It’s Easy To Point Fingers at Sony

Ivan David Gomez Arce/Flickr

As the world gets their gossip fix at Sony’s expense, I find myself marveling at the hubris. It’s easy to point fingers at Sony and the executives who’ve had their private conversations aired for the world to scrutinize, but Sony is hardly unique in their distress.

Could Sony Pictures have done more to protect their digital assets? Most likely. But in recent weeks we’ve also seen hacks of the tech media site Ars Technica and ICANN, the very organization that controls the registration of URLs worldwide.

I’m guessing both of them take their infosecurity seriously. And yet they found themselves sending out notifications to customers just the same. You likely haven’t heard about it, as they’re not the sort to employ movie and rap stars, but they suffered much the same fate. Both organizations, and many others like them, now have privacy professionals doing the hard work of cleaning up the mess left behind by malicious actors.

I’m quite certain that while the media and other commentators marvel at Sony’s supposed bumbling, executives in C suites the world over are calling their IT folks and asking, “Could that happen to us? Do we have a plan in place if it does?”

The answer to the first half is, “yes it could, and it probably will.” The answer to the second? If you’re one of the nosey parkers laughing at Sony, it better not be, “I hope so.”

In this new era of seemingly omnipotent hackers, it’s not enough to build ever higher and stronger walls in an attempt to keep out the bad guys. Rather, every organization must also be fostering an environment of privacy and security awareness so that when the hack happens, it’s just another annoyance to be dealt with, like a water-main break or a lightning strike, rather than a calamitous event that threatens the very fiber of the business.

Employees of all stripes – truly, anyone who handles data – need to have issue-spotting capabilities to identify sensitive data, make sure it’s cared for properly (encryption, anonymization, destruction, whatever’s appropriate), and raise a red flag when something just doesn’t seem right.

Should the worst occur, there must also be professionals ready to execute the proper notifications, communicate with the appropriate regulators, and communicate directly and transparently with the countless angry customers and employees.

Of course, many businesses are already realizing this and putting plans in place. The results of our recent research as part of our Privacy Industry Index show that some $2.4 billion is already being spent on privacy in the Fortune 1000, and we target that to increase to $3 billion in 2015, with the addition of at least 950 full-time privacy professionals and another 2,000 employees with privacy as part of their roles in the organization.

Sometimes, committing to privacy involves a simple concession: No, Mr. CEO, you can’t have admin privileges on your laptop because you simply aren’t as well trained in identifying malware as our IT department is. Sometimes it’s a much larger effort: Just because you can collect location data with your new app doesn’t mean you actually need to. It’s up to the company’s leadership to convey to the marketing team that while customer information can be useful, it should not be gathered whenever possible and without proper notification.

It is the CEO and leadership in general who must make it clear to the entire organization that collections of sensitive data create risk just as they create value. Yes, it’s convenient to have a single spreadsheet with all of the historical salary and benefits data in it, but it’s also terribly risky. Yes, it’s valuable to have a single spreadsheet with all of your customers’ purchasing data in it, but it’s also terribly risky.

In the end, the risk isn’t that you’re going to be hacked. The risk is that you’re going to be hacked and the hackers will find valuable stockpiles of data. Worse yet, you have no plan in place to respond and mollify those affected.

If the stockpiles don’t exist, if the organization understands the risk and takes steps on a daily basis to avoid it or respond to it, the hack becomes just another annoyance to be dealt with in the course of doing business and falls way down the list on every company’s risk register.

This Sony hack is certainly a wake-up call to re-examine your infosecurity practices, but please don’t think more software and better systems engineering is going to make you safe from malicious actors. Only a culture that has privacy and security at its core can begin to mitigate that kind of risk.

J. Trevor Hughes is the president and CEO of the International Association of Privacy Professionals (IAPP).