Risk Insider: Jack Hampton

Cyber Security: Don’t Pay for a Landslide

By: | May 16, 2016

John (Jack) Hampton was a Professor of Business at St. Peter’s University, a core faculty member at the International School of Management (Paris), and a Risk Insider at Risk and Insurance magazine where he was named a 2018 All Star. He was Executive Director of the Risk and Insurance Management Society (RIMS), dean of the schools of business at Seton Hall and Connecticut State universities, and provost of the College of Insurance and SUNY Maritime College in New York City.

At 8 p.m. on the evening of the 1960 presidential election, the television news networks reported Republican Richard M. Nixon leading Democrat John F. Kennedy by more than 400,000 votes in Illinois. The Chicago precincts were not included in those early figures.

When those precincts finally sent in their totals — very late that night — the voting tally produced a 9,000 vote margin for JFK and victory in the presidential race.

The announced “turnout” by the Daley political machine in Chicago was a historic 89 percent.

Thirty years later, allegations surfaced that mob boss Sam Giancana helped rig the election, partly by using money from Joseph Kennedy, the father of the incoming president.

After the 2011 breach, we might ask, “Did Sony have second thoughts about what it should spend on cyber security?”

We also became familiar with an alleged quote by the senior Mr. Kennedy, “Don’t buy a single vote more than necessary. I’ll be damned if I’m going to pay for a landslide.”

Cyber security today reminds us of the Joe Kennedy philosophy in Chicago in 1960.

The issue was succinctly expressed in 2007, when the executive director of information security at Sony Pictures reportedly said, “It is a valid business decision to accept the risk of a security breach. Sony would not invest $10 million to avoid a possible $1 million loss.”

Subsequently, a Sony unit experienced a destructive 2011 cyber attack that brought down its systems for 24 days and compromised personal details and other data on 77 million user accounts.

The attack resulted in more than 50 class action lawsuits, and caused a financial loss in the hundreds of millions of dollars.

In 2014, hackers struck Sony Pictures again. They lit up Sony websites with annoying sounds and threatening pictures, stole or erased software and data on 4,000 computers and servers, and publicly released completed and unreleased movie films, unfinished movie scripts, embarrassing emails, and salary data and Social Security numbers for 47,000 employees.

The event represented another loss in the hundreds of millions.

After the 2011 breach, we might ask, “Did Sony have second thoughts about what it should spend on cyber security?”

The evidence is not comforting, at least when we consider a lengthy July 2015 investigative article in “Fortune” magazine that documented a failure in the risk management culture at Sony Pictures.

A few days before the attack, Sony requested a meeting with a “threat-intelligence” firm to discuss protecting Sony against computer and system hacking.

A four-man team from Norse Corp. were sent to a room in the IT building that had unattended computers logged in to Sony’s international data network.

The magazine learned Sony Pictures assigned only 11 people to its information security team. The team consisted of a senior vice president, executive director, three directors, three managers and three information security analysts.

The presence of two high-ranking officers on the team seems to indicate top management interest in cyber security, but “Fortune” described problems with the personalities of Sony leaders and conflicts between U.S. and Tokyo executives.

The presence of only three security analysts seems to be inadequate for such a complex and visible organization, with 6,000 employees, $7 billion in revenues and dozens of subsidiaries and joint ventures.

At this point we could analyze the problems and suggest solutions. That would be redundant.

Suffice it to conclude that Sony needed a stronger and more proactive risk-awareness culture in 2007, 2011 and 2014. We don’t know if changes have been made. We can offer encouragement that is good advice for any organization evaluating its cyber risk management activities.

“Sony, don’t pay for a landslide but buy enough ballots to win.”

More from Risk & Insurance

More from Risk & Insurance