
2015/01/12 Editorial – Another Lesson from the Sony Attack [by Bruce Schneier]

Thousands of articles have called the December attack against Sony a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be, and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there’s another equally important but much less discussed lesson of the Sony attack: companies should have an aggressive deletion policy.

One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we’re saving everything we can about our customers, on the remote chance that it might be useful later.

Everything is now digital, and storage is cheap — why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that are resulting in class-action lawsuits against the company. They published old documents. They published everything.

If Sony had had an aggressive data deletion policy, much of that couldn’t have been stolen and published. Saving data brings with it a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.

An organizational deletion policy makes sense. Customer data should be deleted as soon as it isn’t immediately useful. Internal e-mails can probably be deleted after a few months, and other documents in one to two years. There are exceptions, of course, and individuals should be able to flag documents and correspondence for longer retention. But unless there are laws requiring an organization to save a particular type of data for a prescribed length of time, data deletion should be the norm.
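One way to turn the tiers above into logic a retention job can actually enforce, added here as an illustration rather than code from the original essay. The `Record` model, the concrete day counts (30 days since last use for customer data, 90 days for internal mail, two years for documents, a seven-year legal minimum for financial records) and the sample inventory are all assumptions chosen to match the text; a real schedule would take its numbers from counsel and the applicable statutes. The point the code makes is precedence: a litigation hold and a statutory minimum beat everything, an individual’s retention flag beats the class window, and an unclassified record goes to review instead of silently living forever.

```python
"""Enforce a tiered data-retention schedule of the kind the essay argues for.

Added illustration: the Record model and every retention window below are
assumptions, not figures from the original text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed retention windows in days, one per record class. Deletion is the
# default: a record is kept only while it is inside its window, under a legal
# minimum, under a legal hold, or individually flagged for longer retention.
RETENTION_DAYS = {
    "customer_data": 30,       # counted from last use, not creation
    "internal_email": 90,      # "a few months"
    "document": 2 * 365,       # "one to two years"
}

# Classes a law obliges the organization to keep for a prescribed period
# (assumed example figure). Once that period has elapsed, the default applies.
LEGAL_MINIMUM_DAYS = {
    "financial_record": 7 * 365,
}


@dataclass
class Record:
    record_id: str
    kind: str
    created: date
    last_used: date
    retain_until: Optional[date] = None  # set by an individual who flagged it
    legal_hold: bool = False             # litigation freeze; overrides everything


@dataclass
class Decision:
    action: str   # "delete", "keep" or "review"
    reason: str


def decide(record: Record, today: date) -> Decision:
    """Apply the schedule to one record. Precedence: hold, legal minimum,
    individual flag, then the class window; unknown classes go to review."""
    if record.legal_hold:
        return Decision("keep", "legal hold")

    age = (today - record.created).days
    legal_min = LEGAL_MINIMUM_DAYS.get(record.kind)
    if legal_min is not None and age <= legal_min:
        return Decision("keep", f"legal retention ({legal_min} days) not elapsed")

    if record.retain_until is not None and today <= record.retain_until:
        return Decision("keep", f"flagged for retention until {record.retain_until}")

    if legal_min is not None:
        return Decision("delete", "legal retention elapsed; deletion is the default")

    window = RETENTION_DAYS.get(record.kind)
    if window is None:
        return Decision("review", f"unclassified kind {record.kind!r}")

    # Customer data is judged on usefulness (time since last use); everything
    # else on age since creation.
    reference = record.last_used if record.kind == "customer_data" else record.created
    elapsed = (today - reference).days
    if elapsed > window:
        return Decision("delete", f"{elapsed} days exceeds {window}-day window")
    return Decision("keep", f"{window - elapsed} days left in window")


def plan(records, today):
    """Return (ids to delete, {id: reason} for everything kept or in review)."""
    to_delete, retained = [], {}
    for r in records:
        d = decide(r, today)
        if d.action == "delete":
            to_delete.append(r.record_id)
        else:
            retained[r.record_id] = f"{d.action}: {d.reason}"
    return to_delete, retained


# Constructed sample inventory (not real data), evaluated as of the essay's date.
TODAY = date(2015, 1, 12)
SAMPLE = [
    Record("mail-1", "internal_email", date(2014, 6, 1), date(2014, 6, 1)),
    Record("mail-2", "internal_email", date(2014, 12, 1), date(2014, 12, 1)),
    Record("mail-3", "internal_email", date(2014, 6, 1), date(2014, 6, 1), legal_hold=True),
    Record("doc-1", "document", date(2012, 11, 1), date(2012, 11, 1)),
    Record("doc-2", "document", date(2012, 11, 1), date(2012, 11, 1), retain_until=date(2016, 1, 1)),
    Record("cust-1", "customer_data", date(2013, 1, 1), date(2014, 10, 1)),
    Record("fin-1", "financial_record", date(2010, 1, 1), date(2010, 1, 1)),
    Record("fin-2", "financial_record", date(2007, 1, 1), date(2007, 1, 1)),
    Record("misc-1", "scan", date(2014, 1, 1), date(2014, 1, 1)),
]

if __name__ == "__main__":
    delete_ids, kept = plan(SAMPLE, TODAY)
    print("delete:", delete_ids)
    for rid, why in kept.items():
        print(f"keep    {rid}: {why}")
```

Run against the constructed inventory, the job schedules `mail-1`, `doc-1`, `cust-1` and `fin-2` for deletion and holds back the rest, each with a reason that can be logged and audited. The `review` outcome for an unclassified kind is deliberate: a deletion policy is only as good as the data inventory behind it, and a record nobody has classified is exactly the kind that turns up in a breach dump years later.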

This has always been true, but many organizations have forgotten it in the age of big data. I hope we’ll all remember it now.