by Rob Enderle

Sony Scandal Highlights Why We Need to Rethink Email

Dec 12, 20145 mins
IT LeadershipPrivacySecurity

Email isn’t as secure as it once was -- and it was never that secure to begin with. The recent Sony scandal proves that you need to remind employees that email isn’t private and it could become public accidentally or on purpose.

I woke up Thursday morning hearing about what some producer had written about Angelina Jolie. The night before I’d watched a Daily Show episode where she was lauded as one of the best in her industry and the leaked email from a Sony executive provided an equally descriptive counterpoint. As with anything involving a celebrity it was getting national coverage and it was far from the only juicy email.

The Sony executive is trying to mitigate the fallout by attempting to get people to focus on the folks that hacked into Sony and not the juicy email and, as you might expect, it isn’t working very well.

Before social media, email was how most folks got themselves fired for speaking without thinking. I recall one instance at a firm where I worked where a female employee asked for some help and her manager wrote a note to his manager with the request authorizing it but making some inappropriate side comments about her color, her sex and how unattractive she was.   He mistakenly copied her on the note.

[Related: Sony Working to Remove Stolen Films From File-Sharing Sites and North Korea Denies Role in Sony Hack ]

The employee’s brother, it turned out, was an attorney specializing in labor litigation. That one email cost both managers their jobs and resulted in a big payment to the employee. She then left the company.  

Disney’s Example of ‘On Stage’ vs. ‘Off Stage’ Appropriate Behavior

One of the things that stuck with me after attending Disney University was the concept of “on stage” and “off stage” that is shared by others. At Disney, any time you were in uniform or working at the park you were considered to be “on stage” and expected to act accordingly.   What you do at home wasn’t a concern, but you were to act as if you were on camera anytime anyone else could see you as a part of the company.

This isn’t always easy. There was an incident where someone got in with a knife and attempted to stab a costume-wearing employee (thinking he was a cartoon). In addition, there was a number of attempts to beat these employees up (you are pretty helpless in a costume). Kids would form mobs and make a run at merchandise, and attack the people working the concession stands.

[Slideshow: Keeping Your Data and Email Secure — No Matter the Industry ]

In all cases, the Disney employee was to act appropriately even though some wanted to do anything but. For the most part, though, even under extreme duress, acting appropriately wins out. (I spoke to the guy that the kid had attempted to stab and he was rightfully frightened, but never broke the rule).

Email Isn’t Secure

We have come to realize that social media is like public email, but we are also discovering that email just isn’t as secure as it once was and, actually, it was never as secure as we thought it was. It forms a record of what we might otherwise say and we often, in a rush, write without thinking of the broad implications of what might happen if that email made it to a customer, management, another employee, or, as Sony discovered, the world at large.  

Eric Snowden showcased what could happen if a systems administrator went sideways, and there will always be people with permissions that do unexpected things. With governments increasingly getting into the game of attacking firms and other governments (recall the recently leaked diplomatic emails), we and our employees need to consider the implication that anyone may see what we write.

[Related: Home Depot Says 53 Million Email Addresses Compromised During Breach ]

Some obvious problems are employees who use company email to discuss politics and politicians, topical subjects like causes behind the current nationwide demonstrations (and potentially organizing some of them) and derogatory comments about products or customers.   Recall the derogatory communication from a now ex-Oracle executive about the hardware Oracle sold. They went viral.  

Warning: Email Isn’t Private

Employees need to be reminded that email isn’t private, and it may become public accidentally or on purpose. They need to think about that before they hit send. Avoid discussions not pertaining to business that could reflect badly on the company. Avoid inflammatory language, off-color jokes (jokes in company email generally are a bad idea, given folks often use poor judgment here) and when possible keep things brief and to the point. One of the things that made Steve Ballmer stand out is that he could say in three words what took others several sentences.   Keeping it brief can save a lot of pain later.

There is a tendency to look at things like the Sony scandal and think this couldn’t happen to me. But it can. Years ago I issued an internal report with great detail on the problems in the company and with the products — it was my job as competitive analyst.

The report was leaked to a customer and even though it was heavily and appropriately secured, I almost lost my job anyway. Fortunately, I was able to trace the leak, but I learned the hard way that what I wrote could go places I’d never intended. If employees are taught that same lesson before something happens, such as a litigation discovery or a leak like Sony’s, their jobs will be much more secure.