If I were a Sony executive I’d be more concerned about getting punched out by Angelina Jolie for making snide email comments than offending North Korea’s fearless leader, Kim Jong-un. She looks tougher.
Of course, there’s the little matter of some 12,000 CDs filled with internal data from Sony Pictures that the so-called Guardians of Peace threatened to release — a Christmas gift from your friendly neighborhood cyber-terrorists.
But Hollywood, and its ego-fueled denizens, is not cyber-central. By now, every company, large and small, should know that neither data nor email is a whisper but rather a shout that keeps echoing. This latest breach not only reveals a massive gap in cyber security, but a lack of common sense on the part of seasoned business executives who should know better.
Therein lies the tale of data defense dysfunction.
Cyber security is easier said than done given the stealth with which recent hack attacks have been carried out and our inability to catch those responsible. But how a company conducts itself before and after an attack says a lot about it. A measured but focused response is critical to preserving the brand as well as an organization’s relationship with customers and employees.
Allow me to start with some simple advice – shut your mouth. Email is possibly one of mankind’s great inventions, along with moveable type and the microwave oven. But it is also one of the most abused and easiest to infiltrate. E-blabbing about things that are not for public consumption, like what you think of your colleagues, employees or certain actresses, is a disaster waiting to happen.
If you feel compelled to gossip like a 10-year-old girl, pick up the phone. Better yet—don’t! It’s time we recognize that privacy is an obsolete concept.
Sony seems to be the latest poster child for carelessness, having failed to encrypt its network or even password-protect its files. In fact, the hackers reportedly found a file in Sony’s system entitled “usernamesandpasswords.” Furthermore, employees were told to put passwords into simple Word documents — a bad practice for any business.
To quote a favorite movie character, “stupid is as stupid does.” Or, if you’re fond of movie titles — “Dumb and Dumber.”
To make matters worse, Sony’s legal department threatened news agencies with legal action if they released sensitive employee data. If you must unleash lawyers, make sure they are closely watched and edited either by corporate communications experts inside the company or by outside crisis management firms hired to do damage control. Attorneys negotiate deals. They don’t deal with crisis situations, and trying to censor the press will only anger the very people whose favor Sony usually tries to court.
And remember, you may not be the only one to lawyer-up in this situation. According to experts, Sony could conceivably be the target of lawsuits for not adequately protecting consumer and employee information.
Even under the most innocent circumstances, no business should rely solely on email communications. There are times when picking up the phone or having a face-to-face meeting is essential. Email simply can’t convey emotions, intent or tone, and there is simply too great a chance for miscommunication.
Moreover, when companies tell consumers and employees that they did all they could to prevent a breach, they are starting to sound a bit disingenuous considering the fact that these attacks continue and increase in severity.
A best practice is for the industry to improve its cyber defenses. Start an internal investigation of IT systems before something happens — a pre-emptive strike if you will — and establish an ongoing program to fix potential holes in the system and make vendors aware of their own security gaps.
Solution: Limiting Access
Limiting access may include limiting employee access to the network. Employees who use their own mobile devices—smartphones or tablets—can be a risk, because those devices constitute unsecured communications. In essence, the very people you’re trying to protect can be the weak links in your system. Furthermore, experts recommend that companies — especially smaller businesses — upgrade to business-level security and not rely on off-the-shelf systems like Norton or McAfee to protect them.
Make the investment in data encryption technology. Tell employees they have to practice good “digital hygiene” by making sure they log out of accounts, close browser windows, and remain vigilant by changing passwords periodically.
It all boils down to trust. Once you lose it, it’s that much harder to win it back. As one industry expert noted, think of data breaches as “the product defect of the new Millennium.” Only problem, it’s not something you can recall.