What an HR Professional can learn from Sony Hacking Scandal

Set expectations on electronic communications

​News headlines have been dominated in recent weeks by the ongoing saga related to Sony Pictures Entertainment's controversial film "The Interview." It is alleged that North Korea led a cyber attack on Sony's computer servers as a response to their plan to release the film whose plot involves the assassination of leader Kim Jon-un.

For several days, a group calling itself the "Guardians of Peace" released a series of confidential and often embarrassing data leaks from the company, including Sony employee salary details and Social Insurance Numbers. They also released the content of internal emails that severely damaged the reputations of those involved, including a thread that contained racist jokes directed at President Barack Obama.

After things escalated beyond data hacks to the threat of violent attacks if the film debuted as planned, Sony first decided to delay the release of the film. After Sony received criticism from numerous sources, including President Obama, they decided to release it in any theatres willing to show it as well as on-line. Read more (Source: Business Insider).

The idea of an external person breaching your company's internal data and sharing confidential information with the world should send a chill down the back of every HR professional and business owner. 

Many business owners might be wondering if their data can ever be truly safe. While there are cases for and against storing your data in "the cloud," ultimately each business must decide for themselves if they want to take the plunge. Services like DropBox, Google Apps for Business and Microsoft’s SkyDrive and Office 365 make moving to the cloud seem relatively easy and pain free.

But what can you, as the HR professional in your organization, do? There are several steps you can take. While you may not have any control over your company’s data after it is sent to the cloud, you are able control how data is handled within your company.

---

As a way to try to avoid the embarrassing release of emails or texts that contain content that you would not want published in the press, develop an appropriate use of email communications policy and ensure that you entire workforce (including senior executives) follow it.

Some elements that policy should contain include:

• Staff members are expected to ensure that all communications sent on behalf of the company will be created using a consistently high level of professionalism.
• Ensure that all messages use appropriate language. Inappropriate language found in communications may result in disciplinary action up to and including termination of employment.
• Use an appropriate and professional tone in the creation of email messages. It is often very difficult to determine when a person is using humour, sarcasm, or irony in an email. Please note that emails that include humour may be misunderstood, and the effects negatively impact our business.
• Remember that when you send an email, it creates a permanent electronic record. Whatever is written in your email, including content and form will be on the record for all time. Ensure that all messages sent are appropriate, and accurate in their content.

---

Bring your own device policy 

Another focus should be a Bring Your Own Device (BYOD) policy. With smart phones becoming nearly ubiquitous, many companies are allowing their employees to use their own devices, rather than provide them through the company. The trade off is a reduction in equipment cost, but a potentially higher risk of data vulnerability/loss. A BYOD policy means you can set out the terms of employees having access to company data through their personal equipment.  This policy can also be applied to employee laptops, for those employees that use their own laptop or work remotely on occasion.

---

A policy that outlines access to data should also be developed. With many cloud storage solutions, there is often a desktop version available. This allows the documents to be stored on each employee’s computer which, while convenient, can lead to disaster if an employee decides to leave and has a copy of your most valuable data on their hard drive. You must decide if the convenience is worth the potential loss of security, or if you want to insist your data is to remain in the cloud only.

---

How will the data be accessed? 

​Employee procedures:

Another item in your arsenal should be to include a definitive procedure to follow when an employee leaves your organization.  This could be a checklist that runs through all the steps that must be taken when an employee moves on, regardless of the circumstances. Forgetting a simple thing like having keys returned means your office could be vulnerable.

Things on your list should include: removing the employee’s passwords, alarm codes (if applicable) ensuring the return of any company property –i.e. keys, laptops, etc. 

---

A good time to review these steps would be when you first hire an employee. While it may be a bit awkward during hiring process to review the policies and procedures regarding an employee that is leaving the organization, this helps ensure that the employee understands and agrees to the terms of employment.

---

Need helping developing policies? Let the team at Clear Path put their expertise to work for you.

---

We'd love to connect with you!