The cyberattacks on Sony Pictures in response to a movie that depicts a plot to kill North Korean leader Kim Jong-un should serve as a wake-up call in the digital age for companies that have hitherto been lax on information security.
“That is the major takeaway for companies who are watching this train wreck and breathing a sigh of relief that it wasn’t them,” according to Andrea Matwyshyn, a law professor at Princeton University. The hacking has been a “public relations nightmare” for Sony, adds Wharton marketing professor Pinar Yildirim, as leaks of internal communications have fractured relationships and cast major Hollywood players in an unflattering light.
The two experts discussed the likely fallout on the Knowledge at Wharton show on Wharton Business Radio on SiriusXM channel 111.
Sony’s latest troubles began as it prepared for a Christmas release of The Interview, a satirical comedy about the attempted assassination of the North Korean leader. An angry North Korea wanted Sony to can the movie, and its state news agency threatened to target “all the citadels of U.S. imperialists” if the movie was released. In recent weeks, hackers broke into Sony’s systems and leaked troves of company files and emails. The hackers warned of 9/11-style attacks, which led major movie theater chains and cable broadcasters to decline to screen the movie.
Hands tied, Sony last week canceled the Christmas release of The Interview. The Federal Bureau of Investigation blamed North Korea for the hacking, but the dictatorship denied it and called for a joint investigation with the U.S. The situation escalated with President Barack Obama stating that the U.S. “will respond at a time and place and manner that we choose,” and North Korea warning of “grave consequences” if the U.S. were to do so.
For Sony, the fallout goes far beyond battling accusations from freedom-of-expression activists that it caved to demands from hackers. The 38 million files hackers stole and distributed on file-sharing sites include screening versions of five forthcoming films and the script of a new James Bond movie, in addition to Sony executives’ emails, and salary and other personal information. “[The consequences] may go beyond the movie…. [Sony] may face lawsuits for not protecting employee information,” said Yildirim. “So it is a much worse nightmare for Sony.”
A Multi-Faceted Threat
“It’s been an enterprise-wide, multi-technology faceted attack,” Matwyshyn said of the hacking. “I hope [companies] will go back to their chief security officers to see what they can do to ensure this doesn’t happen to them.” She added that companies must create processes to ensure on an ongoing basis that they are vigilant and prepared not only to prevent such cyber attacks, but also to contain the damage once an attack is underway. “It can only happen proactively with the cooperation of not only the IT staff [at companies]; it has to come from the top.”
Companies across the entertainment industry must be “scurrying today making sure all their processes are squared away and up-to-date,” said Matwyshyn. Yildirim agreed that “many of the movie studios must be thinking of protecting themselves.”
Across a broader spectrum, Matwyshyn said companies must have a board member in charge of strengthening their IT security systems. “Particularly for more traditional companies, this is a real challenge — it is a cultural shift that needs to happen,” she noted. “It can’t happen overnight and it is a somewhat painful process. But the reality of the digital age is that intangible assets matter at a whole new level now.”
Many companies in the entertainment industry may already be in the sights of hackers, warned Matwyshyn. “Chances are you are already on the radar of many different people who may already be setting up malware in your networks and just hanging out and waiting for the right time to spring their desired attack,” she said. “If you don’t have [security controls] in place, you are a sitting duck. It is only a question of when and how severe it will be.”
A loss of trust is another casualty companies could face if their security systems are weak. Yildirim cited the damage-control moves by Sony Pictures’ co-chair Amy Pascal after the hackers released her emails on James Bond candidates and other sensitive information. “It could have long term impact on trust with [Pascal],” she said. “The message to the broader movie community is to avoid making [such potentially controversial] comments, especially on the Internet.”
Matwyshyn said the impact would have been “devastating” if the leaks had involved a company’s sensitive research and development information, and that it should be a call for action. “If the basics of due care aren’t visible in your enterprise from the top down in terms of security, you will have a really hard time explaining why the losses are so devastating to your shareholders, to your board, to the outside public,” she said. A hacking incident similar to Sony’s may also put off future business partners “who may perceive your business to be run sloppily, and may not want to do business with you in the future and trust their sensitive information [with you],” she added.
An Unsophisticated Attack
According to Matwyshyn, the Sony breach was “not actually a very sophisticated attack because many pieces of the malware and the ways they compromised the systems are well known in the information security industry.” She speculated that the perpetrator of the attacks could have been some “IT criminal enterprise” or a bunch of “disgruntled IT administrators that were fired and want to do reputational and financial harm to the company.”
The only plus of the Sony hacking from the company’s perspective could be a heightened interest among moviegoers to go see The Interview. “Studies show that if movies are pirated closer to the release date and if they are in file sharing environments, it might increase demand for the movie,” said Yildirim. She predicted that after some time has passed, Sony may screen the movie, or parts of it, or that a bootlegged version will surface.