Sony hacked. Data stolen. Personal lives exposed. Interested in Judd Apatow’s social security number? Blah, Blah, Blah.
“The hack and subsequent posting…illustrate the risks large companies like Sony take by amassing years of digital records on employees and customers on machines connected to the Internet. Much of the data analyzed…was stored in Microsoft Excel files without password protection.” (Wall Street Journal, December 5, 2014)
After the hundredth major information hack, you start to become immune, or maybe underwhelmed by the magnitude. “So what if another 47,000 personal identities got swiped.” “So they know the personal info of Sylvester Stallone, no big deal.”
What can we learn from a world where there is more information than ever before, that is more connected than ever before, and that is, as a result, more vulnerable to information theft than ever before?
So here are a few truisms about the hacking reality in these times:
1. Security breaches will happen no matter how much effort is made to ensure they don’t.
2. Information matters. That is why criminal groups across the globe seek to steal as much information as possible. It’s business.
3. More businesses are being more proactive as reputations hinge upon it. Information security has become central to fiscal health. Just ask Target how impactful a serious hack can be.
4. We will become more immune to “hacking” stories, which is, in some ways good and in some ways bad.
a. Good, because we are not worried that the sky is falling, and organizations can focus on the real business of knowing where their data resides so they can lock it down better.
b. Bad, because ignoring the huge impact that some of these hacks create may portend lethargy or helplessness.
5. Security is a process, not a project. It is a marathon, not a sprint. It is an organizational activity that requires vigilance and persistence over time. Getting lazy means more bad results. From a corporate governance perspective, it is like any other activity important enough to bake into the business processes.
6. Smart organizations continually augment the ways they manage privacy, information security, corporate trade secrets and IP. That is because technology changes. Actions taken by criminals change. And the problem evolves, so your response needs to continually evolve to meet the new challenge.
7. Smart organizations take action for two reasons—one, to mitigate the risk and address the harm, and two, to insulate the company from the harm caused by the attacks that get through. In other words, the good things your organization does to prevent a hack may be used to support your company and mitigate the downside if and when your information crown jewels are hacked.
And that brings me to Information Nation: Seven Keys to Information Management Compliance and the importance of a process for better management, one which serves both purposes described in paragraph 7. Compliance methodology can save your company and act as insurance or insulation. This is why, “A corporation can act through natural persons, and it is therefore held responsible for the acts of such persons…on the other hand in certain circumstances, it may not be appropriate to impose liability upon a corporation, particularly one with a compliance program…” (U.S. Dept. of Justice)
Here are a few simple rules to help guide you:
a. Vigilance comes from having a process, so build it or augment the existing process.
b. Information Management Compliance is our compliance methodology, built on the Federal Sentencing Guidelines, which are the basis for most US compliance programs. Compliance methodology demonstrates what good corporate citizens do and can act to mitigate harm or insulate the company altogether.
c. Good corporations need to protect their reputation now more than ever by having working security programs.
d. Combining a compliance methodology with security initiatives is something to seriously consider. That way your security program can better confront the hacking your organization most assuredly will be confronted with, and can also mitigate the damage if and when something slips through the cracks.
e. Finally, getting your company better buttoned up and protected begins with knowing where your information lives, knowing who has access to it and coding and securing it according to its value.
The Sony hack is another wake-up call, even though I am not sure Sony could have stopped the intrusion no matter what security it had in place, given the complexity of the hacking. But I am sure we will have many governmental organizations seeking to answer that question. One thing I am sure of already is that when personal information or company secrets are amassed and not locked down, they will get exposed. It’s just a matter of how often and how much impact it will have. When PII of Hollywood figures is replicated numerous times in the data pool, perhaps without business justification, someone should be asking why there are so many instances of the same information and why they are not locked down. Did Sony do anything to mitigate information security risks by keeping as little as possible for as short as possible and properly locking it up? These questions too will be addressed in due time, which most assuredly will have further impact on Sony. But for today, purposeful vigilance with a plan is the rallying cry. Know your information, know where it resides, and lock it down. Your existence may depend on it.
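Rule e above (know where your information lives, who can read it, and secure it according to its value) and the question just raised (why so many copies of the same PII, and why are they not locked down?) both come down to an inventory. As an added illustration that is not part of the original post and not the author's methodology, the following Python script walks a directory tree, flags files that contain a PII-shaped token, hashes their contents to find duplicate copies, and reports which copies are readable beyond their owner. The sample files, the records in them, and the SSN-shaped regular expression are all constructed for this example; a real classifier would be far more careful than one regex.

```python
import hashlib
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Constructed detector for one kind of PII (US SSN-shaped tokens).
# Illustration only; a production inventory uses a vetted classifier.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    path: str
    sha256: str
    pii_hits: int
    readable_beyond_owner: bool  # group or world read bit set


def scan_file(path):
    """Hash one file, count PII-shaped tokens, and note its read permissions."""
    with open(path, "rb") as fh:
        data = fh.read()
    mode = os.stat(path).st_mode
    return Finding(
        path=path,
        sha256=hashlib.sha256(data).hexdigest(),
        pii_hits=len(SSN_RE.findall(data)),
        readable_beyond_owner=bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    )


def inventory(root):
    """Scan every regular file under root; this is the 'know where it lives' step."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.append(scan_file(os.path.join(dirpath, name)))
    return findings


def duplicate_pii(findings):
    """Map sha256 -> paths for PII-bearing content that exists more than once."""
    by_hash = {}
    for f in findings:
        if f.pii_hits:
            by_hash.setdefault(f.sha256, []).append(f.path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def exposed_pii(findings):
    """Paths holding PII whose permissions let more than the owner read them."""
    return sorted(f.path for f in findings if f.pii_hits and f.readable_beyond_owner)


def build_sample(root):
    """Create a constructed tree: one payroll file, two stray copies, one benign file."""
    payroll = b"name,ssn\nJ. Doe,123-45-6789\nA. Roe,987-65-4321\n"  # made-up records
    layout = {
        "hr/payroll.csv": (payroll, 0o600),           # locked down
        "backup/payroll_copy.csv": (payroll, 0o644),  # duplicate, readable by all
        "shared/export.csv": (payroll, 0o644),        # duplicate, readable by all
        "docs/readme.txt": (b"no sensitive data here\n", 0o644),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def run_demo():
    """Build the sample tree in a temp dir and return the inventory summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        findings = inventory(root)
        rel = lambda p: os.path.relpath(p, root)
        return {
            "files": len(findings),
            "duplicate_sets": [[rel(p) for p in paths] for paths in duplicate_pii(findings).values()],
            "exposed": [rel(p) for p in exposed_pii(findings)],
        }


if __name__ == "__main__":
    summary = run_demo()
    print("files scanned:", summary["files"])
    for paths in summary["duplicate_sets"]:
        print("same PII content in:", ", ".join(paths))
    print("PII readable beyond owner:", ", ".join(summary["exposed"]))
```

The output answers the two governance questions directly: one set of three identical PII-bearing files, two of which are readable by anyone on the host. Each extra copy is something to justify or delete; each exposed copy is something to lock down.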