WASHINGTON — Q: I keep hearing about encryption because of the Sony hack, but how exactly do I get it set up for my business?
A: There isn’t enough space in this column to cover all the lessons that can be learned from what continues to come out of the Sony Pictures massive hacking event.
The importance of encryption is a big one, because it can provide an excellent level of security even if cyber thieves make off with thousands of sensitive files via a compromised computer.
Anytime everyone has access to everything on a business network without any real security, hackers need only compromise one user to wreak havoc for everyone (the likely scenario in the Sony hack).
Encryption acts as another security barrier that will generally cause the hackers to move on because of the time that it will take to break.
Encryption technology is built into most operating systems; Windows has BitLocker for workstations and servers while Mac OS X has FileVault. Or you can use one of many encryption programs from third-party companies.
But before you make any decisions to start encrypting your data, you really should review all of the options, pros, cons, security and backup measures to make sure you don’t inadvertently lock yourself out of your own data.
Encryption strategy needs to be thought through, so make sure you consult your IT support group before you get started.
Another simple step that Sony could have taken to protect data would be to create individual passwords for sensitive data files. Just about every type of business program you use has an option to password-protect individual files. Sony had 140 clearly labeled but unprotected password files that contained thousands of private passwords, a hugely embarrassing technical faux pas!
First off, saving a file that has the word “password” anywhere in the name is pretty much a magnet for hackers, but storing the information in plain text with no encryption or even a file password is crazy.
Remember, hackers are very good students of human behavior, so scanning all files for the word “password” is generally one of the first things they’ll do after a break-in.
Email has become such a liability from a security standpoint because it’s the intrusion method of choice whenever a company is being targeted.
Cleverly crafted emails can get even the most tech-savvy users to fall for tricks. Imagine getting a message that appears to be from your CEO announcing that the company is being acquired. If the message included a document that “explained the acquisition process” and how it would “affect your job,” you’d probably open it without hesitation.
To help employees easily sniff out fake internal email messages, I’ve been encouraging businesses to consider alternative channels such as private Intranets, instant messaging or private social networks as the primary trusted resource for internal communications.
Follow @WTOP and @WTOPtech on Twitter and and WTOP on Facebook.