted from the studio's servers. Data previously released by the hackers includes employee banking information, controversial email exchanges between executives, and studio salary information - the proverbial severed finger in the box sent to the distraught family. One can only imagine what more the hackers' threatened "Christmas Present" could possibly contain. The fallout from the Sony Pictures hack has not only created severe reverberations within the company, but also globally across C-level suites. Organizational leaders are turning to their CIOs and asking what damaging information resides on their servers and whether it is ever possible to secure them.

The aftermath at Sony Pictures is a trip back in time. Sony Pictures has resorted to removing physical machines, temporarily forcing employees to share one or two computers and printers for an entire office. Now employees are embracing face-to-face meetings to get work done as many corporate devices are simply unavailable. While the subsequent increase in direct human interaction is welcome (as it would be in most large organizations), there remains a challenge in capturing the new learning that is critical to the evolving corporate memory. This is the price to be paid for less-secure legacy enterprise systems such as email. The new call to action will be to move to highly secure, dedicated internal communication platforms with in-transit and at-rest encryption.

Those who fail to learn the lessons of history are doomed to repeat them.
Over 2300 years ago, the Gauls sacked Rome in the Battle of Allia. The Gallic general Brennus admonished the Romans that one should not complain about the price exacted under the terms of their surrender. The Gauls extorted the Romans in exchange for leaving the city and literally tipped the scales used to weigh the gold in their favor. The Roman leader Camillus quickly arrived with the Roman army and threw his sword on the scale saying, "Not gold, but steel redeems the native land." A fight ensued and the Romans regained control of their city and eventually vanquished the Gallic forces. Camillus was later considered a second Romulus, or second founder of Rome, and there are more than a few organizations reeling from data breaches right now trying to identify their own Camillus.

One of the lessons learned from the Gauls sacking Rome was that the ancient city defenses were woefully inadequate or non-existent, so they built the Servian Wall, a defense so strong it repelled Hannibal during the Second Punic War. This is certainly Sony Pictures' call to action, and that of many global enterprises. It is time to move off of email to highly secure enterprise platforms in order to repel the next attack. Combined with best practices around password and data security, these new Servian Walls should help stem the tide of attacking hordes. 

While Sony Pictures and others have no guarantee that the highly sensitive data already extracted from their servers will not be used against them in the future, they can certainly prevent it from ever happening again and hand defeat back to their attackers. Then they can say to them, woe to the vanquished.