People have been writing for months about what could have prevented or lessened the impact of the Sony hack. I’ve talked to many people in the information governance industry on this very topic. I’m a firm believer that even with proper information governance policies that were properly followed, the impact of the Sony hacks would be the same.
Of course, not everyone agrees. Lubor Ptacek asked if enterprise content management (ECM) could have prevented the hack. While his answer was not a definitive ‘Yes’, it did fall strongly on the side that it would have made a significant difference.
Lubor is a smart person so I’ve decided to visit his points in this post. Before I start going point-by-point…
You Can’t Govern Stupid
The part that blew me away is the emails. Yes, they lost a lot of personal information but the things people said in email were completely unprofessional and bordering on ridiculous. Those emails eventually cost studio chief Amy Pascal her job. I always try to keep my emails clean enough that if they were to become public life would continue. Sony executives had no such goal. I am sure that at some point they were advised about this but the advice likely went in one ear and out the other.
This is not a behavior exclusive to Sony or the entertainment industry. Most people will smile and maybe even understand this advice when it is given. Without a harsh object lesson like the one just delivered to Sony, most people do not change their behavior.
If email management practices had been in place, there would have been less email. There still would have been stupid emails that would have made the executives look bad. There might have been one or two fewer apologies to make but the public perception damage would have been the same.
On to the Post
Now let’s look at Lubor’s points.
- Archiving information: As I said above, stupid still happens. Many of the emails released were less than one month old.
- Removing content from employee hard drives: The hackers hit every system. If the data existed, they found it. They had all the keys and a lot of time to use them. You give me the system admin password for a network and in a day I’ll have access to everything. Employee hard drives or ECM system, it would be mine for the taking. In fact, if you put it in the ECM system, I would be able to leverage the search sub-system. The only way this would not be true is if you made things so convoluted that employees wouldn’t use the systems.
- Permissions on file servers: See the previous point. If I am a system admin, All your info are belong to us.
- Security: Lubor mentions many things but the one that stands out is encryption. Encryption on the content store will prevent bots and worms from getting your information but it will not prevent intelligent hackers who use their admin access to get into the ECM system directly. While I have deployed many file encryption features for clients, I always deem them as features for the paranoid. If someone has gained access to the secured file store in your secure network, you are already toast.
- Audit Trail: This is slightly funny. I am a HUGE fan of auditing things in the system. I have also seen those logs sit ignored until something goes wrong. Monitoring heavily used ECM systems via the audit log is rarely done and not a default behavior in any system I have run across.
The key point is that if Sony had deployed the products of the large vendors as they are used in most environments, nothing substantial would have changed.
The Tech is Sound
Now, do not get me wrong. Managing information and all the best practices that Lubor refers to are important. They should be implemented in a systematic manner because if organization-wide security protocols are set up both physically and procedurally, then ECM and other Information Governance tools would make a difference.
The tools are good and when properly deployed they can increase productivity, reduce risk, and limit damage from internal security threats. Maybe not from system administrators but they do from the average unhappy employee.
What Would Have Helped
A well-designed security infrastructure system would have helped. You always have a system administrator account that owns everything. Don’t give that account access to any business system. Create administration accounts for each system with different passwords and make sure those accounts don’t have network administration rights. This may create some extra work for system administrators but it creates a more secure world without impacting the business.
That is just one thing that would make a real difference. Not storing social security numbers in Excel is a good idea as well. Both are Security 101 concepts and not information management.
A better and more advanced approach is behavior monitoring. Tracking unusual patterns of behavior is the best way to identify hackers regardless of how they get into your system. It takes time to learn what patterns are normal and to set up alerts when strange things happen but it works.
That level of security requires a commitment to security, a commitment Sony did not seem to have.
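The baseline-and-alert idea described above, applied to an ECM audit log, as an added example that is not from the original post: it learns each account's normal daily read volume and flags days far above it, plus accounts that have no history at all (such as a network administrator account that should never touch business content). The log layout, account names, dates and the threshold `k` are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def daily_counts(events):
    """Map account -> {date: number of distinct documents read that day}."""
    docs = defaultdict(lambda: defaultdict(set))
    for date, account, doc_id in events:
        docs[account][date].add(doc_id)
    return {a: {d: len(s) for d, s in days.items()} for a, days in docs.items()}

def flag_anomalies(events, baseline_end, k=3.0):
    """Return sorted (date, account, count, reason) for days after baseline_end."""
    alerts = []
    for account, days in daily_counts(events).items():
        history = [n for d, n in days.items() if d <= baseline_end]
        for date, n in days.items():
            if date <= baseline_end:
                continue
            if not history:
                alerts.append((date, account, n, "no baseline for account"))
                continue
            # Floor the deviation at 1 so very regular accounts do not alert on +1.
            limit = mean(history) + k * max(pstdev(history), 1.0)
            if n > limit:
                alerts.append((date, account, n, "volume above baseline"))
    return sorted(alerts)

def sample_events():
    """Constructed audit rows (date, account, document id); not real data."""
    rows = []
    base = {"alice": [4, 5, 6, 5, 5], "bob": [2, 3, 2, 3, 2]}
    for account, counts in base.items():
        for day, n in enumerate(counts, start=4):
            rows += [(f"2024-03-{day:02d}", account, f"doc-{i}") for i in range(n)]
    rows += [("2024-03-11", "alice", f"doc-{i}") for i in range(5)]    # normal day
    rows += [("2024-03-12", "alice", f"doc-{i}") for i in range(60)]   # bulk read
    rows += [("2024-03-11", "sysadmin", f"doc-{i}") for i in range(400)]
    return rows

if __name__ == "__main__":
    for alert in flag_anomalies(sample_events(), baseline_end="2024-03-08"):
        print(alert)
```

The baseline window here is fixed; in practice it would roll forward, and alerts only help if someone is assigned to read them.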