Lessons you and your business can learn from the Sony hack

Q: One of the things I keep hearing about because of the Sony hack is encryption, but how exactly do I get it setup for my business?

There isn’t enough space in this column to cover all the lessons that can be learned from what continues to come out of the Sony Pictures massive hacking event.

The use of encryption is a big one because it can provide an excellent level of security even if cyber thieves make off with thousands of sensitive files via a compromised computer.

Anytime everyone has access to everything on a business network without any real security, hackers need only compromise one user to wreak havoc for everyone (the likely scenario in the Sony hack).

Encryption acts as another security barrier that will generally cause the hackers to move on because of the time that it will take to break the encryption.

Encryption technology is built into most operating systems. Windows has BitLocker for workstations and servers while Mac OS X has FileVault or you can use encryption programs from many third-party companies.

But before you make any decisions to start encrypting your data, you really should review all of the options, pros, cons, security and backup measures to make sure you don’t inadvertently lock yourself out of your own data. Encryption strategy needs to be thought through, so make sure you consult your IT support group before you get started.

Another simple step that Sony could have taken to protect data was to create individual passwords for sensitive data files. Just about every type of business program you use has an option to password protect the individual files. Sony had 140 clearly labeled, but unprotected, password files that contained thousands of private passwords, a hugely embarrassing technical faux pas!

First off, saving a file that has the word “password” anywhere in the name is pretty much a magnet for hackers, but storing the information in plain text with no encryption or even a file password is crazy. Remember, hackers are very good students of human behavior, so scanning all files for the word password is generally one of the first things they’ll do after a break in.

E-mail has become such a liability from a security standpoint because it’s the intrusion method of choice whenever a company is being targeted. Clever emails can get even the most tech-savvy users to fall for tricks — imagine getting a message that appears to be from your CEO announcing that the company is being acquired.

If the message included a document that “explained the acquisition process” and how it would “affect your job,” you’d probably open it without hesitation.

To help employees easily sniff out fake internal e-mail messages, I’ve been encouraging businesses to consider alternative channels such as private Intranets, instant messaging or private social networks as the primary trusted resource for internal communications.