
The Sony Breach and Implemented Critical Controls Case Study


Introduction

Sony Pictures Entertainment (SPE) Inc. is an entertainment organization that acquires and distributes media in the form of recorded videos, theatrical motion pictures, and television programs worldwide. In 2011, SPE suffered a breach that was considered one of the most significant data hacks in history. Sony stated that it had implemented appropriate security measures to prevent future breaches.

However, three years later, in November 2014, the company was again hacked by a group referred to as the “Guardians of Peace,” and substantial and sensitive information was stolen. The second attack was supposedly associated with terrorism. Moreover, in both attacks, approximately 100 terabytes of data were stolen, comprising confidential customer, employee, and other organizational data. Specifically, these included usernames, passwords, unreleased movies, sensitive information regarding Sony’s network architecture, and personal information about employees and clients. The second breach exposed Sony’s ignorance and laxity in implementing stringent data protection measures.

Protection of Personally Identifiable Information

Personally identifiable information (PII) is described as data that can be used to trace or differentiate a person’s identity. Examples include a name, biometric records, a social security number, and place and date of birth. In the SPE breaches, large volumes of PII were stolen, including social security numbers, salaries, and other PII regarding both the employees and users. As a result, according to the “CIS Critical Security Controls: Guidelines,” several critical control measures can be implemented to protect PII. First, SPE can secure the configurations for hardware and software on electronic devices and servers through the installation of antivirus software and firewalls to prevent unauthorized attackers from gaining access to the systems. Second, SPE can assess the security skills and training of employees and fill in the gaps. This is because phishing employees is the most common and conventional method that hackers use to gain access to systems. Third, SPE can protect data through the encryption of sensitive data.

Assess the Impact of the Breach on the Company

In 2014, numerous data breaches generated significant media attention; however, none had as substantial an impact as the Sony breach. These breaches have resulted in commercial fallouts, large-scale international negotiation and sanction issues, national security implications, and personal embarrassments, among others. The Sony hack specifically led to the leaking of the stolen usernames, passwords, unreleased movies, sensitive information regarding Sony’s network architecture, and personal information about employees and clients. Consequently, the breach had significant impacts on the company. First, SPE incurred substantial financial costs that were estimated to be approximately $15 million. This cost covered the investigation and the restoration of financial and information technology systems.

Second, Sony lost both time and finances. The company lost $35 million for the full fiscal year, and time was lost as the network had to go offline for several weeks to allow Sony’s technicians to rebuild the network system. Third, it brought the company embarrassment. The occurrence of the two breaches within a limited timeline embarrassed Sony, as it is recognized as one of the world’s renowned film studios. This is because it brought to light Sony’s ignorance and the insufficiency of the resources that it was investing in its network security system. Fourth is the loss of employees. Amy Pascal, an influential movie executive, had to step down as the head of SPE due to the breach exposing private and damaging emails. Lastly, the breach brought about the loss of trade secrets, revenue models, and other revenue-generating assets, which had an adverse compounding effect on Sony’s bottom line.

Security Issues the Company Was Facing Before the Breach

  • Information was stored in an unencrypted format
  • Sony failed to install malware defenses and firewalls
  • Uncontrolled use of administrative privileges
  • Poor incident response system
  • Audit logging was not performed
  • Lack of monitoring of data leaving the institution

Suitable Control and Proper Tools for Security Issues

  • Encryption of all sensitive information
  • Installation of malware defenses that would flag unauthorized access
  • Controlled use of administrative privileges
  • Proper incident response and management
  • Maintenance, monitoring, and analysis of audit logs
  • Monitoring and controlling of accounts

Proper Risk Decision

  • Data protection through the encryption of all sensitive information – Mitigation
  • Installation of malware defenses – Defense
  • Controlled use of administrative privileges – Mitigation
  • Proper incident response and management – Acceptance
  • Maintenance, monitoring, and analysis of audit logs – Mitigation
  • Monitoring and controlling of accounts – Mitigation

Tools for Low-Budget Security

For low-budget security, open-source tools are a viable option. Most commercial security services and applications have an open-source alternative. Although such tools are not as fully featured as their commercial counterparts, they are more budget-conscious and secure as the code is accessible to the public. However, their only disadvantage is that they lack a user-friendly interface.

The second strategy is shared staff, services, and tools. Through sharing the risks and costs of specific IT services, tools, and staff positions, companies can obtain benefits that might otherwise be out of reach. Institutions that are part of a system can identify their peers or consortia and build on existing relationships. On the other hand, sharing peer risk assessments from various service providers helps in cutting costs. Lastly, by sharing security tools such as antivirus systems, vulnerability scanners, intrusion prevention and protection systems, and firewalls, similar-sized companies can minimize the costs of purchasing related tools. Combining such tools enables institutions to acquire a robust and resilient security platform which, when merged with services from IT experts, leads to the provision of a broader range of services to a more diverse population. Nevertheless, the problem with shared services and tools is that the system is susceptible to system or server crashes.

Lessons Learnt from the Sony Breach

Several conclusions can be derived from the above review of critical security controls in relation to the Sony breach. For example, all institutions have data security risks. They are mostly applicable to financial services and healthcare companies as they operate with large volumes of PII; hence, they are required to meet particular regulatory standards to protect PII. However, the level of impact of the breach on Sony suggests that it is essential for every company to consider data security. Furthermore, the efficiency of security controls in protecting organizations from breaches requires the inculcation of the appropriate security culture.

Work Cited

SANS Institute, 2015, Web.


Reference

IvyPanda. (2021, August 1). The Sony Breach and Implemented Critical Controls. https://ivypanda.com/essays/the-sony-breach-and-implemented-critical-controls/
