Outlook

There but for the grace of God... That ought to be the reaction of executives at companies the world over to the disaster that has befallen Sony. The hack on the Japanese company has been all the more excruciating for its hopeless failure to get to grips with the problem, but in their heart of hearts, most business leaders will admit they have not taken cyber crime sufficiently seriously.
Indeed, the blue-chip names that employ the American email marketing company Epsilon – including prominent British businesses – owe Sony a vote of thanks. The attack on Sony has overshadowed the theft from Epsilon of millions of their customers' personal details.
In Britain alone, cyber crime is now costing businesses more than £20bn a year according to the Office of Cyber Security and Information Assurance, an agency of the Cabinet Office. And those who specialise in combating this sort of threat say that many of Britain's biggest companies have only the most rudimentary of defences against cyber crime. Small and medium-sized enterprises are generally even less well-protected.
One problem is that expensive technology solutions often do not cover the most vulnerable part of a business: its workforce. Setting up hacker-resistant firewalls is one thing, ensuring there is no risk of employees leaving a laptop on a train, say, is quite another.
The growth of mobile devices is potentially dangerous too. Companies' networks may be well protected, only for employees to unwittingly present hackers with an unlocked back door when using smartphones and laptops on insecure external networks. The coffee shop, with its free Wi-Fi, is increasingly the hackers' front line.
The UK Government has begun to address the problem, with increased investment in cyber security. But the true nature of the threat is difficult to assess: companies are often reluctant to admit they have fallen prey to this sort of attack and may not have to if customers' or contractors' data has not been compromised.
As a start then, the OCSIA would like to see a central reporting mechanism, so that businesses can report attacks to a single authority. That would at least give an accurate indication of what we are dealing with – and facilitate a more robust response.
Still, better information is only a start. For companies that do not take this issue seriously, particularly SMEs that might not consider cyber-security spending as cost-effective, the Sony scandal is the loudest wake-up call yet.