Warning: Don't Become a Star in Sony's Hacker Movie

Michael Lynton, the Chairman and CEO of Sony Pictures Entertainment, takes home a cool $3 million a year in salary. So does co-chairman Amy Pascal, who also serves as the chair of Sony’s Motion Picture Group. All in all, Sony paid out over $454 million in salaries to their employees last year—and if I spent enough time poking around, I could tell you their entire payroll.

How do I know all of this? Because last week, while you and I were coasting into our Thanksgiving holiday, almost every single employee of Sony Pictures Entertainment was greeted by a scene ripped straight from a Hollywood thriller: their normal Windows login screen had been replaced by a picture of a red-eyed skeleton with a message claiming “you have been hacked by the #GOP” (“Guardians of Peace,” not the dysfunctional group on Capitol Hill). The message went on to say “we’ve already warned you, and this is just the beginning…we have obtained your internal data, including secrets and top secrets.”

This wasn’t an idle boast, and as documents began appearing on popular sharing websites, the size and scope of the hack quickly became apparent: SPE had lost almost every sensitive piece of information stored on its network, including salary information, strategy documents, sales data, contract terms, password files, copies of unreleased films, and—most distressingly—personal details about Sony employees, including social security numbers, performance reviews, even health insurance claim appeals. The hack effectively shut down operations for several days, but the long-term effects on Sony’s business—as well as employee morale—will be harder to quantify.

Early speculation on who was behind the attack ranged from North Korea (as a reprisal for Sony’s upcoming release of The Interview, a film which openly mocks the hermit kingdom) to the hacker collective known as Anonymous. More likely, however, is that this data breach is an inside job. It’s pretty hard to have terabytes of data exfiltrated from your corporate network without somebody in IT noticing a spike in traffic.

Which, of course, means that this could have been you.

There are probably few things more boring to read about—or write about—than information technology process and controls. However, there’s nothing more critical to your business than ensuring the safety and security of your trade secrets, including sensitive details about you and the people that work for you.

Here are ten practical tips that you can implement right away to mitigate your risk of this kind of data loss:

  • Limit Access. This sounds like a no-brainer, but it’s amazing how many small to mid-sized businesses still don’t use the built-in administration features of their operating systems. Ensuring that your sensitive files are stored in folders that can only be accessed by privileged users is the most basic thing you can do to protect your data. That said, most novices choose to protect the folder using user-based permissions (“allow Mike and Doug to read the files in this folder”), but a better practice is to assign a group-based permission to your folders and then manage access by adding or removing users from the appropriate security groups (“this folder can be read by anybody in the ‘Executive Team’ group”). When possible, you should apply this same level of granularity to the operational systems that you use to run your business.
  • Develop a data retention policy, and make sure it is enforced. As a regulated entity, the SEC already expects financial advisors to have a data retention policy. That said, these requirements typically cover the retention of client records, not their deletion. You should have both: a policy that covers the information that you need to save, and a policy that covers records that you can dispose of. It’s easy to get complacent and just leave information lying around, but if it’s not key to your day-to-day operations, you’re better off deleting data or moving it to cold storage than to keep it active on your network. Your policy should cover all of your digital assets, including e-mail, spreadsheets, presentations, documents, and the like. If in doubt, archive it—you can always retrieve it for an audit later. Remember, a hacker can’t steal what you don’t leave lying around. Move your files off of your operational systems as soon as you no longer need regular access to them.
  • Frequently review your systems access. When most people join an organization, they’re given credentials to access systems and information that they need to perform their jobs. More likely than not, this access is never taken away. Bob started in the back office, but now he’s in Sales. Does he still need access to your custodian’s account servicing platform? You should develop a policy that regularly reviews systems access and security group memberships, and removes anything that isn’t necessary for an employee to do their job—including your CEO. Dormant or unused accounts are a prime vector for attackers to burrow deep into your network.
  • Immediately disable the accounts of your terminated employees. This is another no-brainer, but experience has taught me that this is another area of weakness for RIAs. Once you let an employee go—even if it’s on friendly terms—protect your digital assets by immediately disabling or suspending their systems access. This includes their network credentials (i.e., their Windows or OS X logins), the credentials they use to access any back- and front-office systems that are in use in your office, VPN accounts, accounts at your cloud or custodial providers, etc. Since you’ve already created a policy that reviews and monitors systems access, this shouldn’t be too difficult.
  • Make generous use of encryption. Most modern operating systems allow you to physically protect your data using full-disk encryption. Make use of it. While full-disk encryption won’t necessarily prevent a network intruder from stealing your data, it will make it virtually impossible for somebody who steals one of your devices—like a laptop—to pull it off of a disk drive. Another option is to individually encrypt your most sensitive files, but this solution isn’t generally practical in a dynamic business setting, and the tools that allow for easy locking and unlocking don’t exactly scream “client experience.”
  • Protect your passwords. I’ve written at length on this topic, but you should try to ensure that your employees use strong and unique passwords for every system that they have access to. Password management software like 1Password can help your users cope with this policy, as can the use of one-time password services or biometric devices like Apple’s TouchID. Keep in mind that there might be completely legitimate reasons for employees to share passwords (as this poignant article from the New York Times demonstrates), although these reasons should be strictly limited to mitigating risk, not creating conveniences. In any case, if you are going to store passwords in some type of container, make sure it’s encrypted. Better yet, avoid systems or workflows that rely on the sharing of credentials for any reason.
  • Avoid centralization. This one is a bit trickier, especially for smaller businesses. In a nutshell, you want to ensure that you’ve got more than one person administering your systems, and that these folks are regularly auditing each other for policy compliance. These employees literally have the keys to the kingdom. Make sure they’re keeping them safe.
  • Regularly implement and audit your processes and controls. This bears repeating, even if I’ve already said it a few times. Your controls are only as strong as your willingness to apply them: they should be documented, available for review, and regularly exercised. It makes no sense to have a data retention policy if you’re never enforcing it, or a group security policy when you’re not regularly auditing the memberships of your security groups. Make your IT processes a central and regular
  • Consider using Apple’s operating systems. I’m sure I’ll get flak for this one, but Apple’s devices simply have a much better track record of protecting user data (in fact, the one group spared in the Sony Pictures Entertainment hack was the folks in marketing, who largely use Apple’s machines). The main reason for this, of course, is that Apple’s market share for desktop computers simply makes it an unappealing target for hackers. However, Apple’s systems are also built on top of Unix, an advanced operating system that features security and network protection mechanisms as part of its fundamental architecture. And, with the release of iOS 8, Apple now automatically encrypts every piece of data on your iPhone and iPad devices.
  • Air-gap your important data. This one might be considered overkill, but if your data is really sensitive, don’t store it on your network at all. Encrypt it and store it on removable media, or put it on a machine that has no network access. Convenient? Hardly. Safe? Well, as my mother used to say, you can’t take a cookie that isn’t there (my mother was great at hiding sweets; I was generally pretty good at finding them). Additionally, your archives and retained data should be stored cold (meaning, keep it offline and off of powered-on systems) and shipped off site. You can always retrieve it when you need to.
Establishing and maintaining solid information technology practices and controls aren’t sexy, but neither are these headlines. By developing a few good habits, you can minimize the risks of exposing you, your clients, and your employees to a very bad day.
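The introduction makes the point that terabytes leaving a network should show up as a spike in outbound traffic that somebody in IT notices. The script below is an added example (not part of the original article) of the simplest version of that check: it compares each host's daily outbound volume against that host's own earlier days and alerts only when the jump is large in both relative and absolute terms. Hostnames and byte counts are constructed sample data.

```python
"""Flag hosts whose daily outbound volume jumps far above their own baseline."""
from collections import defaultdict
from statistics import mean

# Constructed sample: (host, day, bytes_out) as an egress monitor at the
# network edge might export them. Hypothetical hosts and numbers.
SAMPLE_EGRESS = [
    ("ws-finance-01", 1, 120_000_000), ("ws-finance-01", 2, 95_000_000),
    ("ws-finance-01", 3, 130_000_000), ("ws-finance-01", 4, 110_000_000),
    ("ws-finance-01", 5, 5_200_000_000_000),   # ~5 TB out in a single day
    ("fs-archive-02", 1, 40_000_000_000), ("fs-archive-02", 2, 42_000_000_000),
    ("fs-archive-02", 3, 39_000_000_000), ("fs-archive-02", 4, 41_000_000_000),
    ("fs-archive-02", 5, 44_000_000_000),      # nightly off-site backup, normal
    ("ws-dev-07", 1, 0), ("ws-dev-07", 2, 0), ("ws-dev-07", 3, 0),
    ("ws-dev-07", 4, 0), ("ws-dev-07", 5, 20_000_000),   # idle host, tiny burst
]

MIN_BASELINE_DAYS = 3
RATIO_THRESHOLD = 10.0           # a day must exceed 10x the host's own mean...
ABSOLUTE_FLOOR = 1_000_000_000   # ...and move at least 1 GB, so idle hosts stay quiet


def daily_totals(records):
    """Sum bytes per (host, day); returns {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes in records:
        totals[host][day] += nbytes
    return totals


def find_egress_spikes(records, ratio=RATIO_THRESHOLD, floor=ABSOLUTE_FLOOR):
    """Return [(host, day, bytes, ratio_to_baseline)] for anomalous days.

    Each day is compared only against that host's earlier days, so a spike
    never contaminates the baseline it is measured against.
    """
    alerts = []
    for host, per_day in daily_totals(records).items():
        history = []
        for day in sorted(per_day):
            nbytes = per_day[day]
            if len(history) >= MIN_BASELINE_DAYS:
                baseline = max(mean(history), 1)   # avoid dividing by zero
                if nbytes >= floor and nbytes > ratio * baseline:
                    alerts.append((host, day, nbytes, round(nbytes / baseline, 1)))
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, r in find_egress_spikes(SAMPLE_EGRESS):
        print(f"ALERT {host} day {day}: {nbytes / 1e9:.1f} GB out, {r}x its baseline")
```

The backup server is not flagged because its large volume is normal for it, and the idle workstation is not flagged because its burst is below the absolute floor; only the finance workstation's sudden multi-terabyte day alerts.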
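The "Frequently review your systems access" and "Immediately disable the accounts of your terminated employees" tips both come down to the same periodic review: who is dormant, who has left but is still enabled, and who (like Bob, now in Sales) still sits in a group their old job needed. This script is an added example, not the article's own, that runs that review over a constructed directory/HR export; the users, departments, groups and dates are hypothetical.

```python
"""Periodic access review: dormant accounts, leavers still enabled, stale group memberships."""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)

# Constructed export joining HR status with directory data (hypothetical people).
# (user, department, still_employed, account_enabled, last_login)
ACCOUNTS = [
    ("mike",       "Executive",  True,  True, date(2014, 12, 1)),
    ("bob",        "Sales",      True,  True, date(2014, 11, 28)),  # moved from back office
    ("alice",      "BackOffice", True,  True, date(2014, 7, 2)),    # no login in months
    ("carol",      "Marketing",  False, True, date(2014, 10, 15)),  # let go, still enabled
    ("svc-backup", "IT",         True,  True, date(2014, 12, 1)),
]

# Security group -> members, as exported from the directory.
GROUP_MEMBERS = {
    "Executive-Team":      {"mike"},
    "Custodian-Servicing": {"bob", "alice"},   # bob kept this after changing roles
    "Sales-CRM":           {"bob"},
    "Marketing-Share":     {"carol"},
}

# Which departments legitimately need each group; "*" means any department.
GROUP_OWNER_DEPTS = {
    "Executive-Team":      {"Executive"},
    "Custodian-Servicing": {"BackOffice"},
    "Sales-CRM":           {"Sales"},
    "Marketing-Share":     {"Marketing"},
}


def review_access(accounts, group_members, group_owner_depts, today):
    """Return a list of (finding, user, detail) tuples for a human to act on."""
    findings = []
    dept_of = {user: dept for user, dept, *_ in accounts}
    for user, dept, employed, enabled, last_login in accounts:
        if not employed and enabled:
            findings.append(("terminated-still-enabled", user, None))
        elif enabled and today - last_login > DORMANT_AFTER:
            findings.append(("dormant", user, (today - last_login).days))
    for group, members in group_members.items():
        allowed = group_owner_depts.get(group, {"*"})
        for user in sorted(members):
            if "*" not in allowed and dept_of.get(user) not in allowed:
                findings.append(("membership-mismatch", user, group))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, GROUP_MEMBERS, GROUP_OWNER_DEPTS, date(2014, 12, 8)):
        print(*finding)
```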