Sony's Security Snafu: How Other Companies Can Make Hay of Its Total Cock-Up

Last Updated May 3, 2011 1:39 PM EDT

With yet another potential security breach of nearly 25 million user accounts, Sony (SNE) has really stepped in it. Attackers may have stolen 12,700 credit card numbers and 10,700 direct debit records, which means bank account numbers. But the utter mess that Sony made of its data protection is potentially good news for companies that want to capitalize on real, not pretend, data security.

To call Sony's response inept would be an insult to inept corporations. First, the company pretended that its online service was down. When Sony finally admitted a breach, management said that no credit card numbers were compromised. Now the breach is even larger, stretching to nearly 100 million accounts, and credit card and bank account numbers are involved.

Anyone believe that no other losses will appear? And why, in heaven's name, did Sony wait until Sunday to say it would improve security? Wouldn't you think that it might have decided better measures were a good idea immediately after it learned about the break-in? (And how did additional people break in if Sony shut down its entertainment network as it claimed?)

Sony is no outlier
Unfortunately, Sony is no anomaly. Many companies have fallen prey to hacking. That's why 85 percent of consumers think that online fraud is getting worse. People are losing faith that corporations can safely hold data.

That opens the possibility of addressing that fear as a way to attract customers. Unfortunately, some companies are trying to take advantage of the Sony break-in, but in the most shameful ways. Look at the press release that Equifax is currently circulating, suggesting that consumers need a credit monitoring program in addition to contacting their financial institutions and putting a fraud alert on their credit files. This is disingenuous for a number of reasons:

  1. Equifax is only one of three major credit reporting agencies, so it isn't privy to all activity.
  2. As I learned from editing the book The Complete Idiot's Guide to Recovering from Identity Theft by expert attorney Mari Frank, you need to place a credit freeze on your accounts, not just a fraud alert. That prevents anyone from opening new accounts.
  3. Credit agencies only know of fraud after creditors report it. Properly working with financial institutions is the only way to stop what might be happening now. By the time the agency hears of a problem on an existing account, it's too late.
  4. There are so many other potential ways that criminals can implement identity theft that contacting financial institutions and getting your credit reports may be only the start of a much longer process.
There are no quick solutions for identity theft after it happens, and fixing a problem can take anywhere from months to years. It literally does take an entire book to lay out the complexities and the steps you might need to take.

Equifax has taken what seems a cynical approach. Yet it has the right idea, given that story after story of security breaches does open an opportunity for companies to address consumer concerns. To take advantage, though, management needs to understand that to consumers, security simply doesn't exist:

  • You can only implement security in advance. Once data is compromised, it's gone and you can't get it back.
  • Consumers must take the word of companies about their security, because there is no independent way to verify it.
  • Given the range of organizations -- including supposed experts in security -- that have fallen to exploits, there is no way to know in advance which ones actually implement the security that is necessary, so consumers can't even make reasonable guesses.
The advantage to a company is to convey to consumers how it really is different. That would take three steps:
  1. Concentrate the resources necessary to build reliable security, not just a verisimilitude of it. That doesn't mean installing security products, but changing IT practices and infrastructure to practice security. (Yes, someone really does have to install all the security patches that come out.)
  2. Contract with consultancies to do major, regular security testing at least quarterly, and, preferably, monthly. The only way to avoid security weaknesses is to identify them before someone has a chance to exploit them.
  3. Release regular public status reports, indicating what the company has found and what actions it has already taken to eliminate the problems.
The last step would probably be the most painful for corporate egos, but given the general level of insecurity in the news, honesty is the best public-facing policy. And it is quite a goad to take the necessary steps before people learn that you needed to.

Image: Flickr user sfslim, CC 2.0.

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.