The Sony PlayStation Network has now been down for 5 days after Sony shut down the system in response to an “External intrusion” late last week. Beyond that the details are still pretty sketchy, and may remain so, but the incident still carries some important lessons for Business Continuity.
The first point is to do with timing. For a leisure product such as the PlayStation, one cannot think of a worse time for a disruption than a holiday weekend. It is important therefore to factor business cyclicality such as this into your Business Impact Analysis.
Secondly, Sony is being criticised in some reports for shutting down the system pre-emptively. This seems to imply that the correct response is to try to soldier on and deny that there is a problem for as long as possible. The Crisis Management literature is full of examples of companies that have taken this route and paid an extremely high price for it: whatever the specifics of this case, the likelihood is that the outcome would have been a lot worse if Sony had delayed action.
Finally, Sony is being criticised for mentioning an “External intrusion”, thereby admitting that there were security vulnerabilities in their system. At the very least they do us all a service by publicising the prevalence of this form of crime: so long as people keep covering up these problems, little will be done to prevent them. Furthermore, to suggest that you are invulnerable serves to create an attitude of complacency and leaves an organisation wide open to attacks.