By Laura Haight
Originally published as The Digital Maven column in Upstate Business Journal on Dec 18, 2015
Early on in my newspaper career, I learned a critically important lesson: Never put anything in writing that you don’t want to see in print.
Back in the day, you might have occasionally seen: “Put clever caption here” appearing under a photo in the paper or, sometimes, something far more embarrassing. The Sony hack, while having some entertaining moments, is an object lesson in a lot that is wrong with the app we love to hate: email.
LACK OF SECURITY: Email is the technology equivalent of the US-Mexico border. No matter how hard we try to secure it or how much money we throw at it, new holes open up all the time.
Although it is uncertain how long the Guardians of Peace (GOP) had been in the Sony network or how they accessed it, tech analysts suggest that an email phishing scam that could have been as much as a year old was the root cause.
The security weaknesses are exacerbated by the importance email has assumed in our personal and work lives. In many ways, it’s replaced personal communications. In the workplace, we hire, fire, discipline and reward by email. We share plans, projects, and proposals.
OVERUSE: Every day, there’s a new revelation from the Sony server hack: Mark Cuban (a billionaire several times over) is ticked off about how much he was paid on Shark Tank; C-level execs are obnoxious, entitled and racist; and, oh here’s a shocker: the Academy Award-winning Jennifer Lawrence was paid less than her male co-stars on American Hustle. There appears to be nothing that we won’t discuss in an email.
Our relationships with employees, customers, clients, vendors and suppliers are often fragile. The fact that we conduct these relationships largely through emails does little to strengthen them.
We have trained ourselves to prefer email over personal contact. No time for a meeting? Just make that assignment over email. Too busy to take a call? Put it in an email. Collaboration? That often takes the form of getting more people involved in an email thread.
LACK OF ACCOUNTABILITY: Because of its importance, we never delete it, keeping mailboxes with terabytes of historical data on vulnerable cloud-based servers. And despite the mission-critical nature of our emails, individuals and businesses do not treat email security with the same level of importance as anything else. If any employee stole company records and handed them off to a Russian criminal enterprise, they would most likely be fired. But if they don’t follow password security policies, and the same end result occurs, they are likely held blameless. Lots of harm, no foul.
By now it should be clear to us all that technology alone cannot be counted on to police itself. Sony spent millions of dollars on security and still lost everything, most likely because a malware program was activated by a user or users who fell for a phishing scam.
I often find myself repeating things that sound awfully basic. But before we can master the more complex opportunities and challenges that technology presents, we need to master the basics — like the five points below. And, clearly, that remains an issue.
Establish a password policy that requires strong passwords and changes every 30 days.
Train employees on phishing. Most of the major hacks that make headlines were enabled because of successful phishing.
Make sure you are running virus updates and malicious software (malware) removal scans. The virus updates should run daily and the malware scan should be run at least monthly, although in some industries weekly frequency wouldn’t be overdoing it. If you have a client-server network configuration running with Exchange, you can set these tasks to run in the background. If not, you may have to run them manually. Do it even if your computers appear to be running normally.
Do not allow employees to connect to work networks through unprotected personal computers. Virtual Private Network software can control this with policies. The same is true of mobile devices. Limit access to trusted devices.
No matter how small your business, have solid written and signed policies for password requirements, computer use, and email use. Treat them like any other policy: train employees on the procedures and why they matter, and discipline those who violate them.
Although systems that can programmatically enforce policies like these are important, the key to security is training first, then making employees responsible and accountable for their actions. All the systems in the world can’t protect you from an authorized user. Just ask Sony.