The best of Bloomberg

Sony after the hack: stop e-mailing, pick up the phone

“If you don’t store sensitive information, it can’t be stolen either.” Sony’s new strategy after the high-profile hack is: have your staff deal with each other directly as much as possible. Call your colleague, walk over to his or her desk. Not everything has to leave a digital trail.

Frontier Communications CEO Maggie Wilderotter had some advice for her top 10 executives last week as they discussed ways to prevent hacks like the one that exposed Sony Corp.’s e-mail secrets:

Pick up the phone.

“If employees have something sensitive to discuss, they should pick up the phone or walk over to a colleague’s desk to talk,” Wilderotter said. Among the practices she wants workers retrained to follow: deleting e-mails frequently, changing passwords every 30 to 45 days, and “never putting in an e-mail anything you wouldn’t mind everyone reading on the Internet.”

Companies such as Frontier, the Stamford, Connecticut-based provider of phone and data services, are tightening security policies as the damage mounts from the hacking attack on Sony’s computers in November. The reckoning is pushing more U.S. workers to go old-school, reverting to phone calls and face-to-face meetings. It’s also stoking a sense of self-discipline.

“I try to act as if my mom were watching me,” said Eli Romero, a 33-year-old banker at World Business Lenders LLC, who lives in New York. He’s keeping his work e-mails short and only discussing confidential information about a client in person.

“The Sony hacking makes me think twice about doing anything on an Internet connection.”

Maggie Wilderotter. Photo: Bloomberg

While corporations have long dealt with hackers going after customers’ financial data and trade secrets, the breach at Sony’s Culver City, California-based entertainment unit went much further. Leaked e-mails revealed executive pay, medical records, unflattering comments about Hollywood stars, and even racially insensitive remarks about President Barack Obama. The hack, which the FBI says bears hallmarks of North Korea, is presumed retaliation for the political comedy “The Interview.”

An Eye-Opener

“It really is an eye-opener” for corporate IT executives, said Matt Zabloski, managing director of Delbrook Capital Advisors Inc. in Vancouver, which runs two hedge funds.

“They’ve got to figure out a better way to do this or they’re going to lose credibility with the public or place themselves in an awfully embarrassing position.”

Zabloski hands each new hire at Delbrook an extensive procedure manual and warns them that leaked e-mails, even if the content they contain seems unimportant, can backfire.

“Taking that e-mail out of context, as often happens, will shine a negative light on us,” he said.

“Once that send button is hit, it’s permanent record. Sensitive data is best dealt with in person or on the telephone.”

The challenge for companies is limiting the damage of potential hacks without restricting necessary communication or encouraging other habits that may be even more dangerous.

Potential consequences

“You don’t want so many restrictions that employees move their corporate e-mails to their personal e-mail accounts, which are even more vulnerable,” Frontier’s Wilderotter said. “If you stymie communication and overreach, you can create worse consequences.”

Doing nothing isn’t an option either. Many corporate clients of Mike Denning, who heads global security at Verizon Enterprise Solutions, are increasing training about what can and can’t be published in e-mails and some are requiring that information only be shared on a need-to-know basis.

“This is becoming a board-level issue; it’s becoming a CEO-level issue,” said Denning, who is based in the Washington suburbs.

“They’re saying: ‘Could what I just read about also happen to us?’”

Even companies specializing in computer security aren’t immune from the threat. Hackers took $65,000 from the online checking account of Berkeley Varitronics Systems Inc., a cybersecurity firm in Metuchen, New Jersey, that already required complicated and frequently changing passwords.

Securer security

After the theft, Chief Executive Officer Scott Schober installed new security cameras and hired people to search the “dark Web” to see if his name or company name showed up in hacker-chat forums. The Sony attack only furthered his resolve to depend more on face-to-face conversations instead of e-mail. Just last week, he told an employee: “Some of this I’d rather just talk to you about -- I wouldn’t put this in an e-mail.”

“The irony is that our business is focused on protecting companies,” Schober said in an interview.

“It just goes to show everybody is now a target.”

Protecting data can be tricky in an age when greater access to information is encouraged. Cletis Earle, chief information officer for St. Luke’s Cornwall Hospital in Newburgh, New York, said that as federal regulations have required greater patient access to medical records, he’s urged employees to be discerning with the data shared and not transmit unnecessary personal information. He’s also urged workers to reduce the content in their e-mails to make the hospital’s network less of a target for hackers.

Free speech

That tension -- between the need for information to flow and the need for security -- shows how hackers can stifle free speech, said Thibaut de Lavergnolle, who runs a small cosmetics company in New York. It’s a sensitive topic for him, especially in the wake of last week’s terror attack against the Charlie Hebdo satire magazine in his native France.

“We could all be Sony,” said de Lavergnolle, who was standing under a giant American flag at Grand Central Terminal. While he still uses e-mail, he said he’s reminded of an expression from back home:

“To live happy, you have to live hidden.”

The best protection may simply be to not store messages, said David Zetoony, a partner and head of the Data Privacy and Security Group at the law firm Bryan Cave LLP in Washington. Following his advice, some clients are limiting storage of e-mails to 30 days and others are turning off employees’ ability to save e-mails on folders or on their computer desktops.

“If you don’t have information in your system, it can’t be taken,” said Zetoony, who says dozens of executives have called him for advice since the Sony hack.

That increased popularity is one of the few bright spots for experts like Denning, the Verizon security executive.

“No one used to want to talk to me at cocktail parties” before the Sony hack, Denning said.

“Now everybody wants to talk to me.”