Sony data breach shows downsides of cloud storage

Sony Pictures has recently found itself dealing with the effects of a massive security breach involving huge amounts of private data, relating to both employees and household names.

Hackers are reported to have stolen and published online the Social Security numbers of 47,000 current and former employees along with others who have links to the company including Sylvester Stallone and Judd Apatow.

The attackers also accessed Twitter accounts, defaced Sony related websites and leaked movies that have yet to be released.

In recent years more and more of our data has migrated from local storage to cloud storage. Undoubtedly this evolution has provided us with many benefits, not least of which is our ability to access our personal data across multiple devices and on the move.

Today we move seamlessly between laptops, mobiles and tablets, updating, editing and accessing without a break in service.

The problems faced

However this convenience and capability also presents organisations with challenges in keeping information secure and as we can see from data breaches there are downsides that represent a serious cause for concern.

In an effort to tighten up on systems stakeholders including regulatory bodies such as the European Commission have sought to establish standards for objectives, controls and guidelines in protecting personally identifiable information (PII).

Addressing the Issue

Businesses that use cloud storage providers to hold customer data in the cloud or those who provide data to external stakeholders should be focused on ensuring this data is stored securely.

They may very well wonder just how safe this information is and seek assurances about third parties’ system integrity.

While it is difficult for any organisation to protect against a concerted attack, attempts at strengthening data process are extremely welcome.

In July 2014 the Internal Organization for Standardization (ISO) introduced ISO 27018, a set of standards and guidelines relating to cloud storage providers.

Currently ISO 27001/27002 sets out standards relating to the protection of a business’s own data security.

This is the principle standard for information security and it is the most popular but the new guidelines (ISO 27018) will address public cloud storage providers – increasingly relevant as specialist third party providers host and manage organisations’ data.

The new standards take the controls laid out in ISO 27002 and adapt these for third party providers.

For companies undertaking the analysis of their security procedures it is recommended that the ISO 27001 Information Security Standard is considered as this looks at the main components of information security, however the more niche standards such as the ISO 27018 should be looked into if the aspect covered plays an important role in business operations.

What next for Sony?

The latest incident at Sony represents another bad data episode and follows on from a previous attack in 2011 on its PlayStation Network. That incident has resulted in the company agreeing to a $15m preliminary settlement in July of this year.

The cost of this latest breach is likely to be considerably higher with the financial cost encompassing litigation from those affected and fines imposed by regulatory authorities for any failures in internal controls.

If you would like more information regarding the ISO 27001 Information Security Management Standard or would like advice regarding a particular element then please get in contact on 01905 670 303 or by email on info@isoqsltd.com

ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.

Primarily working with clients throughout the whole of the UK and Ireland, ISO Quality Services Ltd also cover Europe and the UAE.

Do you want to get ahead of your competition? Win more tenders or save time and money on reoccurring issues? Contact us today!