Lessons from the PlayStation attack

[By Neil Campbell]

The news that Sony has discovered an attack against its PlayStation Network servers, leading to the potential theft of the data of 77m users, sends a strong message to the business community. IT security risks are not theoretical: they are real and they happen all too regularly.

Organisations should continually monitor their IT infrastructure, not only for threats but for new approaches to managing threats.

Though little detail is available yet about the attack, organisations need to recognise that people can be both their strongest and the weakest link when it comes to IT security and continually invest in security awareness training, building strong and well-managed security processes, and backing up those processes with technology fail-safes wherever possible.

IT security risks are not theoretical, they are real. They are realised all too often and their impact is felt by both customers and the organisation involved. That said, there’s no such thing as perfect security and the security failures that are allowing these breaches to occur are due to a number of different factors.

One of the IT security industry’s core beliefs is that the only way to secure a computer properly is to turn it off and lock it in a vault. Anything else involves real risk. If we look at a simple risk management model, it involves listing the threats that face a given asset, then assigning a frequency (which determines the likelihood that a risk will be realised in a given period) and an impact (generally the financial impact).

This provides a risk score that can then be used to manage the risk appropriately in the context of the other risks and the resources and options available to manage them. If there is no frequency there is no risk. If there is no impact there is no risk.

Given the large number of data breaches that have occurred, this could point to a breakdown in one of three areas:

  • Organisations are misjudging the risk by failing to understand the frequency or the impact.
  • IT security is so fast-moving and complex that even with appropriate measures the controls are being rapidly invalidated.
  • There’s an inherent problem with the controls in the first place.

While the precise method by which the hacker broke into the systems has not been revealed, the answer will probably be found somewhere between the three. Although there’s no perfect answer, organisations should keep these three considerations in mind.

IT security risk is often underestimated. When budgets are tight, security can be cut without an immediately obvious impact on the deliverables. IT security is also a very fast-moving area involving what amounts to an arms race — the best illustration of which can be found in the struggle between zero-day exploits and patches. And there is indeed an inherent problem in the controls that are being applied: they generally rely upon people following processes, and that is one of the most difficult challenges to address.

Companies must accept that IT security risks are often realised and the impact can be huge, not only to the organisation itself but to customers who placed their trust in them. Although data breaches will continue to occur, the goal must be to reduce the frequency and impact of those breaches.

  • Neil Campbell is Dimension Data’s global GM for information security

Share this article

  • Mamelodi

    No real insight here. Just an opportunistic press release.

  • Brett

    Perhaps, but it bears saying though. Too often security is overlooked as nothing more than an expense.

Why TechCentral?

We know that as a prospective advertiser, you are spoilt for choice. Our job is to demonstrate why TechCentral delivers the best return for your advertising spend.

TechCentral is South Africa’s online technology news leader. We don’t say that lightly. We believe we produce the country’s best and most insightful online tech news aimed at industry professionals and those interested in the fast-changing world of technology.

We provide news, reviews and comment, without fear or favour, that is of direct relevance to our fast-expanding audience. Proportionately, we provide the largest local audience of all technology-focused online publishers.

We do not constantly regurgitate press releases to draw in search engine traffic — we believe websites that do so are doing their readers and advertisers a disservice. Nor do we sell “editorial features”, offer advertising “press offices” or rely on online bulletin-board forums of questionable value to advertisers to bolster our traffic.

TechCentral, which is edited and written by award-winning South African journalists, cares about delivering top-quality content to draw in the business and consumer readers that are of most interest to technology advertisers.

We’d like the opportunity to demonstrate the value of directing a portion of your advertising budget to TechCentral, whether your company is in the technology field or not. Numerous opportunities exist for companies interested in reaching our audience of key decision-makers in South Africa’s dynamic information and communications technology sector. We offer packages that will deliver among the best returns on investment available in the online technology news space.

For more information about advertising opportunities, and how your organisation can benefit by publicising itself on TechCentral, please call us on 011-792-0449 during office hours. Or send us an e-mail and ask for our latest rate card and brochure.