Get Ready For The Hack Attack That Drives A Big Company Out Of Business

Two residential buildings are demolished to make way for a new business district in Wuhan, Hubei province, December 28, 2007. (REUTERS/Stringer)

I had an interesting conversation with a person in the computer security industry a few weeks ago.

This person is absolutely convinced that 2015 will be the year that some company goes out of business because they didn't plan adequately for an attack.

Normally, I'm skeptical about these kinds of stories from companies that sell security products. They have a vested interest in making things sound as bad as possible, and there's a long history of security companies hyping up remote threats in press releases.

But this person has been in the industry a long time, and consults regularly with huge, well-known companies who are buying his products (as well as competing products that solve slightly different but related problems - there are lots of ways to attack a company's computer systems). He told me some other crazy stories I'm not allowed to recount. And he wasn't hyping his product - he didn't even want to be quoted. 

Then the Sony hack happened. There have been estimates that Sony could suffer a loss of more than $100 million - and that was before a couple of former employees sued the company.

The Sony hack is different from most past hacks on this scale because the people who got the information don't seem to be out for personal gain. Instead, they're actively trying to embarrass and perhaps even destroy the company. 

Then, a report revealed that hackers basically shut down Sheldon Adelson's casino in Las Vegas in February.

So I got back in touch with this person to ask why we suddenly seem to be at a breaking point. Here's what he told me:

  • The motives of sophisticated hackers have changed from self-gain to destruction. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. Nations were generally looking for information they could use to get a military or economic edge, or to share with companies in their own countries. Criminals were generally looking to sell intellectual property to a company's competitors. They weren't really looking to destroy the company whose information they stole. Now, these sophisticated hacking techniques have started to trickle down to individuals, including "nationalistic hackers," who are less interested in financial gain, and mainly want to cause harm or seek revenge. These folks have always been around, but they're able to cause much more damage now than they were a couple years ago.
  • Company officers are only now becoming aware of the threat. Boards of directors and C-level officers are most directly responsible for risk mitigation. They have traditionally been focused on other threats - competitive threats, regulatory threats, and so on. Only in the last year or so, starting around the time of the Target hack, have they become aware of how much damage a computerized attack can cause. Previously, the decision to buy more and better security equipment was left to somebody in the IT department, and they had to convince the company to take their advice. Now, this responsibility is being kicked upstairs - but it takes time to plan a response.

Interestingly, this person didn't blame big shifts in technology, like companies moving information off their premises and into data centers run by big providers ("cloud computing"), or information leaking out on mobile devices like smartphones. It's simply that lower-level attackers are able to do what only the richest hackers could do a couple years ago.

It's hard to imagine Sony going out of business from this attack, but the casino attack actually shut down computers and wiped hard drives. Imagine a similarly successful attack on a bank. Or a health care provider.
