I can’t go online without seeing a Game of Thrones reference. HBO has invested hundreds of millions into building hype around this show, and with great return: Two episodes this season have broken ratings records for the cable giant, with Episode Five surpassing 10 million viewers.
But Game of Thrones is also in the news for two very different reasons.
The first: Action is heating up in Season 7, and fans are expecting plenty of ice and fire in the finale (no spoilers here). Each episode sparks water cooler talk for days, and it won’t stop as long as the jockeying for the Iron Throne continues.
Digital transformation has reshaped the world we live in. The digital world is not just where we can get our work done, but it’s now where organizations deliver value and a core element of business strategy.
But digital transformation has a dark side too. It has reshaped risk, because data now has a value that transcends the 1s and 0s that make it up. As we participate in this digital revolution, risk will be a constant companion.
We have mentioned before, and it bears repeating, that you can’t prevent 100% of breaches. In the media sector alone, we have seen recent breaches from HBO, Netflix, and more infamously, Sony Pictures. Each of them has revealed some critical lessons that all organizations can learn from.
Still, even with all of those strikes against it, Sony’s key failure is that it didn’t have a clear picture of what its critical data was, who could access it, where it was stored, or what could happen if any of it were to leak, whether by accident or on purpose. Let’s pause for a minute and consider all the stolen data that could be considered the “crown jewels” at Sony.
Even with all the next generation firewalls, endpoint solutions, and security black boxes thrown at the situation, without a rudimentary understanding of their critical data, Sony didn’t stand a chance. Then, on top of it all, this lack of understanding meant that Sony didn’t have a clear response path.
Lessons: Compliance reports will show you where you have control weaknesses, but they won’t show you where your critical data is, how it is being handled (and by whom), and where it might go. And often, large segments of crown jewels data (embarrassing emails, film scripts, etc.) aren’t regulated at all. A clear understanding of your critical data is key, because you can’t protect what you can’t identify.
Most organizations have relationships with third parties at some level, whether through contract manufacturing, payroll, legal, cloud services, or even media production. This means that valuable data is traveling back and forth across the organizational perimeter and leaving the immediate control of the data owner. Organizations need to be keenly aware not only of this risk but also of its implications.
In a bold move, Netflix refused to be blackmailed by the attacker, and the episodes were released. Netflix didn’t experience a decrease in viewership due to the release, but this is likely because the Venn diagram of “fans of the show” and “subscribers of Netflix” is pretty much all overlap (i.e., no incentive to download illegally).
Also, as is typical of Netflix, all new episodes are available on the release date, and viewers don’t need to wait for weekly episodes to continue the story. But had this been a wide movie release or typical episodic television, the impact could have been more severe. Still, Netflix made a value calculation when deciding how to respond, and it was quick to determine that they would not give in to the attacker’s demands.
Lessons: Organizations need to make their own determinations on the value of their data and game plan responses. Also, organizations should consider third parties when assessing crown jewels data and the protections necessary.
Media companies like HBO are in a bind. Their material has a short shelf life: most of the value of a new program is captured not long after its release. The choice between allowing hackers to dissolve this value ahead of the release or paying a ransom becomes a business decision.
Having a plan in place before an attack, however, is critical. This allows you to assess, improve, and manage this data commensurate with its value to the organization. While putting the focus on the data that is most valuable seems like common sense, it rarely plays out that way in the real world (with catastrophic consequences as the result).
HBO has also learned lessons these past few weeks about the Insider Threat. When employees of a partner company leaked a Game of Thrones episode online, HBO received another black eye.
Lessons: A persistent attacker will find a way through defenses. It’s up to the organization to have layers of security in the right places to neutralize an attacker’s ability to take data critical to the business. And as Netflix’s case shows, risk extends beyond the borders of the organization and into any contracted third parties. Any security plan must identify those risks; quantify them; and accept, mitigate, or transfer them.
(Image source: https://giphy.com/)
Contact Focal Point today to find out how we can help you with your crown jewels assessment and reduce the impact of your critical data being stolen.