Last week I had the good luck to attend a long-planned roundtable discussion about the future of email and data security—and the even better luck to attend it on the very day that Sony decided to pull “The Interview” under threat from North Korean hackers.
So let’s dive into that subject, because what happened to Sony will have risk-management lessons for Corporate America for years.
The best comment of the night came early, as one guest tried to capture the frustration Corporate America feels at the hands of hackers these days. “Sony had its information stolen,” the person blurted out. “Companies need to figure out how they can get that information back.”
Everything in that sentence is wrong, which makes it so insightful. Sony had its information copied, not stolen. And there is no need for Sony to “get its information back,” because Sony never ceased to possess its information at any time. All that North Korea did was find embarrassing information about Sony and then pressure the company into canceling distribution of “The Interview.” That’s an extortion scheme, pure and simple. And the key to any extortion scheme is to find embarrassing information—which Sony had left in emails and other documents all over the place.
That may sound like semantics, but it’s crucial to understand the nature of the crime committed against Sony, and by extension, the controls and procedures a company should have in place to assure something similar doesn’t happen to you. When Target and Home Depot were hacked earlier this year, those attacks were perpetrated by thieves ultimately looking to steal goods someone else had: money in customers’ bank accounts, or products shipped to the thieves under false pretenses. At the end of those attacks, victims ended up with something they had owned no longer in their possession.
That’s not what happened to Sony at all. North Korea’s intention here was to limit how Sony could behave in the future; to curtail its strategic flexibility. Target and Home Depot lost control of what they had; Sony lost control of what it could do.
How do you inoculate a business against an attack like that?
First, train your employees in astute business practices with a fierce insistence. As corny as this sounds, the best way to avoid extortion is not to create embarrassing information in the first place—and it really does seem to be a lesson lost on much of Corporate America. For example, I suspect plenty of people in Hollywood already believe Angelina Jolie is a spoiled brat with a rampaging ego; instead of saying that outright in an email, as one mortified Sony executive did, he could have done the smart thing and simply emailed, “Give me a call, I need to tell you something about Angelina.”
An excellent counter-example is Goldman Sachs. The bank is renowned for its culture of voicemail rather than email. Yes, I know that voicemail today is stored digitally and therefore can be hacked too, and Goldman has certainly had bad publicity thanks to dumb things employees have put in email—but the company knows the risks that come with the information it has, and tries to manage that risk by culture as well as by IT security protocols. And any time you’re attacking a problem by instilling a more disciplined culture, you’re acting wisely.
Back to my dinner last week to talk about the future of email and data security. The host was Mimecast, a company that manages email storage for large enterprises. (Full disclosure: Mimecast manages email storage for Compliance Week, a fact the company did not know when it invited me.) The CEO talked about how email has evolved into a de facto data storage system for many companies. As such, it then becomes a target for hackers.
Compliance and audit executives will not have an easy time solving that problem. Humans have adapted to use email (and other electronic forms of communication) in all sorts of ways, and psychologically many people prefer email and text to the more pointed, sometimes uncomfortable world of person-to-person communication. But using email the way we do increases all sorts of risk: litigation, regulatory, financial, strategic risk. Good luck bending that curve into a better direction.
Make no mistake, Sony should have taken plenty of other steps to thwart North Korea as well. (For all my thoughts about email and company culture, for example, we haven’t even begun to address IT security around more structured data like intellectual property stored on a server somewhere.) We have whole books to write about the geo-strategic implications of a country declaring war on a country, and how you respond to that. We’ll get to all of those points in due course.
For now, however—human behavior is the root of most failures, and better behavior is the best hope against them. Sony demonstrates that in a very uncomfortable way.