
Sony Hack Lesson - Sensitive Content, Get out of Email, FAST

Jan 9, 2015


An article in Businessweek summed up the main vulnerability exposed in the big Sony hack of 2014: "The simplest takeaway from the debacle pertains to e-mail hygiene. 'Apart from the gossipy stuff, which won’t matter in the long run, a lot of the sensitive information that was hacked was in e-mail or attached to e-mail'."

The Sony hack was different from previous breaches at Home Depot or Target. Losing credit card numbers and personal data of customers, while quite harmful, has remediations available. At this point, there's almost a standard response - offer freebies like identity protection services and credit rating reports - along with an entire industry and offerings to provide these services. Breaches involving customer data happen often enough that the public has pretty much come to expect them, and has also developed clear expectations of what the response will be. Not so for the Sony hack, which wasn't about stealing money from its customers, but rather about disrupting the company and exposing employees themselves, from the rank and file all the way up to the CEO. 

Stealing and disseminating Sony's internal email communications was a very personal attack, meant to hurt the people of Sony and its reputation as a whole. While most companies continuously scramble to make sure that they keep customer data secure and have plans in place to handle breaches, it seems that, like Sony, they may not have the same level of vigilance for intra-company communication and data. This begs an obvious question - did Sony have other ways in which to securely keep and distribute the sensitive information that was floating around in the company's emails? Put more generally, do most companies have real alternatives to email, especially when emergencies arise and communication security is critical?

Over 100 billion business emails are sent and received each day, and email remains the predominant method of communication at work. Emails represent the biggest security problem companies face.

The Trojan horses and malware that are embedded or linked from them, the ease with which they can be shared, the way in which one password gives access to someone's entire inbox (not to mention the ability to use that inbox to send malicious content) - are just some of the liabilities associated with emails. While digital security companies work hard to eliminate these threats, there is only so much that can be done when the technology can be overridden via human gullibility. This isn't to say that this is what happened at Sony, but generally speaking, all it takes is a legitimate-enough looking email, a recipient who thinks they are doing what they're supposed to be doing, and instructions to click on a malicious link, and hackers suddenly have created a nice little mouse hole into the house they want to invade.

 Closed Communication Systems such as Veoci are one alternative to the insecure email problem. On such systems, communication is possible only between verified identities - you will never receive an email from someone or something who isn't verified and who doesn't exist on the same system. Outsiders are not allowed - external entities have no way to inject unwanted content or communications into the system, nor can they interact in any way with the system itself without authorization. It is as if you placed all information in a room with multiple locks, and nothing in that room could be removed except by those with the right combination of keys to unlock the room. 

Of course, these systems can also become targets for hackers. But here at least, the battle is more evenly fought. Security is built into the information itself - access controls are determined before and during the creation of content, and that content is always contextualized within spheres of restriction. It simply will not exist outside the wall of the room in which it's meant to stay. Unlike email, the data cannot be easily accessed or disseminated without execution of defined, mandatory protocols.

Furthermore, the companies building these systems see security as inherent to their mission. They recruit technologists who have grown up on secure coding practices and treat security issues as highest priority, taking precedence over any other activity. This culture of security is difficult to develop. Most companies are working hard at it, and, faced with a talent shortage, many have outsourced security to consulting companies.

Email will continue to be the most common business communication medium in the world for a while to come. Our strategy is not to replace email, but to take critical, high security content and data out of the email system; notification that something is wrong will still come through email, but the information that needs to be kept private won't. Veoci and other products in this space provide an alternative that deserves serious consideration. 

While it is unclear whether Sony had any alternative communication strategy in place other than teleconferencing, the need is quite clear; for sensitive information or in a crisis, organizations need to move communications off of email and into closed systems where security and trust are guaranteed. As a product, while Veoci addresses the broader need for managing a crisis, including business continuity and disaster recovery, it de facto also provides a platform for secure communication.
