What small businesses can learn from the Sony hack

In the wake of the Sony breach, many business owners have asked us how they can protect their businesses from such a data leak.

First, it is important to remember that this was a deliberate, sophisticated attack by hackers with an agenda against Sony, which initially forced Sony to cancel the release of the movie "The Interview" in major theaters. There is also speculation that these hackers had inside help. (See New York Times report.) Second, there are several precautions that Sony could have taken that may have helped protect them from this data breach. Many large corporations use connections between their offices, such as AT&T MPLS, that are not connected to the Internet. But today's mobile, Internet-connected world often encourages creating doors into these closed networks to allow for more convenient access to the data. These "doors" run the risk of being left unlocked and accessible to unauthorized outside connections.

Large companies such as Sony have IT budgets that can support bringing backup solutions and other cloud services in-house without the need to connect the corporate network to the Internet. For further security, they can set up separate Internet-connected networks for wireless devices that are completely separated from the corporate network. However, it seems these protocols were not followed in Sony's case, and, unfortunately, the company has paid the price: a data leak that included sensitive information about salaries and internal correspondence, many hurt feelings, and walking away from a movie that was anticipated to be a moderate hit at the theaters during the holidays.

While bringing technology in-house and developing separate networks may be feasible for large companies, smaller companies cannot afford to bring all their solutions in-house and need online backup and many of the other cloud services that allow them to compete with larger companies. You can't get those without Internet access. Also, most modern software assumes Internet access: for instance, Microsoft Windows 8 and Apple OS X update all the time, and nearly all iOS functionality requires Internet access.

There are several ways small businesses can minimize risk, even when using cloud technologies, and it is important to look at two sides of the data security equation:  

  1. In-house solutions – establishing strong internal security protocols; and
  2. Outsourced solutions – using external technology that offers proactive security solutions.

Internal security protocols should, first and foremost, be easy to use so they indeed get implemented. While there are a number of ways to reduce the risk of a data breach, here are some of the easiest and least expensive solutions we recommend to small businesses:

  • Generate a different password for each online account
  • Change your passwords every 3-6 months and don’t reuse them
  • Consider using a password generation and management solution; however, if you generate your own password, it should contain upper and lowercase letters, punctuation, and a number, and be 8-14 characters long
  • Do not store your password list in the cloud, such as on Google Docs or Dropbox
  • Consider two-step verification on services that provide it, such as those that ask for a mobile number as well as a password
  • Limit access to sensitive data to only those who need it
  • Keep a list of all the systems your company uses and who has permission to access them, and update the list at least once a year, or more often if you have high employee turnover
  • Remove any unused technology because it is another security risk that may hold data that would be more safely stored off site
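
The access list, need-to-know and unused-technology items above can be checked with a short script. The following is an added example, not part of the original article: the CSV layout, the names in it, and the 180-day "unused" threshold are assumptions, while the 365-day review window follows the "at least once a year" guidance.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not from the article): one row per access grant.
INVENTORY_CSV = """system,user,last_reviewed,last_used
Payroll,alice,2024-11-02,2025-01-10
Payroll,bob,2024-11-02,2025-01-08
File server,carol,2023-06-15,2025-01-12
Old CRM,alice,2022-03-01,2022-04-20
Email,dave,2024-12-01,2025-01-14
"""
CURRENT_STAFF = {"alice", "carol", "dave"}  # constructed; bob has left the company


def audit(inventory_csv, staff, today, review_days=365, unused_days=180):
    """Return a sorted list of (system, user, finding) tuples.

    review_days reflects the yearly review in the list above;
    unused_days is an assumed cut-off for "unused technology".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        system, user = row["system"], row["user"]
        reviewed = date.fromisoformat(row["last_reviewed"])
        used = date.fromisoformat(row["last_used"])
        # Access should be limited to people who still need it.
        if user not in staff:
            findings.append((system, user, "access held by non-staff"))
        # The list itself goes stale if nobody re-checks it.
        if (today - reviewed).days > review_days:
            findings.append((system, user, "review overdue"))
        # Systems nobody touches are candidates for removal.
        if (today - used).days > unused_days:
            findings.append((system, user, "unused, consider removing"))
    return sorted(findings)


if __name__ == "__main__":
    for system, user, finding in audit(INVENTORY_CSV, CURRENT_STAFF, date(2025, 1, 15)):
        print(f"{system:12} {user:6} {finding}")
```
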

When outsourcing solutions, organizations should work with technology providers that implement and improve their data security solutions proactively. Tech companies have different philosophies about security and small companies should try to identify the ones who make security a priority and seamless for the end-user. Sinu researches and tests solutions that provide fast, dynamic security solutions. For example, we look for tech partners who will patch a security hole within hours across all their solutions as opposed to just putting a patch up on their website and washing their hands of the problem. 

Here at Sinu we take security seriously, and the technology solutions we offer as part of our platform do as well. We also understand that there is a fine balance between keeping data secure and having the ability to access it when and where you need it. If you have any questions, we would be happy to discuss best practices for your company's security protocols and how the Sinu Solution is built to help protect your data while keeping your employees productive.