What is known publically about Sony is that they are a for profit company dealing in a digital medium with obvious devastating impact for unauthorised access to their products.
“They have every motivation to pour a lot of resource into protecting their lifeblood,” adds Proctor, before questioning; “But what about their administrator’s behaviour?
“Dumping sensitive data into unprotected text files is a practice as old as time and I have seen it at many companies.
“This is typically the result of administrators who have a job to do. If you need access to 50,000 passwords, this is a convenient way to get it.
“Sure it is against policy. Sure it is risky. But what’s the probability of a pervasive and comprehensive attack that will compromise such a file?”
Proctor believes risk and security programs have a lot of priorities and employees ignoring policy has not been at the top of the list.
As a result, he bucks the trend in claiming that Sony security should not be lambasted for “doing exactly what they should have been doing”, which is, according to Proctor, “focusing limited resources on the most important assets in the company.”
“If you want to cast the first stone, you better consider your own glass house,” he adds. “Basically, every enterprise has this problem with people and behaviour.
“Everyone reading this has unencrypted files in their company with sensitive data.”
However, the Sony hack changes the game. If North Korea is involved, a nation state attacking an enterprise with malice creates a very different security problem with user behaviour that will not be solved by technology.
“Security programs and user education need a boost with special attention on these risky practices for convenience,” Proctoer says.
“Simple behaviour changes will do more to protect your enterprise than spending millions on complicated technology that will make users miserable.
“Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.”
