Top Ten (Eight) Lessons To Be Learned From The 2014 Sony Hack
It’s approaching three years since the November 2014 hack against Sony Pictures Entertainment grabbed headlines and since then, stories of information theft, computers being held hostage by malware, data leaks and the like seem as though they are becoming more of a part of the everyday fabric of our digital life, not less. For this reason, it seems prudent to embrace the time honored “top ten” list tradition and provide you with ten (okay, only eight) considerations to keep in mind for the health and welfare of your digital life, whether at home or at work. Here they are, in no particular order:
1. If You Don’t Want It Leaked, Don’t Write It
Your mom was right when she said not to say anything if you have nothing nice to say. No matter what the marketing materials may say, there really is no such thing as a perfectly secure communication. Even your million-bit encrypted, billion dollar secure e-mail system is vulnerable to the Mark 1 eyeball if you forget to log out of your computer while you go to lunch. So before you put anything in writing, ask yourself what would happen if someone other than the intended recipient saw it – if the answer is “nothing good,” then don’t write it. More than one Sony executive learned this the hard way after their questionable “private” email comments were made public.
2. Sometimes The Old Ways Are Be Best
Although I don’t think vinyl sounds better (please don’t throw anything at me), analog is still sometimes better than digital. If you’re not sure about whether to put something in writing, that’s probably a good sign you shouldn’t – consider picking up the phone and making a call or, I know this is radical, walk down the hall and have a face-to-face conversation instead. Sure, your phone could be bugged or your conversation could be videotaped by a cell phone – see above as to no communication being perfectly secure – but in this day and age it’s more likely that a security breach occurs on a digital level rather than an analog level.
3. Hoarding Is Not A Good Thing
The delete button is your friend. Sometimes there are confidential or private documents that cross our desks and, depending on where you work, this could be a very common occurrence. However, that doesn’t mean that you have to keep those documents around once you’re done with them – if you don’t need them anymore, don’t just tuck them away in a corner of your hard drive to be forgotten: get rid of them (assuming you’re allowed to). One of the (many) issues revealed in the Sony hack was that Sony had employee social security numbers scattered around between hundreds of random documents. There was zero reason for this, just the regular accumulation of digital trash that people didn’t bother getting rid of after they were done.
4. Hiding In Plain Sight Doesn’t Always Work
Just because it’s digital, doesn’t mean it can’t be hidden. Much like the stereotypical warning that “password” shouldn’t be your password, you also shouldn’t label your folder containing your unencrypted passwords as “passwords.” And yes, that is exactly what at least one person at Sony did. If you have a list of passwords or something else private that you’re keeping around “just in case,” call it “Aunt Ronda’s Secret Sauce Recipe” or bury it in a folder filled with hundreds of expense reports. It’s certainly not the best solution, but if you have to keep it at least make it a little harder to find.
5. Nothing Stays Forever
Just because it’s digital, doesn’t mean it is permanent. One of the unique aspects of the Sony hack was that the hackers not only stole materials, but destroyed some materials as well. Backups are important and should always be maintained. And not just one backup, but a backup of that backup – preferably one that is offsite and not connected to the internet. Keeping all your backups in one place and connected to one another is, to be put it bluntly, a recipe for disaster in the event of a hack or intrusion. Also, if it’s so important and critical that you can’t possibly live without it, actual paper has long served the human race as a means of storing information.
6. All Or Nothing At All?
If you’re running a business and thinking about imposing policies as to how your employees use your company’s electronic resources (e.g. computers, internet, and social media), consider that if you are too lax these policies will be useless and if you are too strict the policies will either not be followed or make it impossible to work. The Goldilocks approach is probably best – recognize that there is nothing that can provide you 100% protection (see numbers one and two) and focus on imposing policies that reduce the significant risks, such as protecting against downloaded attachments or putting restrictions on the ability to install programs (or apps).
7. The Boy Scouts Still Have It Right
Fire drills are mind numbing and boring, which is exactly the point. Once you’ve done the hundredth drill of your life, it’s become so mundane that – hopefully – if it ever comes time to actually evacuate for a fire, your body and subconscious will know exactly what to do even if your active mind is in panic mode. Consider implementing something similar for what to do in the event of a data breach. Do you know how to lock down your computer? Who to call? Who to notify? How to continue operations afterwards? It is almost always better to anticipate than to react, so if you can put an “action plan” or “exit strategy” (or whatever other corporate buzzwords you want to combine) into place and drill yourself (or your employees) on the process, you’ll be better equipped to respond in the event digital disaster strikes.
8. Always Assume You’re Next
The golden rule, summing up all the previous items of advice, is to simply operate as though you are 100% certain you are going to get hacked on any given day. We wear seat belts even when we’ve never been in a serious accident because we recognize that at any given time we could be and so should be ready. The same applies to digital security – if you are diligent in living your digital life in a way where you anticipate being hacked, then it’s much more likely you’ll walk away with minimal harm than if you wait to figure out what to do until that desperate moment where you try to react to your digital life being thrown out into the public eye.
If you’re involved in a lawsuit or risk management and have any questions regarding current or potential legal issues, we would urge you to contact an attorney as soon as possible to obtain advice, guidance and representation. At Baker, Keener & Nahra, we have the experience, skill, and drive to get the best possible results for our clients, no matter the size of the case or the scope of the problem. So if we can be of any assistance to you, please contact us and let us know how we can help.