What Sony's Latest Security Breach Tells Us

My recent articles on security here at TalkMarkets have been designed to warn investors about the growing cyber security threat. I continue to illuminate the issue because I know the potential for not doing so can lead to a lot of market pain for companies and individuals alike. So we press on with the latest high profile security breach .. 

Sony's (SNElatest security breach, which exposed over 25 Gbs of data, employee health and personal records, external vendor accounts, internal core infrastructure management login accounts, salary data, employee social security numbers, and PwC financial audit record data. In addition, the attack included malware designed to wipe system hard drives all the way down to the master boot record, prompting expensive hardware replacements and untold costs in lost data. The hackers published the private data on torrents which are publicly available, which is very damaging to Sony in their efforts to mitigate the attack with their business continuity process. 

The main elements to pay attention to here are costs. Sony will have an immediate financial impact from sales losses, such as those experienced at Target (TGT) after their point of sales (POS) systems breach. Total costs to Target are estimated on the low end at $1 billion. In addition, security breaches tend to lower stock value significantly and scare investor dollars away for a significant period of time. Target stock had fallen 46% 90 days after the breach of their POS systems. Investors in Sony should be careful on their investment targets in the next 180 days at least, with an somewhat lesser window of caution set for 365 days depending on how Sony management addresses public concerns about the company's internal security practices. This is the key to predicting future Sony break-ins. 

The reason Sony's latest hack was not surprising was because 1) they have been hacked before and 2) numerous industry studies show companies don't adequately respond until multiple attacks have taken place. In addition, most company leadership don't have a Chief Information Security Officer (CISO) that is responsible for planning and responding to security threats across the company on a daily basis.

Sony hired a CISO after their last breach. However, implementing new policies globally in a large organization takes a lot of time. Hiring a CISO is only the first in a long line of steps that need to be taken. Often the biggest obstacle is changing company culture from one of 'just get it pushed out' to 'just get it pushed out, securely'. The collective IT industry does not train security well in college courses or certifications, outside of those specifically designed for the Information Security discipline. Programmers rarely, if ever, get training on how to build code securely. If they do, there is often so much pressure to push code to production quickly that well-intended security procedures often get thrown out the Window in favor of speed to market. Not until security is demanded by consumers before purchase will this culture change holistically in Corporate America and in the education arena. 

In addition, implementing security controls across the IT infrastructure often built with duct tape and bailing wire produces unique challenges for most organizations. The lack of clear standardization in IT implementations, due to the sheer creativity that IT teams have been challenged with using in pushing new products, means that bolting-on security into existing computer infrastructures is often too costly or too time consuming, or both. As a result, most companies opt for vendor security tools that look good on paper but are often poorly mismatched with existing infrastructure at best and don't really deter hackers from compromising internal system assets. 

The reality is that investors need to be aware of the current security challenges for any company they consider putting money into. In addition to pouring over financial publications indicating awareness of cyber risk and costs, investors should consider the level of maturity a company has in the Information Security team, whether the company has a CISO with high level authority and how long that CISO has been on the job, and whether the company has high risk threats to the business model.

For example, if a company produces opinion content such as films, magazine, or advertising, they may be subject to geopolitical hacking as such hit Sony. If in the defense industry, companies may be at risk to stolen intellectual property from competing nation states. If in technology, companies may be subject to risk from industrial or nation state espionage. Many companies have multiple simultaneous threat profiles. Investors must recognize these security risks, much in the same way they recognize market and financial risks, in evaluating companies to add to their portfolios. Security risk is now a strategic risk to most businesses, whether they have internally acknowledged this fact or not. 

It is a brave new world for investors, fraught with many risks. A new one has emerged that should be considered part of standard due diligence for investors in today's market, but rarely is. 

If you are looking for investment ideas on how to play this security risk in the market, I'll have an upcoming article on some investment options that prosper when companies get hacked. Stay tuned!

The author is not invested in any funds mentioned in the article. 

How did you like this article? Let us know so we can better customize your reading experience.

Comments

Leave a comment to automatically be entered into our contest to win a free Echo Show.
Or Sign in with
Joel Santiago 10 years ago Member's comment

It tells me they should be paying attention to $WAVX and trusted computing solutions!