Sony’s reaction to the 2014 cyberattack that interfered with its planned release of the movie comedy, The Interview, is a good case study on how a cyberattack can affect a big release. Sony had planned a Christmas Day release of the comedy, which dealt with a fictional attempt to assassinate North Korea’s president. Sony had implemented some protection against cyberattacks in response to previous cyberattacks on its business, but those defenses failed to stop a late November hack into its systems that included personal threats against the CEO of the company’s movie production division. As the attack continued, Sony lost tens of thousands of stored documents, lost substantial amounts of data on internal servers and saw other servers completely destroyed. The attack culminated with threats against theaters that planned to show the movie and Sony’s decision to cancel the movie’s Christmas Day release.
Sony was sufficiently well-financed to recover from the attack. Other companies that had less adequate protection against cyberattacks did not fare as well. In 2011, the Australian domain name company, Distribute.IT, suffered an attack that destroyed the company. Earlier that year, the nine-year old company had expanded its operations into Asia and was preparing further initiatives that would continue and expand its average 4 percent yearly growth. The cyberattack, which continued for more than two weeks, took the company’s servers and systems down and prevented resellers of its products from doing any business. Customers fled from the company, leaving its founders with no option but to shut down.
The cost of a new big release can be anywhere in the range from $100,000–$1.5 million. Companies that fail to implement any protection against cyberattacks will risk losing not only those costs, but as demonstrated by the Distribute.IT cyberattack, they can also lose their entire business as news of the attack spreads and customers defect out of concerns over their own businesses and the privacy of their data. One sustained cyberattack has the potential to eradicate any big release and to impose other excess costs on a business:
- As happened to Sony, documents, data, and servers can be erased or destroyed;
- Stored customer information can be leaked, exposing a business to liability to third parties whose personal and financial information has been compromised;
- A business’s good will and reputation that took years to create can be eroded in a matter of days or weeks;
- Confidential and proprietary trade secrets and intellectual property can be leaked to competitors or generally to the public.
Before proceeding with any big release, a business should take measures to plug leaks and to insure against financial losses associated with cyberattacks. Those leaks involve more than just installing anti-virus software, which too often is one or two steps behind the cyberattack community. Businesses need a three-prong strategy for effective protection against cyberattacks.
First, actively monitor networks for suspicious third-party activity. The current hacking tool of choice is a Distributed Denial of Service (“DDoS”) attack, in which hackers overload a business’s network with simultaneous queries from hundreds or thousands of sources. These attacks cannot be prevented but the damage they cause can be limited once they are detected.
Second, prepare a plan or strategy to handle an attack once it is detected. Sony realized that its early response did not treat the 2014 cyberattack as anything more than a nuisance. Distribute.IT acknowledged that its response had positive and negative aspects, but that ultimately it wasted a lot of time with a response that was more reactive than proactive.
Third, consider procuring cyber security insurance to cover the costs of financial losses associated with a successful hack. Insurance is the last bastion of protection against cyberattacks. In a worst-case scenario, cyber protection insurance can prevent a business failure by giving the business a financial lifeline to rebuild lost infrastructure and customer goodwill.