Wednesday, December 10, 2014

Another Sad Hacking Story: What Can We Learn From Sony


Sony hacked. Data stolen. Personal lives exposed. Interested in Judd Apatow’s social security number? Blah, Blah, Blah.

“The hack and subsequent posting…illustrate the risks large companies like Sony take by amassing years of digital records on employees and customers on machines connected to the Internet. Much of the data analyzed…was stored in Microsoft Excel files without password protection.” Wall Street Journal December 5, 2014

After the hundredth major information hack, you start to become immune to, or maybe underwhelmed by, the magnitude. “So what if another 47,000 personal identities got swiped.” “So they know the personal info of Sylvester Stallone, no big deal.”

What can we learn from a world where there is more information than ever before, that is more connected than ever before and, as a result, more vulnerable to information theft than ever before?

So here are a few truisms about the hacking reality in these times:

1.   Security breaches will happen no matter how much effort is made to ensure they don’t.
2.   Information matters. That is why criminal groups across the globe seek to steal as much information as possible. It's business.

3.   More businesses are being more proactive as reputations hinge upon it. Information security has become central to fiscal health. Just ask Target how impactful a serious hack can be.
4.   We will become more immune to “hacking” stories, which is in some ways good and in some ways bad.
     a.  Good, because we are not worried that the sky is falling and organizations can focus on the real business of knowing where their data resides and can lock it down better.
     b.  Bad, because ignoring the huge impact that some of these hacks create may portend lethargy or helplessness.
5.   Security is a process not a project.  It is a marathon, not a sprint.  It is an organizational activity that requires vigilance and persistence over time.  Getting lazy means more bad results.  From a corporate governance perspective, it is like any activity that is important enough to bake into the business processes.
6.   Smart organizations continually augment the ways they manage privacy, information security, corporate trade secrets and IP.  That is because technology changes. Actions taken by criminals change. And the problem evolves, so your response needs to continually evolve to meet the new challenge.
7.   Smart organizations take action for two reasons: one, to mitigate the risk and address the harm, and two, to insulate the company from the harm caused by the attacks that get through. In other words, the good things your organization does to prevent a hack may be used to support your company and mitigate the downside if and when your information crown jewels are hacked.

And that brings me to Information Nation: Seven Keys to Information Management Compliance and the importance of a process for better management, which serves both purposes described in paragraph 7. Compliance methodology can save your company and act as insurance or insulation. This is why: “A corporation can act through natural persons, and it is therefore held responsible for the acts of such persons…on the other hand in certain circumstances, it may not be appropriate to impose liability upon a corporation, particularly one with a compliance program…” U.S. Dept. of Justice



Here are a few simple rules to help guide you:

a.    Vigilance comes from having a process, so build it or augment the existing process.
b.    Information Management Compliance is our compliance methodology that we built on the Federal Sentencing Guidelines, which are the basis for most US compliance programs. Compliance methodology demonstrates what good corporate citizens do and can act to mitigate harm or insulate altogether.
c.     Good corporations need to protect their reputation now more than ever by having working security programs.
d.    Combining a compliance methodology with security initiatives is something to seriously consider. That way your security program can better confront the hacking your organization most assuredly will be confronted with, as well as mitigate the damage if and when something slips through the cracks.
e.    Finally, getting your company better buttoned up and protected begins with knowing where your information lives, knowing who has access to it and coding and securing it according to its value.  


The Sony hack is another wake-up call, even though I am not sure if Sony could have stopped the intrusion no matter what security it had in place, given the complexity of the hacking. But I am sure we will have many governmental organizations seeking to answer that question. One thing I am sure of already is that when personal information or company secrets are amassed and not locked down, they will get exposed. It’s just a matter of how often and how much impact it will have. When PII of Hollywood figures is replicated numerous times in the data pool, perhaps without business justification, someone should be asking why there are so many instances of the same information and why they are not locked down. Did Sony do anything to mitigate information security risks by keeping as little as possible for as short as possible and properly locking it up? These questions too will be addressed in due time, which most assuredly will have further impact on Sony. But for today, purposeful vigilance with a plan is the rallying cry. Know your information, know where it resides and lock it down. Your existence may depend on it.

Thursday, December 4, 2014

Making Peace with Too Much Information, the Holiday Season and Big Ten Football

I got a late start this year. So yesterday I sent a box request to Steel Hill, our off-site storage vendor, to get my box of holiday paraphernalia. I celebrate Christmas, I mean Hanukah, I mean Kwanzaa, I mean Unique Snowflake Fest. Anyway, I wanted to get my box so I can adorn my office. And that got me thinking that if everyone in my company did what I do, we would be spending loads of unnecessary dough on storing crud. And that got me thinking about how much money we could save getting rid of crud. And that got me thinking about what crud really is. And well, that got me thinking that I forgot to wish you happy holidays. But let me come back to that in a minute.

Shockingly, this past year we were engaged many times to deal with cleaning up the boxes of crud at off-site storage vendors for big company clients.  That is significant for a few reasons. One, because companies now understand keeping unneeded information carries with it real costs. Two, even boxes of paper have become the target to save money (given that most info costs are related to electronic stuff). Three, we have been in a nearly all-electronic business world for years now, so dealing with paper now seems odd. Four, companies seemingly forgot about the boxes, but hopefully now are getting reacquainted as they get their annual bill and are asking why store crud? Five, getting rid of boxes of paper carries with it a cost which may be higher than the annual cost to keep the boxes and that reality may impact clean-up efforts.

Oh, Happy Holidays, whatever it is that you celebrate. Be safe, healthy and live joyously.

And all that holiday sweet talk got me thinking about New Year’s. And that got me thinking about chicken wings. Don’t ask. And that got me thinking about New Year’s resolutions, which by the way I’m generally not a fan of. But as the old adage goes, “do as I say, not as I do”. So please take to heart my sincere request to: Save a Tree; Go Green; Live Simply; and Create a smaller carbon footprint. Help your company clean up its crud this year. Take on the personal drives, email system, or even the boxes of crud ready for disposition. ’Tis the season to “Rightsize Your Information Footprint”. And that means get rid of your crud. And that got me thinking about chicken wings. And that got me thinking about what cute sweater I was going to wear to the Unique Snowflake Fest party this weekend. And because my sweater is red, that got me thinking about the Wisconsin Badgers beating Ohio State this weekend. Jump Around!