Sony reminds us all what a pathetically weak link email is

We all rely on email too much to share and archive sensitive information, and we're all at risk.

Sony is reliving the nightmare that its hacked databases gave rise to late last year, now that Wikileaks has thoughtfully published all of the leaked documents in a searchable database. Really, they are the most courteous hoodlums ever.

But anyone in corporate IT who looks at Sony and feels smug rather than there-but-for-the-grace-of-God humble could be in for an unpleasant surprise of his own. Because the truth is, all IT departments are incredibly exposed when it comes to email.

And, let's face it, no one wants to be in Sony's position, which currently is to have its lawyers send letters to the media asking that they not cover the story. Seriously. Sony apparently feels that its best option right now is to shame people into not talking about all the information that's now available to anyone with an Internet connection. Sony "does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen Information," penned David Boies in the April 17 letter, according to a report in Bloomberg News.

Getting out in front of this sort of situation is not simply a matter of stamping out the bad things that can show up in emails, things such as racist or sexist comments, illegal discussions and bad utterances about major customers. Your company can just as well be embarrassed by the emails that are simply the mundane, everyday communications of a business. There's nothing wrong with a team agreeing to negotiating parameters before working out a contract ("We've got a green light for no more than $15 million, but let's offer $10 million and see where things go"), but the publication of those discussions -- even months after the deal has been signed -- could alienate partners.

With all of the sensitivity inherent in the contents of email, it's frightening to take a close look at how stunningly insecure it is. What if someone wants to sell out? Numerous people in IT have full access to the mail store. And if the messages are hosted by a third party, the number of people who have the ability to leak the data soars. But let's say all of those people are honest and incorruptible -- you can still find yourself in trouble. All it takes is for some reasonably convincing social engineering to trick just one of those people into granting access, which is what happened with Sony.

Of course, bribery and social engineering don't exhaust the routes into your email. Let's say someone in your company sends out an email to a few dozen people in which sensitive issues are discussed. How many of those people will access the email at home without using a VPN, so that the message can be sniffed in transit? Of those who use a VPN, how many will mindlessly include the message in their next backup, storing the backup file any old place? How many others will access the message on insecure mobile devices? Now suppose one of those mobile devices is lost. And suppose it's lost at a trade show, where your direct rivals are lurking around every corner. Or maybe someone will decide to print out a bunch of emails to read offline on the plane. Later, bleary-eyed from the travel, he leaves the printouts at an airport coffee shop.

Embarrassments like the Sony debacle are sure to hit more companies -- when an attack is as successful and highly publicized as this one was, copycat attacks are all but dictated by human nature. Before it happens to you, you really need to rethink using such an insecure mechanism for communicating and cataloguing your corporation's most sensitive and private interactions.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek and eWeek. Evan can be reached at and he can be followed at Look for his column every other Tuesday.
