People have been writing for months about what could have prevented or lessened the impact the Sony hack. I’ve talked to many people in the information governance industry on this very topic. I’m a firm believer that even with proper information governance policies that were properly followed, the impact of the Sony hacks would be the same.
Of course, not everyone agrees. Lubor Ptacek asked if enterprise content management (ECM) could have prevented the hack. While his answer was not a definitive ‘Yes’, it did fall strongly on the side that it would have made a significant difference.
Lubor is a smart person so I’ve decided to visit his points in this post. Before I start going point-by-point…
You Can’t Govern Stupid
The part that blew me away is the emails. Yes, they lost of lot of personal information but the things people said in email were completely unprofessional and bordering on ridiculous. Those emails eventually cost studio chief Amy Pascal her job. I always try to keep my emails clean enough that if they were to become public life would continue. Sony executives had no such goal. I am sure that at some point they were advised about this but the advice likely went in one ear and out the other.
This is not a behavior exclusive to Sony or the entertainment industry. Most people will smile and maybe even understand this advice when it is given. Without a harsh object lesson like the one just delivered to Sony, most people do not change their behavior.
If email management practices had been in place, there would have been less email. There still would have been stupid emails that would have made the executives look bad. There might have been one or two less apologies to make but the public perception damage would have been the same.
On to the Post
Now let’s look at Lubor’s points.
- Archiving information: As I said above, stupid still happens. Many of the emails released were less than one month old.
- Removing content from employee hard drives: The hackers hit every system. If the data existed, they found it. They had all the keys and a lot of time to use them. You give me the system admin password for a network and in a day I’ll have access to everything. Employee hard drives or ECM system, it would be mine for the taking. In fact, if you put it in the ECM system, I would be able to leverage the search sub-system. The only way this would not be true is if you made things convoluted that employees wouldn’t use the systems.
- Permissions on file servers: See the previous point. If I am a system admin, All your info are belong to us.
- Security: Lubor mentions many things but the one that stands out is encryption. Encryption on the content store will prevent bots and worms from getting your information but it will not prevent intelligent hackers who use their admin access to get into the ECM system directly. While I have deployed many file encryption features for clients, I always deem them as features for the paranoid. If someone has gained accessed to the secured file store in your secure network, you are already toast.
- Audit Trail: This is slightly funny. I am a HUGE fan of auditing things in the system. I have also seen those logs sit ignored until something goes wrong. Monitoring heavily used ECM systems via the audit log is rarely done and not a default behavior in any system I have run across.
The key point is that if Sony had deployed the products of the large vendors as they are used in most environment, nothing substantial would have changed.
The Tech is Sound
Now, do not get me wrong. Managing information and all the best practices that Lubor refers to are important. They should be implemented in a systematic manner because if organization-wide security protocols are setup both physically and procedurally, then ECM and other Information Governance tools would make a difference.
The tools are good and when properly deployed they can increase productivity, reduce risk, and limit damage from internal security threats. Maybe not from system administrators but they do from the average unhappy employee.
What Would Have Helped
A well designed security infrastructure system would have helped. You always have a system administrator account that owns everything. Don’t give that account access to any business system. Create administration accounts for each system with different passwords and make sure those accounts don’t have network administration rights. This may create some extra work for system administrators but it creates a more secure world without impacting the business.
That is just one thing that would make a real difference. Not storing social security numbers in Excel is a good idea as well. Both are Security 101 concepts and not information management.
A better and more advanced approach is behavior monitoring. Tracking unusual patterns of behavior is the best way to identify hackers regardless of how they get into your system. It takes time to learn what patterns are normal and to setup alerts when strange things happen but it works.
That level of security requires a commitment to security, a commitment Sony did not seem to have.
9 thoughts on “Sony, Information Governance, and the Quest for Relevancy”
Hi I agree with your first point that you can’t govern stupid. However i don’t feel that it was stupidity that led to the content and tone of the emails but more as a result of the culture of the organisation and lack of professional and moral leadership from senior management.
The emails clearly demonstrate it was ok / common culture / encouraged even in sony to openly criticise each other and “clients” in general and unfortunately in writing.
I have worked in many organisations from many different industries and have never come across such a culture that would accept this type of written communication by any member of staff. (Apart from verbally at the pub after work of course).
Thanks for your tips on administrator management.
Once again, great post.
You have made some good points, but I believe that a solid IG program that leveraged certain key technologies would have largely limited the damage. I articulated my argument on my blog here: http://www.enterprisecioforum.com/en/blogs/robertsmallwood/what-could-have-saved-sony-even-after-br
Thank you for a thoughtful post. I agree IG would not have saved Amy Pacal’s job, but having a mature IG program would have positively impacted the situation:
1. Fewer PII and PHI documents would have been exposed.
2. The fewer PII and PHI documents that are exposed, the fewer people are harmed. That by itself is a positive impact.
3. The fewer people harmed, the fewer lawsuits against Sony. That’s a real reduction in cost.
4. And for the lawsuits that remained, one thing that the plaintiffs could not haved charged is that Sony did not have anything in place to meet their obligations for protecting their personal data. Sony would have been able to say “We had an IG program in place intended to manage and protect our data.” And I think that would have impacted the award the plaintiffs would get versus the award they may get if they can show that Sony had nothing in place to manage and protect their records.
I agree – good points, Gary, especially #4 which is the foundation for the previous 3.
They stored Social Security Numbers in Excel spreadsheets that were active. It still would have been exposed.
As for negligence, their poor security practices are all that is needed for that big lawsuit. Don’t get me wrong, having IG would be a better thing but that is a tier two system. They were broken at tier 1.
Also remember, I make my living on IG so I have no bias against IG. This breach was just so much BIGGER than what IG can deal with.
Actually spreadsheets can be protected upon creation using information rights management (IRM) software, which serves as a sort of security wrapper around the e-document throughout its life cycle. IRM controls the rights to view, edit, copy, forward, print, etc. It can even be time-sensitive (e.g. access allowed during working hours) and device sensitive (e.g. access allowed on the user’s desktop,, but not laptop). The document remains in an encrypted stated and authorization from a server or the cloud must occur each time it is opened. If the hackers somehow copied the spreadsheets and tried to open them – they would have been denied access and the spreadsheet would have been shredded virtually on whatever device it had been stored on.
Informatio Rights Management is such a pain in the A$$ that users work around it. Everywhere I’ve looked that tech has actually make content LESS secure because it is bypassed. It is good in theory, HORRIBLE in execution.
All IRM products are not equal. IMHO, the first generation ones had policy engines that were cumbersome and unwieldy, and IRM products from Microsoft and Oracle (through acquisition) are two terrible examples of this. Next generation products are much more advanced and streamlined and unobtrusive to the user. Look at IRM products from companies like WatchDox, Covertix, and NextLabs (among others) and they are light years ahead of the previous generation.
Can we curb the acronyms please? PII, PHI, IMHO etc etc
Comments are closed.