Holiday cheer is in short supply for employees of Sony Pictures Entertainment. The November cyberattack itself was bad enough, but the salt in Sony Pictures' wounds is the revelation that its company-wide security practices were embarrassingly bad.
Sony Pictures is far from the only company that needs to improve its security chops. Even if your company isn't making a movie about Americans trying to assassinate Kim Jong-Un, you'll still want to check out these tips from security expert Troy Hunt on what to do if your company gets hit with a cyberattack.
"How many people think the practices we're all ridiculing Sony for are exceptional and not just the norm in large [corporations]?" Hunt asked in a post on his blog.
For example, how many employees use weak or default passwords to secure their work information? Whether it's signing into your email, connecting to the office Wi-Fi network or even managing your company's Twitter account, a good password can do a lot to stand between attackers and important corporate information.
How does your company store and manage those passwords? The troves of corporate files the hackers posted online revealed that Sony Pictures had stored hundreds of thousands of passwords in unencrypted Word documents and Excel spreadsheets.
"Go and ask your marketing folks or your corporate affairs folks or whoever manages these accounts -- 'where do you store your passwords?' -- and see what sort of response you get," Hunt wrote. "In all likelihood, it won’t be pretty."
Then there's company email. Hunt advises employees to assume that anything sent over company email networks (or any email networks, really) might someday come to light. If you must make rude, risqué or racist comments (now, do you really?), don't make them on company email, as some Sony executives are now learning the hard way.
"As with sensitive data of other kinds, you can apply a really simple rule to email: You cannot lose what you do not have," Hunt wrote. "Show some restraint, and that's one problem you won't be dealing with."
On the software-development side, Hunt also pointed out that many companies test in-development software using real company information, sometimes even including company records.
"Here's the sobering reality about all this: Getting anyone to care is hard," Hunt said.
That's especially true before a disaster strikes, when the threat of cyberattack doesn't seem real. But some small changes on an individual basis can still help improve your own security, as well as that of your whole company.