Sony Pictures is intending to spend $15 million on security defences after the 2014 attack tore the company’s defences apart.
In its financial statement, for Q1 of 2015, Sony Pictures said that it is expected to include approximately $15 million (1.8 billion yen) in investigation and remediation costs relating to the above-mentioned cyber attack.
Chris McIntosh, CEO of ViaSat UK, said: “Sony spending $15 million on cyber security shows that it has learned, however painfully, that data is more than ever most businesses’ most valuable asset.
“However, money on its own won’t help – organisations such as Sony need to develop a clear strategy and approach to what they secure, and how they secure it. At an operational level, this means having both the right technology and the right education: the most expensive, hi tech security solution is absolutely useless if employees don’t know how to use it, or why it’s so important in the first place.”
The statement said that Sony Pictures was unable to close its financial statements for Q3 within a timeframe that would have permitted reporting of actual results for the Pictures segment as part of the announcement.
Alex Fidgen, director of MWR InfoSecurity, told IT Security Guru that throwing money at the problem will not necessarily work unless the security programme is very well structured.
He said: “Our observation is that good companies tend to achieve 50 per cent effectiveness on budget spent, because they don’t focus the budget on the right areas. It is now unrealistic to be able to protect an entire organisation against attack, but it is realistic to be able to protect key assets from attack.
“The main failure of large budget programmes is that they tend to incorrectly identify groups of controls that are incapable of protecting the assets against a set of overlooked attack type or methods.”
He claimed that Sony will see the benefit from this increased budget, as long as they have methodically linked the control groups to the correct attack types that are represented by the types of threat actors motivated to attack Sony.
In its financial statement, Sony said that as a result of the attack, sales are expected to have decreased 11.7 per cent year-on-year, and the expected significant decrease in sales on a US dollar basis is primarily due to a decrease in sales for Motion Pictures and Television Productions.
It said that the expected decrease in Motion Pictures sales is due to significantly lower home entertainment and theatrical revenues, while the expected decrease in home entertainment revenues is due to fewer major home entertainment releases in the current quarter.
It was reported last month that the costs associated with the cyber attack will be completely covered by insurance, with Sony CEO Michael Lynton not elaborating on an estimate for the costs for the entertainment arm of Sony, but he said it was “well within the bounds of insurance”.
Rik Turner, senior analyst at Ovum, said: “Of course they need to spend, if only to convince shareholders that they’re really doing something
this time around. It remains to be seen whether they are also implementing the processes and bringing in the people to truly enable greater security.”