In late November, a large number of internal documents and spreadsheets containing information on Sony Pictures’ employees and senior executives was leaked to the public. While a flurry of stories and rumors continues to be published, there are several key takeaways for law firms.
As a former IT Specialist for the United States Navy and a Certified Ethical Hacker, these sorts of situations are unsurprising to me. But as these events continue to hit closer to home for a lot of folks, security must be considered a priority for any business.
Establish email etiquette & use encryption
On December 8th, the email archives of the president of Sony Pictures Television and Co-Chairman of Sony Pictures Entertainment were leaked. A quick Google search will net you plenty of opinion pieces and allow you to read everything that was said. In the end, some very unkind things were said about some high-profile actors, and the world found out about it.
This is comparable to bad-mouthing a client and then having someone paste it all over the internet. No one wants to be talked about behind their back. The obvious lesson here is: do not write something in an email if you wouldn’t want it made public.
In the legal industry, however, this isn’t always possible. Firms often have sensitive information to convey and sometimes email is the most efficient way to communicate. If this is the case, turning on your email encryption is an absolute necessity.
Now, according to some reports, it appears that encryption was actually used at Sony Pictures; however, three encryption certificates had been protected with the password “password,” which is pretty much the worst password in history. Encryption is only as strong as the password protecting its keys: if you want privacy, use encryption with a strong password. If you are not going to turn on encryption, expect someone to intercept your email.
Secure your passwords like you would secure an important key
Let’s face it, most of us have a folder somewhere on our computer, phone, or even a shared drive that holds a list of all our passwords. Some of us have named it something boring or non-descriptive, but we all have a list somewhere. The following picture is a screenshot of the system of the IT director at Sony Pictures:
This is an excellent example of how NOT to save your passwords. Storing confidential data on your computer systems has always been a risk. The ease and anonymity with which a hacker can gain access and steal digital information has increased dramatically over the years, and the internet ensures we are now all constantly connected. So how do we mitigate this risk we all seem to be in?
In short, treat your passwords and password files like you would a key to a treasure box. Instead of keeping your passwords under your keyboard, generate a “Master Password List” and keep it in a manila folder inside a fireproof safe. If you forget an important password, you still have secure physical access to it. Remember, the key here is to remove the ability to steal your information via computer systems. Never, ever keep your master passwords on a digital device, and that includes your phone.
In the case of Sony’s hilarious password management system, where there are thousands of passwords to manage, consider using password management software. There are many products out there, and some are built to actually steal your passwords, so do your research and ask your IT department whether they can recommend software that will help. Just remember: do not keep the master password to that software on any system; keep it in physical form in a hard-to-reach place.
Consider cybercrime insurance & a disaster recovery plan
On December 16th, Sony Pictures activated its “cybercrime” insurance, which provided 65 million dollars in coverage. While this may seem like a hefty chunk of change, we know that Sony Pictures is well in the hole for over 100 million, and the lawsuits are quickly rolling in, adding more to that number.
Having cybercrime insurance was a great decision on Sony’s part. But what about the disaster recovery plan? With today’s technology, your business could burn down and, with one phone call, you could have every piece of your system virtualized and running in the cloud while you rebuild. Technology is advancing rapidly, yet not many businesses are utilizing the disaster recovery plans that can be put in place.
One of the lessons I learned from my time in the US Navy is that you must ALWAYS be prepared for a disaster. The military is built on the idea of disaster recovery. If a ship were to go down, how would we move forward, protect our other assets, and still be attack-ready?
One of the recommendations I give to all my security-conscious clients is to review their Disaster Recovery Plan annually. Creating a checklist for the different disasters that may happen is the single best piece of advice I have to give. When crisis hits the proverbial fan and you need to act now, chances are your brain is going to shut down and enter fight-or-flight mode. Having a checklist in place to deal with any disaster will ensure downtime stays low and profits stay high.