Business Continuity

Sony Hack Lesson – Sensitive Content, Get out of Email, FAST

An article in Businessweek summed up the main vulnerability exposed in the big Sony hack of 2014: “The simplest takeaway from the debacle pertains to e-mail hygiene.

‘Apart from the gossipy stuff, which won’t matter in the long run, a lot of the sensitive information that was hacked was in e-mail or attached to e-mail’.”

The Sony hack was different from previous breaches at Home Depot or Target. Losing credit card numbers and personal data of customers, while quite harmful, has remediations available. At this point, there’s almost a standard response – offer freebies like identity protection services and credit rating reports – along with an entire industry and offerings to provide these services. Breaches involving customer data happen often enough that the public has pretty much come to expect them, and has also developed clear expectations of what the response will be.

Not so for the Sony hack, which wasn’t about stealing money from its customers, but rather about disrupting the company and exposing employees themselves, from the rank and file all the way up to the CEO.

Stealing and disseminating Sony’s internal email communications was a very personal attack, meant to hurt the people of Sony and its reputation as a whole. While most companies continuously scramble to make sure that they keep customer data secure and have plans in place to handle breaches, it seems that, like Sony, they may not have the same level of vigilance for intra-company communication and data.

This begs an obvious question – did Sony have other ways in which to securely keep and distribute the sensitive information that was floating around in the company’s emails?  Put

more generally, do most companies have real alternatives to email, especially when emergencies arise and communication security is critical?

Over 100 billion business emails are sent and received each day, and email remains the predominant method of communication at work. Emails represent the biggest security problem companies face.

The Trojan horses and malware that are embedded or linked from them, the ease with which they can be shared, they way in which one password gives access to someone’s entire inbox (not to mention the ability to use that inbox to send malicious content) – are just some of the liabilities associated with emails.

While digital security companies work hard to eliminate these threats, there is only so much that can be done when the technology can be overridden via human gullibility. This isn’t to say that this is what happened at Sony, but generally speaking, all it takes is a legitimate-enough looking email, a recipient who thinks they are doing what they’re supposed to be doing, and instructions to click on a malicious link, and hackers suddenly have created a nice little mouse hole into the house they want to invade.

Closed Communication Systems such as Veoci are one alternative to the insecure email problem. On such systems, communication is possible only between verified identities – you will never receive an email from someone or something who isn’t verified and who doesn’t exist on the same system. Outsiders are not allowed – external entities have no way to inject unwanted content or communications into the system, nor can they interact in any way with the system itself without authorization. It is as if you placed all information in a room with multiple locks, and nothing in that room could be removed except by those with the right combination of keys to unlock the room.

Of course, these systems can also become targets for hackers. But here at least, the battle is more evenly fought. Security is built in to the information itself – access controls are determined before and during the creation of content, and that content is always contextualized within spheres of restriction. It simply will not exist outside the wall of the room in which it’s meant to stay in. Unlike email, the data cannot be easily accessed or disseminated without execution of defined, mandatory protocols.

Furthermore, the companies building these systems see security as inherent to their mission. They recruit technologists who have grown up on secure coding practices and treat security issues as highest priority, taking precedence over any other activity. This culture of security is difficult to develop and most companies are working hard at it and faced with a talent shortage, many have outsourced security to consulting companies.

Email will continue to be the most common business communication medium in the world for a while to come. Our strategy is not to replace email, but to take critical, high security content and data out of the email system; notification that something is wrong will still come through email, but the information that needs to be kept private won’t. Veoci and other products in this space provide an alternative that deserves serious consideration.

As a product, while Veoci addresses the broader need for managing a crisis, including business continuity and disaster recovery, it de facto also provides a platform for secure communication.

Photo credit: ABC News

Terms       Privacy      Sitemap

© 2011 - 2023 Veoci Inc. All Rights Reserved. Veoci is a registered trademark of Veoci Inc.