Rethinking Email Security After the Sony Hack
The Sony Pictures hack didn’t only stop business for one company, it put IT professionals on official notice. CIOs and CTOs were likely overwhelming their staff with new task items to ensure their organizations weren’t prone to such an attack. Yet, the biggest revelation in the Sony Pictures recovery is that the emails of its executives were leaked with data that should have been secure, private and protected.
But there is a dark side to email. Email was not designed to be secure; it was designed to transmit the written word with the least amount of barriers. That accessibility makes it dangerous. Despite that knowledge, email is now an essential communication tool for just about everything: personal reminders, advertisements, newsletters, information sharing and, in some cases, sending highly sensitive information.
Security options like encryption were later added to email but when companies don't maintain or update email security, their email systems are wide open to sophisticated hackers.
Single Point of Failure
If all the email data is stored on a single server, and if that server gets hacked or compromised, then you are in deep trouble. Many employees use their inbox as a second brain. Some power users have hundreds of thousands of emails stored in one central location. This is an extremely dangerous practice that not only reduces security but exponentially increases the damage to a company if that email account is hacked – especially if that email account belongs to high-ranking people within an organization.
So what tools are available today and what precautions can you put in place to at least escape a fatal hammer blow to the system? Offloading and archiving email from the server is certainly one way to protect data.
Third-party archiving solutions are capable of classifying, encrypting and securely storing sensitive email and attachments. When combined with advanced storage media, security can be taken one step further with features such as secondary encryption and (dare I say it) offline tape storage. Users can still access, retrieve, send and search email but it will be stored elsewhere (not sitting on the email server waiting to be hacked.) Of course there is always Quantum Cryptography – the idea that a stream of light cannot be monitored without modifying it in some way. This would prevent any extraction of data (by cutting the line of light as soon as it has been touched).
One answer could be changing the protocol for email systems so they act in a similar way as messaging applications like Snapchat. This would of course limit the users to one particular system at a time but would remove some of the risk.
The New Email Etiquette
Email is still the most widely used form of communication in the world, and that is not going to change in the near future. While companies often do remind their employees to use business-like tone when they communicate, Sony's leaked emails show that such advice had fallen on deaf ears. We would never advocate that HR starts sorting or filtering emails based on potential etiquette violations but organizations might already be considering such actions to reduce legal issues.
Yet, there are practical ways to use archive tools such as Archive Manager to reduce the potential for harm. For example, IT administrators could search for subject lines with "password" or enclosed documents with "password" in its file name, remove those emails from the server and move to a more secure archive for review.
In the end, the Sony Pictures hack delivers a few lessons that every organization should learn from. For end users, organizations need to reteach email etiquette to minimize the embarrassment that Sony Pictures’ executives faced when their emails were made public. For IT administrators, it serves as a wakeup call to better secure and rigorously test their email systems from not only potential hackers but also from former employees.