Guiding Quote

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.” Einstein

Saturday, December 20, 2014

Sony hack and Risk Management.


The hacking of Sony Pictures' computer systems is only the latest in a long series of hacking attacks on commercial and government systems. This one became “big” news because it resulted in the release of derogatory comments about celebrities and culminated in the withdrawal of a movie because of threats to cinema chains.
What has been overlooked in all of the public furore about who the hackers actually were, who slagged off whom, and the cancellation of the film’s launch, is the reported poor state of Sony’s computer systems security. Some three years ago hackers gained access to the accounts of 77 million paying users of their PlayStation network. Improvements were promised. This year both their German and Brazilian networks have been penetrated. Also they allegedly stored all their key passwords in a file called, wait for it, “Passwords” - ‘oh deary me’ as my grandmother would have said - talk about making the hackers’ job easy! Computer security would appear to have been a low priority for someone at Sony.

Bad enough that sophisticated hackers should attack your system without you aiding and abetting their efforts with poor security.

The alarming fact is that Sony are probably no better or worse than most large companies. The lack of basic encryption, poor password standards, and lack of effective system monitoring are commonplace. Any decent risk plan should address hacking and set out detailed actions for how the system is to be protected.

I would not be surprised if somewhere in all of these corporations there are reports that show that these problems exist, and also Potemkin spreadsheets that show that there is no problem. No prizes for guessing which documents the Board has been seeing!



Friday, December 12, 2014

Risk and its consequences


This week I came across two examples of risk. One avoidable, one happenstance.

My wife is a ceramic artist and she shares studio space in an old factory building. This week she received the news that the water main supplying the sprinkler system had burst and flooded her studio to a depth of thirteen inches, partially submerging her potter's wheel and her electric kiln. To compound her misfortune she'd left her laptop on the floor, only the third time she'd left it in the studio. As I write we are drying it out: more in hope than expectation. The rupture of the main and the damage to the laptop come under the heading of happenstance, or sh*t happens.

The second incident was reported in the UK and it concerned the computer system failure of the Royal Bank of Scotland (RBS). This failure resulted in some of its customers being unable to gain access to their accounts for up to three weeks. This week the bank was fined $90M by the UK's financial regulator. This fine was in addition to the $112M it paid out in compensation to bank customers and $168M cost of staff overtime to fix the problems. All told the error cost the bank $1.2B!

The reported cause of the error was deemed to be the incompatibility of their old, as in ancient, computer code and their new mainframes, an issue that had apparently been highlighted in a previous audit report but not fully addressed. Now this organization has an annual IT budget of $1B. So money wasn't necessarily the prime cause, but poor risk assessment surely was. This incident definitely comes under the heading of avoidable. The worrying thing is that there are an awful lot of corporations who are in the same boat, with old code and a lack of willingness to fix it. Tick Tock, Tick Tock, goes the time bomb.