On November 24, 2014, a group of hackers, who identified themselves as the Guardians of Peace, breached the cyber security system of the film studio, Sony Pictures Entertainment, and released an estimated 38 million confidential documents. This breach resulted in the disclosure of highly sensitive information, such as employees' salaries, employees' job performance, and employees' identification information (including bank account and social security numbers). In addition to the breach of employee privacy, the incident evolved into an all-out international crisis, with threats being made regarding the safety of American citizens.
A lengthy investigation was undertaken to determine the source of the breach. It was determined that three days prior to the breach, several Sony executives received an e-mail from a group demanding monetary compensation and threatening repercussions if Sony Pictures did not comply. It is believed that since Sony did not accede to these threats, the company was hacked. Although the cause of the breach has not been publicly confirmed, it has been theorized that the hackers were able to infiltrate Sony's once seemingly impenetrable information security system, through the use of the several phishing e-mails.
A phishing e-mail is a specific type of spam that targets a person by simulating a legitimate message from a bank, government department or some other organization, in an attempt to get the individual to give up confidential information that could be used to gain access to their personal accounts. In Sony's case, investigators found a pattern with repeated phishing e-mails being sent that were fake Apple ID verification requests that asked the individual to sign into their account.
These types of messages are often very deceiving, and will usually include some form of good news to provide further encouragement for the receiver of the e-mail to trust the sender and follow the instructions in the e-mail. Often, these e-mails also attempt to incite fear, such as stating that an account has been hacked and requesting the individual to sign into their account to rectify the issue. The messages are often close depictions of common emails sent from the real organization. In many cases, the messages include logos, fonts, and similar colours to the legitimate organization. Almost always, the e-mail will include a website URL, which the individual is told to click on to take them to the organization's website. The website will closely mimic the real organization's website and require the individual to provide their confidential information by signing into the account. At this point, the individual has disclosed their login information and has become a sitting duck for the breach of their cyber security.
The Sony incident serves as an important reminder that e-mail can present a significant vulnerability in a company's cyber security system. Reinforcing this concern, a recent study found that employee targeted phishing attacks increased 55% over 2015. Therefore, it is imperative that a company take pre-emptive measures to ensure that proper software is in place to prevent access to confidential information through e-mail. More importantly, it is vital that employees receive proper training on the use of e-mail in the course of their employment.
To prevent harmful e-mails from reaching employees, a company should implement a spam filter. The spam filter will reduce the risk exposure for an organization by minimizing the number of e-mails received by an employee and decreasing the chance that an employee accidentally opens a harmful email. In addition, employees should be made aware of, and have access to, a guide outlining steps that should be taken when an employee receives a suspicious e-mail or an e-mail from an unknown sender. A company should also enforce strict password standards for all e-mail accounts associated with work. Finally, a company should use generic e-mail addresses when providing the address in a public forum (such as on their website) under the "contact us" section. This will help reduce the possibility of employees being targeted by outside parties, as their e-mail addresses will not be easily accessible.
Phishing and spam are two issues associated with incoming e-mail. However, there is equal risk presented to a company's security where sensitive information is shared in an outgoing e-mail. If transmitting or communicating sensitive information, companies should consider whether e-mail is the most secure forum. When Sony's information security system was hacked, all outgoing e-mails were accessible, which meant that any private information contained in those e-mails was accessible as well. As a result, not only did Sony have to deal with issues of breach of privacy, they also had to deal with reputational issues, as several e-mails where inappropriate comments were made by an executive, were released by the hackers to the public.
Sony's cyber security breach provides an invaluable lesson about the importance of having proper safeguards in place regarding the use of e-mail. Companies should have an accessible policy in place outlining what is appropriate to send through e-mail and strict consequences for those who do not adhere to the policy. Companies need to ensure that employees understand the severity of the consequences that inappropriate e-mails can have, as once an e-mail is drafted and sent; the comments exist indefinitely. Additionally, companies should have proper procedures in place for when an employee receives an abnormal e-mail or doesn't recognize the sender. Proper IT support should be in place so that employees have access to an immediate resource and the problem can be dealt with before it has devastating effects.
Overall, companies need to ensure that their employees receive proper training regarding the use of e-mail in the course of their employment. If an employee opens a phishing e-mail, it can (1) slow down the company's networks, servers and computers; (2) increase the company's costs while reducing its productivity; and (3) ultimately result in the breach of information security. It is equally important that companies provide adequate training on outgoing e-mail procedures as well, since employees need to always consider the content of their correspondence and whether there is a risk that confidential information could be breached if transmitted through e-mail.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
