Lessons from Sony's security mistakes

You might have thought that a large enterprise such as Sony, having suffered a very high profile and therefore highly embarrassing (not to mention brand damaging) security breach earlier this year, would have done everything it could to ensure there could be no further shocks for its customers.

You would have been wrong though, if this month's news that Sony has locked down 93,000 online accounts is anything to go by.

It would appear that a number of unauthorised access attempts had been registered in the three days beginning on 7 October, which succeeded as far as verifying the valid sign-in information for more than 90,000 accounts concerning Sony Entertainment Network, Sony Online Entertainment and PlayStation Network users.

Although the fact that Sony reacted reasonably quickly to the hack attempt might sound like good news for the entertainment giants, coupled with no credit card information being put at risk this time around, I'm not convinced that's the case.

Sony is being pretty quick to assure anyone who will listen that the breach came about from using data lists obtained from compromised external sources, as in other companies and not Sony itself. It is being equally timely in stating that all the accounts concerned have been locked until a full investigation into the actual extent of the unauthorised access attempts has been completed.

Users will be asked to change passwords, although once again Sony is taking the opportunity to try and mitigate brand damage by pointing out that it was but a "small fraction" of the 93,000 accounts which had logged any kind of activity before being locked down.

What a shame that Sony hadn't taken the time during the five or six months that have elapsed since the original data breach and the secondary one that followed soon after to re-evaluate security holistically.

If it had done that then perhaps it would have understood that the old enterprise security paradigm of 'encrypting critical business data balances the risk equation' is no longer enough.

Hackers are no longer just interested in your financial information, credit card data and the like, they are interested in everything because everything has a value. Increasingly this means an interest in what you might call 'social data' that you hold about your customers.

"To ensure maximum security, organisations need to encrypt all data, including the information they exchange and store with external IT infrastructures, such as business partners, cloud providers and other third party organisations," says Mike Smart from SafeNet.

"This will significantly reduce the potential damage to the business and the customers in case of a security breach and will restore trust in consumer privacy."

Unless Sony, and indeed you for that matter, adopt a more holistic approach whereby data is encrypted at every stage of the lifecycle then this is not going to be the last time I write about trust-tarnishing, brand-damaging breaches such as this.