What MSPs Can Learn From the Sony Hack

I’m of the opinion that managed service providers (and their customers) can learn a lot from current events, particularly when those events so directly impact IT security and data privacy. Last week’s Sony hack has brought a lot of media attention. Whenever entire films and lists of actors’ social security numbers are exposed, even the non-technical media tend to become interested.
The Sony data breach, however, is illustrative for a number of reasons. MSPs can use the Sony hack to teach their customers the numerous benefits of effective managed services and cloud computing. Here are a few of the lessons we can learn from Sony.

Everyone is a target

Like the celebrity photo hacking incident earlier this year, the Sony hack shows us that even “non-financial” entities represent viable targets for hackers. While the hackers’ motives are still unclear (it looks like they were attempting to blackmail Sony into not releasing a film), the resulting humiliation and bad press for Sony are unmistakable. The negative attention is bad for Sony’s business, and it would be bad for any business if the same thing happened to them.
The point is that everyone is a target, no matter how unimportant you think you are. Hackers aren’t just interested in banks and health care records.

Passwords Matter

It has been revealed that Sony’s passwords, along with other sensitive data, were unencrypted. This meant that once the hackers successfully penetrated Sony’s network, they were able to grab raw passwords, which led them further into the network and to more valuable treasure. MSPs should at least be advocating some form of password management for their customers, including the practice of encrypting passwords.

Encrypting Data Is The New Normal

In addition to passwords, Sony kept much of the really sensitive data in an unencrypted state. Had this data been encrypted, the hack, while still bad, would not have been as damaging to Sony as it has been. Data breach notification laws generally state that hacked encrypted data does not have to be disclosed as part of customer notifications. MSPs should be advising their customers to encrypt and protect (via other mechanisms) their sensitive data, both to hide it from hackers and to render it useless in the event a hacker does penetrate a network and gain access.

All Your Eggs In The Same Basket

Whatever the hackers were after, they apparently made off with several valuable assets. The stolen films can now be copied and sold on the black market. The same is true for all the social security numbers and other personally identifiable data breached. The potential for blackmail against Sony and its celebrity partners is considerable.
As we have previously written on this site, MSPs need to advise their customers on protecting different types of data differently. Because not all data is the same, some data needs more aggressive privacy and security protections.
Anytime these noteworthy hacks occur, MSPs should take the time to educate their customers. Any chance to speak with your customers is a good opportunity and should not be wasted. Whether it is a discussion about making changes to the network or just advising them on new threats, public hacks are very useful opportunities and must be used.

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.
