How an email audit would've stopped North Korea from getting Sony Pictures CEO fired

That’s what occurred to me when Amy Pascal the head of Sony Pictures was effectively fired earlier today. North Korea, who was pissed about the movie “The Interview” effectively got the woman fired as a result of their successful data breach a few weeks ago though there is some dispute whether she was fired because of Sony’s horrid security or what was actually in the emails that were made public (from the way this was done you could argue the latter).

Coincidently I’d received a funded survey from Varonis (they specialize in data security and access) showcasing the specific problems that appeared to have caused the Sony breach were common in around 80 per cent of the firms in the world and that means the next CEO that gets fired could be yours.

Let’s talk about the sorry state of information security this week.

Internal Audit

I spent a considerable amount of time in corporate internal audit for one of the biggest IT companies in the world and it still amazes me what I and other teams ran into during an audit. The worst intellectual property breach I ran into, however, came years later when one of my own highly secure documents was intentionally leaked by an Executive VP to a competitor either to make me look bad or because he was interviewing there (we never did find out which).

Back then we did a lot of stuff on paper but even so I’d learned to be creative on how I tracked documents because I’d anticipated such a leak from my audit background. Since I’d missed getting fired by the skin of my teeth thinking about information security had become second nature and recent events suggest that a similar mind set should become a priority in most companies.

Fired By Email

One of the nastiest firings I’d ever seen came as a result of an email that went to the wrong place. What had happened was that a very talented black female sales rep had asked her boss for some resources and he wrote an email to his boss reflecting unfavorably on her race and appearance and that second line manager responded in much the same tone. At some point in this ill-advised exchange someone accidentally copied the sales rep who had a brother who was an attorney specializing is discrimination cases. She quit, successfully sued the firm, and both managers were terminated. One went out the door making death threats against the executive management of the firm (which kind of implied we should have fired him a long time earlier).

It is amazing what people put in email that they think others won’t see forgetting that email isn’t private and the Sony CEO’s termination does appear to at least be partially connected to some equally ill-advised correspondence.

Folks do need to remember that company email can be audited and free email services aren’t known for being particularly secure. Putting ill-advised comments in an email can end a friendship, marriage, or career and companies are often advised to regularly audit email so that problems that could result in litigation are caught before they do.

Wrapping Up:  Getting Your Arms Around The Problem

Now the study I pointed to above showcases that across a broad swath of companies good security practices simply aren’t being followed. What is ironic is that the study also showcased that employees often can’t find the internal information they need. This makes this information more often a liability than an asset and you can see why Varonis funded the study because their specialty is fixing that very problem but that doesn’t make the problem itself false.

Weather it is Amy Pascal’s firing or the equally visible and likely more troubling Anthem Insurance breach which also happened this week you are on notice that information security, or the lack of it in this case, is a potential career and company killer. I’d strongly suggest putting together an audit to see just how bad it is at your firm and mitigate the problems found before they become a nightmare for you.