Sony Hack Lesson - Sensitive Content, Get out of Email, FAST

Jan 9, 2015

Back to Veoci BlogSony Hack Lesson - Sensitive Content, Get out of Email, FAST

An article in Businessweek summed up the main vulnerability exposed in the big Sony hack of 2014: "The simplest takeaway from the debacle pertains to e-mail hygiene. 

'Apart from the gossipy stuff, which won’t matter in the long run, a lot of the sensitive information that was hacked was in e-mail or attached to e-mail'."

The Sony hack was different from previous breaches at Home Depot or Target. Losing credit card numbers and personal data of customers, while quite harmful, has remediations available. At this point, there's almost a standard response - offer freebies like identity protection services and credit rating reports - along with an entire industry and offerings to provide these services. Breaches involving customer data happen often enough that the public has pretty much come to expect them, and has also developed clear expectations of what the response will be. Not so for the Sony hack, which wasn't about stealing money from its customers, but rather about disrupting the company and exposing employees themselves, from the rank and file all the way up to the CEO. 

Stealing and disseminating Sony's internal email communications was a very personal attack, meant to hurt the people of Sony and its reputation as a whole. While most companies continuously scramble to make sure that they keep customer data secure and have plans in place to handle breaches, it seems that, like Sony, they may not have the same level of vigilance for intra-company communication and data. This begs an obvious question - did Sony have other ways in which to securely keep and distribute the sensitive information that was floating around in the company's emails?  Put

more generally, do most companies have real alternatives to email, especially when emergencies arise and communication security is critical? Over 100 billion business emails are sent and received each day, and email remains the predominant method of communication at work. Emails represent the biggest security problem companies face. 

The Trojan horses and malware that are embedded or linked from them, the ease with which they can be shared, they way in which one password gives access to someone's entire inbox (not to mention the ability to use that inbox to send malicious content) - are just some of the liabilities associated with emails. While digital security companies work hard to eliminate these threats, there is only so much that can be done when the technology can be overridden via human gullibility. This isn't to say that this is what happened at Sony, but generally speaking, all it takes is a legitimate-enough looking email, a recipient who thinks they are doing what they're supposed to be doing, and instructions to click on a malicious link, and hackers suddenly have created a nice little mouse hole into the house they want to invade. 

 Closed Communication Systems such as Veoci are one alternative to the insecure email problem. On such systems, communication is possible only between verified identities - you will never receive an email from someone or something who isn't verified and who doesn't exist on the same system. Outsiders are not allowed - external entities have no way to inject unwanted content or communications into the system, nor can they interact in any way with the system itself without authorization. It is as if you placed all information in a room with multiple locks, and nothing in that room could be removed except by those with the right combination of keys to unlock the room. 

Of course, these systems can also become targets for hackers. But here at least, the battle is more evenly fought. Security is built in to the information itself - access controls are determined before and during the creation of content, and that content is always contextualized within spheres of restriction. It simply will not exist outside the wall of the room in which it's meant to stay in. Unlike email, the data cannot be easily accessed or disseminated without execution of defined, mandatory protocols. 

 Furthermore, the companies building these systems see security as inherent to their mission. They recruit technologists who have grown up on secure coding practices and treat security issues as highest priority, taking precedence over any other activity. This culture of security is difficult to develop and most companies are working hard at it and faced with a talent shortage, many have outsourced security to consulting companies. 

Email will continue to be the most common business communication medium in the world for a while to come. Our strategy is not to replace email, but to take critical, high security content and data out of the email system; notification that something is wrong will still come through email, but the information that needs to be kept private won't. Veoci and other products in this space provide an alternative that deserves serious consideration. 

While it is unclear whether Sony had any alternative communication strategy in place other than teleconferencing, the need is quite clear; for sensitive information or in a crisis, organizations need to move  communications off of email and into closed systems where security and trust are guaranteed. As a product, while Veoci addresses the broader need for managing a crisis, including business continuity and disaster recovery, it de facto also provides a platform for secure communication. Photo credit: ABC News

Subscribe to the Veoci Blog

Receive all the latest emergency, crisis, and continuity management news, tips, and advice

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

Getting the Most Out of Real-World Exercises

Exercising a BCP is rarely as simple as the online guides suggest. A business continuity manager has to jump through a lot of hoops to get that final, show-ready polish on a BCP. They’re often chasing buy-in from each corner of the organization and bugging business unit leads and department managers to test BCPs and record the outcomes. What can a business continuity manager do to encourage the heads in their organizations to actively participate and do their part in preparing for disruptions?

Continue reading
How IT Outages Affect Businesses: Recognizing and Preventing Outages

How much damage can a business system outage cause? As is pretty clear these days, they happen often, and can have serious impact. Take, for example, Visa’s payment network outage. On June 1st, 2018, Visa’s payment system in Europe went down for nearly ten hours, halting many personal and bank transactions. The massive, complex nature of the system made it difficult to pinpoint the root cause of the outage, adding hours of downtime and many degrees of frustration for the company’s customers. After performing their root cause analysis, the company identified a “very rare partial failure” of a switch in one of their data centers as the cause of the outage.

Continue reading
Top 5 Takeaways from DRI 2019

If there was one very clear theme to this year’s DRI conference in Las Vegas, it was the importance of having a diverse community in the world of business continuity management (BCM). From the sessions to the talking points in the exhibit hall, it’s clear that the future of BCM depends on having a strong and diverse community of practitioners and leaders. Here’s our top 5 takeaways from DRI 2019.

Continue reading

Connect with us on Social Media

Join us on our journey to improve emergency, operations, and continuity management!

Veoci Facebook PageVeoci Twitter AccountVeoci Linkedin Company Page

Face crisis and continuity challenges with expert solutions designed for you and your teams.

Learn how Veoci puts you in control