Sony hack: Questions to ask your employer about data security

The hack of Sony Pictures Entertainment was a reminder to many people that every company, big or small, can be the target of devastating attacks. It's natural to be worried — but you can put your mind to rest, and perhaps even spur change at your own workplace, by asking the powers that be a few of the following questions. No technical knowledge required!

Could this kind of hack happen to us?

The answer is almost certainly yes. "While Sony may have been a target 'ripe for hacking' according to industry reports, the fact is that a number of well-armed companies have also fallen victim to IT security hacks," Feris Rifai, CEO of security outfit Bay Dynamics, said in an email.

But while breaches may not be preventable (and your company should admit as much), the damage they do can be minimized.

What are we doing to prevent or mitigate hacks?

"At a minimum, companies need to have proper access control around sensitive data," Craig Williams, security outreach manager at Cisco Talos, said in an email. That means password protecting anything worth stealing. After all, if anybody can see or modify sensitive files, that means anybody's compromised computer can leak them.

Sony appears to have failed to do this, leaving everything from unreleased films to financial data open for anyone to peruse, experts say. "This is a cautionary tale for companies who, if they are not already doing it, need to reevaluate their security policies and architecture," said Williams.
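The "anyone can see it" problem Williams describes is something a defender can check for mechanically. The script below is an added example, not code from the article or from Cisco Talos: it walks a directory tree and flags every regular file whose permission bits let any account on the host read it. The directory layout and file names it builds are constructed sample data; in practice you would point `world_readable_files` at the real file share and treat each hit as a file whose access policy needs reviewing.

```python
import os
import stat
import tempfile


def world_readable_files(root: str) -> list[str]:
    """Walk `root` and return (relative) paths of regular files readable by 'other'.

    A file with the S_IROTH bit set can be read by every local account, which
    in the article's terms means every compromised machine that can reach the
    share can leak it.
    """
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def demo() -> list[str]:
    """Constructed share: one properly restricted payroll file, one left open to all."""
    with tempfile.TemporaryDirectory() as root:
        finance = os.path.join(root, "finance")
        os.makedirs(finance)
        locked = os.path.join(finance, "payroll.xlsx")   # hypothetical file name
        open_file = os.path.join(finance, "budget.xlsx")  # hypothetical file name
        for path in (locked, open_file):
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
        os.chmod(locked, 0o640)     # owner rw, group r, others: no access
        os.chmod(open_file, 0o644)  # others can read -> should be flagged
        return world_readable_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("world-readable:", hit)
```

The check only covers the classic Unix permission bits; a real audit of a Windows or SMB share would inspect ACLs instead, but the principle is the same: default-deny, then list who can actually read each sensitive file.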

Is there a detailed, concrete plan in place should the worst happen and hackers gain access? 

Improvising is not a good idea when there are federal laws, medical and payroll information, and perhaps customer data involved! A company's cybersecurity plan should detail how and when a breach will be disclosed, who it will be disclosed to, and any services that may need to be provided, such as identity theft or credit protection for those affected.

If we do get hacked, what data of mine is at risk?

Every company operates differently, and every hack is different. If all your email is kept on company servers, for instance in your Outlook account, then a breach could easily encompass that. The same goes for cloud accounts you share with your company — a Dropbox folder, Google calendar, or web email address used for work purposes.

What about my insurance, medical, and bank records? 

If they're tracked internally, this is something you'll want to know ahead of time, so you can act fast should they be compromised.

Am I under any legal restraints regarding hacks and leaked data? 

This might sound a little weird, but some companies make you sign a contract that prevents you from suing in the case of a hack or other incident. On the other hand, they may have measures in place to protect those same employees or provide free services.

What can I do to keep myself safe?

"The human element is critical in cyber security," Ian Amit, vice president of ZeroFOX, said in an email. "Security teams need to be educating their people on safe practices, testing their organization for behavioral vulnerabilities." You're a very important element of the security system, whatever your title at work, because every user can potentially help or harm the whole company. If they have advice for you, better take it.

Does everyone know what to watch out for? 

Strange email attachments, links from unknown senders, sudden requests to change or provide passwords — all could mean trouble. Sophisticated threats like phishing can easily resemble official emails, so your company's IT department should help you learn the difference.

Who at your company should you tell if your computer starts acting weird, or if you think it's been infected with malware? 

Hacks don't always replace your desktop with a scary picture, like at Sony — in fact, that's pretty rare. Small changes may indicate major problems behind the scenes, so don't hesitate to bring them up.

On that note: don't use work computers or services for personal purposes. That means no storing photos on your work laptop, no ordering things online from your desk, and no sending selfies with your work phone! If a breach were to occur, all this information would be out in the open.

Does your company enforce strong passwords? 

The Sony hack revealed extremely poor password discipline at the company: important accounts were reportedly accessed with "123456" or "password," and many passwords were stored or emailed in plain text for anyone to see. Bad idea! Use strong passwords and change them regularly, including after any breach or malware is detected. You don't even need to remember them all — that's why there are password managers like LastPass.