Sony is reliving the nightmare that its hacked databases gave rise to late last year, now that Wikileaks has thoughtfully published all of the leaked documents in a searchable database. Really, they are the most courteous hoodlums ever.
But anyone in corporate IT who looks at Sony and feels smug rather than there-but-for-the-grace-of-God humble could be in for an unpleasant surprise of his own. Because the truth is, all IT departments are incredibly exposed when it comes to email.
And, let’s face it, no one wants to be in Sony’s position, which currently is to have its lawyers send letters to the media asking that they not cover the story. Seriously. Sony apparently feels that its best option right now is to shame people into not talking about all the information that’s now available to anyone with an Internet connection. Sony “does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen Information,” penned David Boies in the April 17 letter, according to a report in Bloomberg News.
Getting out in front of this sort of situation is not simply a matter of stamping out the bad things that can show up in emails, things such as racist or sexist comments, illegal discussions and bad utterances about major customers. Your company can just as well be embarrassed by the emails that are simply the mundane, everyday communications of a business. There’s nothing wrong with a team agreeing to negotiating parameters before working out a contract (“We’ve got a green light for no more than $15 million, but let’s offer $10 million and see where things go”), but the publication of those discussions — even months after the deal has been signed — could alienate partners.
With all of the sensitivity inherent in the contents of email, it’s frightening to take a close look at how stunningly insecure it is. What if someone wants to sell out? Numerous people in IT have full access to the mail store. And if the messages are hosted by a third party, the number of people with the ability to leak the data soars. But let’s say all of those people are honest and incorruptible — you can still find yourself in trouble. All it takes is some reasonably convincing social engineering to trick just one of those people into granting access, which is what happened with Sony.
Of course, bribery and social engineering don’t exhaust the routes into your email. Let’s say someone in your company sends out an email to a few dozen people in which sensitive issues are discussed. How many of those people will read the email at home over a connection that is neither a VPN nor otherwise encrypted, so that the message can be sniffed in transit? Of those who do use a VPN, how many will mindlessly include the message in their next backup, storing the backup file any old place? How many others will access the message on insecure mobile devices? Now suppose one of those mobile devices is lost. And suppose it’s lost at a trade show, where your direct rivals are lurking around every corner. Or maybe someone will decide to print out a bunch of emails to read offline on the plane. Later, bleary-eyed from the travel, he leaves the printouts at an airport coffee shop.
Embarrassments like the Sony debacle are sure to hit more companies — when an attack is as successful and highly publicized as this one was, copycat attacks are all but dictated by human nature. Before it happens to you, you really need to rethink using such an insecure mechanism for communicating and cataloguing your corporation’s most sensitive and private interactions.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at email@example.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.