After this recent turmoil, you would be forgiven for thinking that Sony's finances would be reeling. However, this is far from the case: indeed, the Japanese giant's share price is 135 points higher (Dec 1st 2014: 2640, Jan 29th 2015: 2775) than at the start of a seemingly disastrous December. Perhaps the breaches might finally act as a wake-up call to the large collection of companies with insecure networks, looking to avoid the weeks of continued bad publicity. However, if a corporation can sustain such a strike and overtake their previous share price in only 50 days (Dec 5th 2014: 2677, Jan 23rd 2015: 2737), then is there really an incentive to invest in cyber security?
The security issues at Sony are anything but recent: in 2011, 77 million customer accounts were spilled over the Internet in a much-publicised breach. At that point it was discovered that employees were using passwords such as “s0ny123” (not an uncommon practice), and that account details were stored unencrypted. After Sony claimed outage costs of $171m and faced mass criticism for the week-long delay before informing customers, you would expect security to have become a greater priority three years later.
There are no simple solutions. Sony is a large, multinational corporation with a network stretching across the globe, accessed by hundreds of thousands of employees. Ensuring total security is impossible and intrusions are naturally bound to happen. However, there does seem to be an underinvestment that needs to be addressed: Sony shall continue to be targeted until their defences are improved.
I have some sympathy with their rationale. Security decisions are a cost-benefit analysis: why implement a defensive measure costing £500 if you only stand to lose £400? Whilst Sony have been dragged through the papers and ridiculed by the security community, if their shareholders care that little about the incident then it makes little economic sense to change policies.
At least we can hope that the new EU General Data Protection Regulation shall alter the equation for European firms: a €100m fine would surely make an executive think twice about connecting an insecure USB stick. For companies to take security seriously it must affect their bottom line and unsettle their shareholders; currently the incentives just don't add up.