By Rachel Feintzeig, Clint Boulton and Joann S. Lublin
Damaging revelations emerging from the computer assault on Sony
Corp. are playing like a horror movie in America's executive
suites, prompting companies to review security measures and
reconsider what is said in an email.
Corporations long have dealt with hackers who went after their
trade secrets and customers' financial data. But the attack on film
studio Sony Pictures Entertainment Inc. that on Wednesday led it to
cancel a film debut took the possible consequences to a new level
by leaking financial data, secret details about coming films,
complaints about business partners and racially insensitive
comments about President Barack Obama.
The scale is causing executives who thought they had computer
security under control to sit up and take notice.
"Sony is Snowden, right?" said Bruce Schneier, chief technology
officer of cybersecurity firm Co3 Systems Inc., referring to the
former National Security Agency contractor who exposed reams of
embarrassing information about America's electronic spying efforts.
"It's someone getting in and getting everything."
Larry Pimentel, chief executive of Azamara Club Cruises, a
luxury cruise line owned by Royal Caribbean Cruises Ltd., said he
is more likely to pick up the phone or walk down the hall to meet
in person after hearing about the Sony breach.
"I was always thinking about hacking in terms of financial
stuff," he said. But the Sony incident made him realize that his
relationships and social interactions could be invaded too,
creating a new kind of discomfort and embarrassment.
Soon after learning of the studio breach, he reached out to
Royal Caribbean's information chief to learn more about the
company's cybersecurity profile, including details on passwords and
filters and access controls. He was satisfied with the answers and
took the executive's advice to keep employees up-to-date on
security protocols and concerns. At a quarterly meeting with his
top executives on Tuesday, he urged they take a lighter approach to
email.
"Say the facts, but be more gentle," he said he told them.
Faisal Husain, CEO of technology firm Synechron Inc., says he
has always been careful about communicating over email. But after
news of the Sony breach began emerging, he brought up the topic on
a weekly management call with his executive team. He urged the
group, the company's top 50 employees, to use the phone or schedule
in-person meetings if they need to address a conflict between
employees, tackle a tricky client situation or "speak very
openly."
The attack on Sony came at the end of a year marked by a
succession of data thefts at retailers. A long running intrusion at
Target Corp. last year exposed around 40 million credit and debit
cards. A similar attack at Home Depot Inc. this summer compromised
56 million cards. Shoppers have become inured to the breaches,
which also hit luxury retailer Neiman Marcus Group, crafts chain
Michaels Cos. and grocer Supervalu Inc.
The breach at Target helped topple the company's CEO and served
as a wake-up call for many companies. Still, the attack on Sony
appears more serious because sensitive, private information was
made public to discredit and damage the company and its executives,
Mr. Schneier said.
Stuart Kippelman, information chief at Covanta Energy Corp.,
said until the Sony incident, he had never been in a security
meeting and raised the question: Who is out to cause us harm?
"Whereas CIOs have traditionally thought generically about
security, going forward they will have to assess who their enemies
are," he said. "I think this changes the way every company should
think about security."
U.S. officials have concluded North Korea is behind the attack
on Sony, people familiar with the investigation said on Wednesday.
North Korea, which called the Sony comedy portraying the
assassination of leader Kim Jong Un an "act of war," has denied any
connection.
The bad news, said Charles Elson, a board member at HealthSouth
Corp. and Bob Evans Farms Inc., is there is little companies can do
to stop sophisticated, government-backed motivated attackers.
The weakest links in any corporation are the employees, said Tim
Arthur, chief information officer of Alltech Inc., an animal health
and nutrition science company based in Kentucky. That won't change
regardless of how many policies and procedures are put in place. He
wonders whether executives and other employees might start going
"anti-digital," reverting to conducting more conversations via the
phone than email.
Bonnie Hill, a director of Yum Brands Inc. and California Water
Service Group, echoed that point, saying the attack on Sony got
everyone's attention and is a reminder "that you don't use your
email for general, chatty conversations." She said she expects
boards to start asking more questions about what kind of
information is being kept and how safe it is.
"A sufficiently skilled, motivated and funded attacker will get
in, period," Co3's Mr. Schneier said. Companies must continually
improve security with layers of defense that include intrusion
prevention, detection and incident response, he said.
"This is going to take years to unwrap," Mr. Schneier added.
"Now every company is thinking, 'What would it be like if
everything in our company was made public?' "
Access Investor Kit for Sony Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=JP3435000009
Access Investor Kit for Sony Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US8356993076
Subscribe to WSJ: http://online.wsj.com?mod=djnwires