News emerged this morning from Sony that it plans to spend $15 million on cyber security defences, only months after suffering a devastating cyber attack.
The financial statement says that Sony Pictures forecasts 890 billion yen ($7.6 billion) in total sales, which makes the $15 million outlay on defences look tiny against an attack that shut the company down and forced employees to work with pen and paper, off the corporate network.
Andrew Barratt, European managing director of Coalfire, told IT Security Guru that the amount is a “painfully small amount when you look at a company that generates billions ($) in revenue per year”, and he suggested that $15M out of $8BN is less than one per cent.
So how much can you spend to get yourself out of danger? Is that even possible? We asked some industry minds what they thought of the news.
Andrew Kellett, principal analyst, security at Ovum
“Several horses have already bolted, but to continue with that analogy, Sony failed to repair the fence after the first one escaped and the security vulnerabilities remained. Beyond that the “spend more on security” approach has to be seen as reasonable.
“Our research shows that just over 50 per cent of organisations have plans to spend more on security this year, 40 per cent plus will spend at least the same. Only seven per cent think they can afford to spend less and I would really like to know who they are.
“That said, Sony also needs to focus spending on their security intelligence and security management activities to try to ensure that the embarrassing elements of the last security breach are not repeated.”
Russ Spitler, vice president at AlienVault
“Sony Pictures had a gross revenue of $8B for the fiscal year of 2014. Assuming this $15M number is a quarterly budget and not a one-time cost, that brings their projected annual cyber security budget up to $60M for 2015. With the assumption of about 3.5 per cent of revenue spent on IT (according to Gartner) this means they are spending $60M out of a total IT budget of $280M bringing them to about 20 per cent of their IT budget spent on security.
“This is in line with the best out there (financial services), if it is a one-time cost then they are spending about five per cent of their IT budget on security which is the industry average (also according to Gartner). However, when increasing spending then other issues may arise as Sony tries to expand its internal expertise.
“It is a great start, however it is not an indicator that they will be able to successfully migrate that transition. They obviously have a big hole to dig out of and a lot of technology to get in place, but you would hope of all the executive teams out there, this one knows the personal price of poor security and has good motivation to see this effort through.”
Dave Larson, CTO at Corero
“Organisations like Sony that rely on conducting their business online must respond to this escalating cyber threat proactively, with dedicated solutions for proper mitigation. Specifically, investing in proactive technical defences against DDoS attacks and cyber threats to prevent attackers from achieving their goal of disrupting or compromising the business should be a key driver in cyber security spend within the organisation.
“Beyond the investment in security solutions, reactive response plans should be developed and put in place to minimise the disruption caused by an attack that penetrates your defences – or is suspected of compromising your systems.”
Rob Sobers, director at Varonis
“There are certain technology problems that you can simply throw money at. For example, if you want to make your server run faster, you can load it up with the best solid-state drives and gobs and gobs of RAM. Voila! Faster server.
“You absolutely cannot, however, buy security. Investing in security technology and in staff is extremely important, but behind that investment needs to be a sound methodology for protecting your company’s data. Time and time again we see companies with excellently equipped security teams fall victim to very basic, unsophisticated vulnerabilities, like accidentally emailing a sensitive file to the wrong person.”
Bob Tarzey, analyst and director at Quocirca
“According to the figures, the remediation costs are dwarfed by expected loss of sales. That said, it is not clear what the “remediation” costs are for, is this just clearing up the mess or actually improving security? Anyway, it may be closing the stable door after the horse has bolted, but then if you are planning to buy another horse, it still needs doing.”
TK Keanini, CTO of Lancope
“The cost of this incident was massive and $15 million is a good start when you consider a single movie may cost much more than this to produce. Let’s not forget that this is just Sony Pictures; there are also loose ends to shore up across the Playstation Network, as it was down during Christmas day as folks tried to play their new games.
“Businesses worldwide need to stop and really pay attention to what happened here from a business perspective. Consider the threat and ask yourself what you have in place today to ensure business continuity when this inevitably happens to you. We as a business, as partners, as consumers are all facing a very real threat and all must do our part to raise the cost to these adversaries.”
Mark James, security specialist at ESET
“Having the money available is great, but it needs to be used in the right way and that includes making sure staff are educated on good policies and practices – just throwing huge sums into security is only one part of the solution. It is good to see them investing in securing our data, as long as a good portion of this money is being invested in staff training and education along with making sure that data is properly encrypted and continually monitored.
“Whilst £15m seems a lot of money, when you take into account their earnings for the year it is a relatively small amount, but nonetheless it makes a very good statement of their intentions, and as Sony relies on its customers to make its money, protecting our data should be one of its most important jobs.”
Tim Erlin, security researcher at Tripwire
“When it comes to security, the proof is in the pudding. $15M is just a number, and it could be spent on techie toys as easily as on foundational controls. It will be a long time before we know if their response was effective or not.
“While the number may or may not be accurate, it’s useful for the industry as a whole to see what cost an organisation like Sony puts on this kind of incident.”
Martin Lee, cyber crime manager at Alert Logic
“Published incident costs are only part of the whole cost. Companies need to consider the indirect costs of loss of reputation following a breach and the loss of sales as consumers and partners prefer to take their business to organisations that are perceived as being at lower risk.
“Spending a fraction of the amount that may be spent dealing with a major breach on monitoring and rehearsing the response to a breach means that when an attack is successful, the company is prepared and the incident is resolved. Otherwise, we risk spending more and more money fixing issues long after they’ve been exploited and clearing up the mess. The only people that will win in this scenario are the attackers, and the incident responders.”