Sony's £9.8 million security investment 'a painfully small amount'

News emerged this morning from Sony that it plans to spend $15 million (£9.8m) on cyber security defences, only months after suffering a devastating cyber attack.

The financial statement forecasts 890 billion yen (£5bn) in total sales for Sony Pictures, which makes the $15 million (£9.8m) earmarked for defences a tiny outlay when set against an attack that shut the company down and forced employees off corporate networks and onto pen and paper.

Andrew Barratt, CEO of Coalfire, told IT Security Guru that the amount is a “painfully small amount when you look at a company that generates billions ($) in revenue per year”, pointing out that $15m (£9.8m) out of $8bn (£5.3bn) in revenue is less than one per cent.

So how much do you have to spend to get yourself out of danger? Is that even possible? We asked some industry minds what they thought of the news.

Andrew Kellett, principal analyst, security at Ovum

“Several horses have already bolted, but to continue with that analogy, Sony failed to repair the fence after the first one escaped and the security vulnerabilities remained. Beyond that, the ‘spend more on security’ approach has to be seen as reasonable.

“Our research shows that just over 50 per cent of organisations have plans to spend more on security this year, 40 per cent plus will spend at least the same. Only seven per cent think they can afford to spend less and I would really like to know who they are.

“That said, Sony also needs to focus spending on their security intelligence and security management activities to try to ensure that the embarrassing elements of the last security breach are not repeated.”

Dave Larson, CTO at Corero

“Organisations like Sony that rely on conducting their business online must respond to this escalating cyber threat proactively, with dedicated solutions for proper mitigation. Specifically, investing in proactive technical defences against DDoS attacks and cyber threats to prevent attackers from achieving their goal of disrupting or compromising the business should be a key driver in cyber security spend within the organisation.

“Beyond the investment in security solutions, reactive response plans should be developed and put in place to minimise the disruption caused by an attack that penetrates your defences – or is suspected of compromising your systems.”

Rob Sobers, director at Varonis

“There are certain technology problems that you can simply throw money at. For example, if you want to make your server run faster, you can load it up with the best solid-state drives and gobs and gobs of RAM. Voila! Faster server.

“You absolutely cannot, however, buy security. Investing in security technology and in staff is extremely important, but behind that investment needs to be a sound methodology for protecting your company’s data. Time and time again we see companies with excellently equipped security teams fall victim to very basic, unsophisticated vulnerabilities, like accidentally emailing a sensitive file to the wrong person.”


TK Keanini, CTO of Lancope

“The cost of this incident was massive and $15 million (£9.8m) is a good start when you consider a single movie may cost much more than this to produce. Let’s not forget that this is just Sony Pictures; there are also loose ends to shore up across the Playstation Network, as it was down during Christmas day as folks tried to play their new games.

“Businesses worldwide need to stop and really pay attention to what happened here from a business perspective. Consider the threat and ask yourself what you have in place today to ensure business continuity when this inevitably happens to you. We as a business, as partners, as consumers are all facing a very real threat and all must do our part to raise the cost to these adversaries.”

Mark James, security specialist at ESET

“Having the money available is great, but it needs to be used in the right way and that includes making sure staff are educated on good policies and practices – just throwing huge sums into security is only one part of the solution. It is good to see them investing in securing our data, as long as a good portion of this money is being invested in staff training and education along with making sure that data is properly encrypted and continually monitored.

“Whilst $15m seems a lot of money, when you take into account their earnings for the year it is a relatively small amount, but nonetheless it makes a very good statement of their intentions, and as Sony relies on its customers to make its money, protecting our data should be one of its most important jobs.”

Tim Erlin, security researcher at Tripwire

“When it comes to security, the proof is in the pudding. $15M (£9.8m) is just a number, and it could be spent on techie toys as easily as on foundational controls. It will be a long time before we know if their response was effective or not.

“While the number may or may not be accurate, it’s useful for the industry as a whole to see what cost an organisation like Sony puts on this kind of incident.”

Martin Lee, cyber crime manager at Alert Logic

“Published incident costs are only part of the whole cost. Companies need to consider the indirect costs of loss of reputation following a breach and the loss of sales as consumers and partners prefer to take their business to organisations that are perceived as being at lower risk.

“Spending a fraction of the amount that may be spent dealing with a major breach on monitoring and rehearsing the response to a breach means that when an attack is successful, the company is prepared and the incident is resolved. Otherwise, we risk spending more and more money fixing issues long after they’ve been exploited and clearing up the mess. The only people that will win in this scenario are the attackers, and the incident responders.”

The post Sony spends $15 million on security – industry views appeared first on IT Security Guru.