Fox Business News anchor Deirdre Bolton and host of Risk & Reward recently interviewed SDI’s Cyber Risk Communications Practice Lead Frank Cilluffo on the unfolding story of the recent security breaches at Sony Pictures and Anthem. Adapted key points from the interview are captured below.

Fox: What do you make of the hack on Sony Pictures and its effect on Sony Pictures head, Amy Pascal?

Cilluffo: I think it underscores that cybersecurity is no longer just an issue for the IT division. The responsibilities and consequences are elevated to the boardroom and to the highest levels of a firm. To ensure that you can protect your company’s information, data, intellectual property, these are issues that CEOs and executives have to worry about now. Failing to do so can cost a CEO their job. And even worse, rattle shareholder and consumer confidence.

Fox: Should we be reassured or concerned that no medical information or financial details appear to have been taken in the Anthem hack?

Cilluffo: While we don’t know the full scale and scope of the incident, we do know that Personally Identifiable Information, such as birthdays and Social Security Numbers, when taken together creates identity theft issues. And the reality is that the healthcare sector has been a soft target for quite some time. They are not up to par with, say, the financial services industry and/or the defense industry, for example. We know the scale to one extent, that this has affected so many people; what we don’t know is the entire scope, and it’s worth noting that not all hacks are the same, not all hackers are the same, not all intentions are the same, not all capabilities are the same. And we don’t know exactly what’s going to unfold in the days ahead.

Fox: In the cases of Home Depot and Target, hackers received inside help, a fact that has an increasing number of companies worried about disgruntled employees and former employees assisting hackers. How big a part of the problem is this?

Cilluffo: You know the insider threat is at the very top of the list. If you have access to the systems themselves obviously that’s a step ahead of anyone trying to come in from the outside. That said, what you’re starting to see is much more in terms of insider threats being enabled by outsiders. So at the end of the day this needs to marry up the physical security, or the chief security officer, with cybersecurity, the chief information security officer, and they really do need to come together. And I would note with Anthem it is worth recognizing that they’ve clearly learned from some of the missteps and miscues from a communications perspective from some of the other high profile cases. They did come out early, they did come out competently, and clearly are trying to shape the discourse of the incident.

Fox: Anthem has acknowledged that they’ve traced this back to an outside web storage facility. It seems like everyone’s security is only as strong as their weakest link. What does this mean for companies who use outside storage in terms of security protocols?

Cilluffo: You’ve got that right, and the reality is we need to start seeing much more of what you would refer to as supply chain security, ensuring that your third party vendors are doing everything they can and should do to enhance security. There are still a number of unknown questions: was this data, were the Social Security Numbers, encrypted? I don’t know if that’s the case or if that in fact did occur; but clearly when you’re looking at third party vendors, when you’re looking at the supply chain, that is precisely what allegedly happened in the Target hack as well with an HVAC provider.

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

February 17, 2015