What the Sony hacking scandal means for boards

At every board meeting this month someone is bound to ask, either during the meeting or in a quiet aside, “Could we be the next Sony?”

They’ll be referring to the fact that Sony Pictures was recently hacked, with thousands of documents and files purloined and put into the public domain.

People are still wading through the documents, but, so far, a great deal of company confidential information has been revealed, ranging from salaries and internal company presentations to detailed financial reports, passwords and even upcoming films.

Nothing focuses the collective mind of a board on a problem such as cybersecurity like having a high-profile exemplar that scares them into asking tougher and more pointed questions.

I will be amongst those asking that “check on data security” be added to our agendas under the AOB (any other business) section of risk committee meetings and board meetings.

Several components of this recent event are alarming to board members.

First, it is the seeming ease with which the hackers entered the system. There are still questions around who is really behind the cyber-attack. Speculation ranges from state-sponsored hacking by North Korea over discontent surrounding an upcoming Sony Pictures film, The Interview (North Korea denied involvement), to hacktivists who may have had some sort of assistance from the inside. If it is an external hacker, that means that Sony Pictures hasn’t put in place sufficient deterrents to keep the company safe. If it is a group with inside assistance, that is even more alarming in some ways. Board members and executive teams will want to know how you can defend against that threat.

The second disquieting component is the sheer volume and type of documents that are being released into the public domain. All executive teams and boards worry when company confidential documents are made free for anyone to see. Thus far we’ve seen the documents being scrutinised for everything from salary disparities to medical records of employees at the company. This leaves the company open to an extraordinary amount of liability on many levels. The legal department will be busy for months, possibly even years, to come.

One thing is very clear: At a time when so much of business is based in the cloud, and every part of a company’s confidential details can be found there, companies need to be more vigilant than ever.

I’ve talked ad nauseam to fellow board members about cybersecurity as a priority on the agendas of today’s board room. Many are only just now beginning to understand how much companies depend upon this technology. The news of the Sony Pictures hack, and the fall-out that will come as a result, will do much to clarify this in stark terms. If board members didn’t understand the importance of cybersecurity before, they will certainly understand it now. Chief Information Officers and technology teams better buckle up — they are in for a bumpy couple of months of questioning.

This column is from Above Board with Lucy Marcus, which illuminates how boards work, the consequences when they don’t work, and how they can succeed.

Date

15 December 2014