
POSTED JAN 16, 2015 11:45 AM CST

BY MARTHA NEIL


After a stunning attack late last year by hackers who stole and publicly released a wide array of confidential Sony Pictures documents, business executives are rethinking their approach to confidential information.

Many are now urging employees not to use email for confidential conversations and rely on in-person and telephone communications instead, reports Bloomberg.

Company leaders may also want to revise their email preservation policies, says partner David Zetoony of Bryan Cave, who heads the law firm’s data privacy and security practice. He is urging clients to store email only 30 days, and to limit workers’ ability to save email on their computer hard drives.

“If you don’t have information in your system, it can’t be taken,” he tells the news agency.

However, executives need to consult their accountants and lawyers to be sure their document-retention policies are in compliance with legal requirements, chairman Chuck Mathews of WGM Associates tells the Phoenix Business Journal. In addition to shortening retention periods and enhancing document-storage safeguards, companies may also want to make sure they have appropriate cyber liability coverage, Matthews’ security and information consulting company is advising clients.

The sophisticated attack on Sony, which the FBI now attributes to the North Korean government, would likely have defeated almost any company’s defenses, wrote Bruce Schneier, a security expert affiliated with Harvard Law School, in a Wall Street Journal (sub. req.) op-ed article. But better preventative measures could have lessened its impact.

“Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama or insulted its stars—or if their response systems had been agile enough to kick the hackers out before they grabbed everything,” he wrote.

Key lessons from the attack on Sony include the need for companies to actively monitor their systems for evidence of any security breach, chief security strategist Richard Bejtlich of FireEye tells CBS News.

Every business owner should ask three questions of the company’s security team, he said:

“First, what sorts of bad things have happened on our network in the last year? The second question is, how long did it take for us to detect it and how long did it take for us to deal with it? The third question you should ask is, are we a member of an organization called Forum for Incident Response and Security Teams?”

See also:

ABAJournal.com: “Sony Pictures cancels ‘Interview’ movie release, cites ‘unprecedented criminal assault’ by hackers”

CBS News: “Sony Pictures email hack causing ‘big trouble,’ may lead to big change”

 
 


Comments


  • keepinon said:

    Why “store email only 30 days” rather than store the emails on a flash drive, or some other medium that is not connected to the internet? Wouldn’t that also safeguard the information from hackers, while providing the sort of archive that might be desired?

    Posted: Jan 16, 2015 12:37 pm CST

    • W.R.T. said:

      keepinon,

      I think you have grossly underestimated the magnitude of the security problem. 

      Even in small organizations the email is stored on servers which are closely controlled by the system administrators. A mail server that is not attached to the internet is just a boat anchor. Even backup servers must connect to the network to collect the data to be archived.

      Storing email on removable media would place that control in the hands of individual employees. Security would depend upon every employee rigorously following company protocols for using and storing such media. The potential for unintentional loss or intentional abuse would be enormous.

      This response on the part of Sony and others is simply the recognition of a simple fact. If you want to keep a secret do not write it down.
