01 Jun 2003

Up Against The Firewall

Managers and Cyber Security
Re: David Langstaff (MBA 1981); Steve Lipner (PMD 57); Tony Tjan (MBA 1998)
by Garry Emmons


Is your company doing enough to protect itself from cyber attacks? According to several HBS faculty and alumni experts, senior executives need to pay more attention to this potential threat. It makes good business sense — and fulfills a national security obligation as well.

It’s always been someone else’s problem — until now. A phone call from the IT department reports that your company’s computer systems have been accessed by an intruder. Troves of business and financial data, your customers’ as well as your own, have been compromised.

Is this the work of harmless hackers, or professional criminals? What, if anything, has been stolen or destroyed? Do your systems now harbor invisible “sleeper” worms or viruses that will cause more damage later and perhaps move on to attack other, outside systems? What are the company’s liabilities and responsibilities to its various stakeholders — and to law enforcement? How much disclosure is legally required, and how much is appropriate ethically? How will disclosure affect the company’s stock price and prospects for attracting future business?

For any executive, it’s a nightmare scenario, and one that’s becoming increasingly common. Even though many kinds of cyber intrusions are not required to be reported or made public, known U.S. assaults are up nearly 300 percent since 2001, when over 52,000 cyber incidents were recorded. In that year, by some estimates, hacking accounted for $15 billion in damage to the global economy.

While no company can ever be completely safe — even if a firm disconnects from the Internet, unauthorized personnel or disgruntled employees inside the company’s facilities can figure out ways to access its computers — some firms, especially those dealing in nonpublic information and finance, are more inviting targets than others for computer criminals. But any business that uses the Internet is susceptible to indiscriminate attacks by worms and viruses, making the firm potentially liable should those attacking worms and viruses move on to damage others’ systems.

“Cyber security has become too serious a matter to leave to tech departments, no matter how good they may be,” warns HBS assistant professor Robert D. Austin. “That’s because, more than being a technical problem, achieving cyber security is an operational issue that requires managerial action and oversight throughout the entire organization.” In the MBA and Executive Education programs, Austin teaches a case he coauthored (with Larry Leibrock and Alan Murray) called “The iPremier Co.: Denial of Service Attack.” Raising the kinds of questions and dilemmas cited above, the case is an eye-opener for many students. Austin has become used to hearing his executive participants vow to review cyber security safeguards and procedures once they return to their companies.

As Austin tells his students, only senior management has the authority necessary to implement the fundamental, overarching policies that begin to address some of the essential steps toward achieving cyber security. Such actions include assessing the value of the firm’s vital information, the risks to it, and the appropriate degree of accessibility and protection it warrants. There should be regular, consistent, and well–documented procedures and audits regarding the handling, storage, and protection of data and infrastructure configurations. It’s also important to establish crisis management procedures, responses, and responsibilities in the event of an attack.

Despite the mounting danger posed by cyber attacks, most managers probably aren’t doing enough, says David H. Langstaff (MBA ’81), president and CEO of Veridian Corporation of Arlington, Virginia, a knowledge–systems company that works extensively in the area of cyber assurance and security. Explains Langstaff, “For managers, it’s not so much that they don’t want to think about these issues, although many would like to say ‘I’m busy, let the MIS folks take care of it.’ Instead, it’s more likely they don’t get it — they don’t understand the degree to which a company’s livelihood could be impaired or its brand damaged, or the extent of their vulnerability to hackers. Furthermore, they don’t realize that unless senior management, right up to the CEO, is involved in some way, this issue won’t get the attention and investment it deserves throughout the company.”

Hackers can make trouble for a company without even penetrating its internal systems. Using tools readily available on the Internet, rank novices can disable an organization’s Web site, hurting business while giving the firm an embarrassingly public black eye. More serious are the sometimes devastating and often indiscriminate internal intrusions perpetrated by experienced hackers who exploit flaws and weaknesses in widely used software to launch their attacks. “Under the press of business and getting a product to market, some commercial software manufacturers have indulged in a ‘good–enough’ standard,” says Langstaff. “They reason that they can always fix problems in the next version. Security is a variable to be managed. At some point, however, the market will favor a product that offers better security.”

That’s a message being taken to heart at Microsoft, which, by virtue of its high profile and market dominance, has seen its software products become the targets of frequent and occasionally successful attacks. Observes Steven B. Lipner (57th PMD), Microsoft’s director of security assurance, “With organizations moving to a higher level of connectivity via the Internet, security has become a major issue for everybody, both suppliers and end–users.” Lipner is in charge of Microsoft’s Security Response Center, which investigates suspected vulnerabilities and problems with the company’s software and orchestrates immediate action (such as posting security patches) to deal with them. He is also involved in longer–term efforts to improve the security of all Microsoft products.

“Aside from customer demand for security,” Lipner explains, “we believe that, for us, it’s an industry leadership issue. Over a year ago, Bill Gates put a stake in the ground and said we’re going to focus the company on trustworthy computing around the principles of security, privacy, availability, and business integrity. This is a major, long-term, company-wide initiative.”

HBS professor Lynda M. Applegate examines cyber security issues as part of her MBA course Building Businesses in Turbulent Times. She sits on the advisory council for Nasdaq (for whom, she notes, cyber security is paramount) and formerly served as an advisor to President Clinton’s Commission on Critical Infrastructure Protection. “Everybody is more aware of security and taking things more seriously in terms of accountability,” she says. “Since it’s almost impossible to fully protect any network structure, the key is to install systems, policies, and procedures to detect if anyone successfully intrudes, and then to know how to respond. Security is not just firewalls.”

Indeed, a reliance on technological defenses can breed a false sense of security, since constant innovation and increasingly complex systems create perpetually moving targets. Anthony K. Tjan (MBA ’98), the cofounder and former EVP of ZEFER, the pioneering Internet consulting firm, is now a senior partner at The Parthenon Group, a Boston–based consulting firm. He notes that with the rise of wireless networks has come a sometimes disturbing lack of security. In virtually any metropolitan center these days, unsecured “hot spots” can be found and exploited. It is, he says, an example of “the twin–headed dilemma of new technology — introducing better productivity and novelty into the workplace before fully understanding its implications, including security concerns.” Tjan stresses that one of the most effective protections for firms is physically securing offices and equipment against unauthorized use, in conjunction with employee education with regard to protecting the organization and the workplace environment.

Veridian’s Langstaff concurs. For most companies, he says, “It’s amazing how large a percentage of cyber attacks are completely preventable by maintaining good systems and simple practices such as password rotation and installing patches for known vulnerabilities. Combined with oversight and regular review of policies and procedures throughout the organization, that should leave a company in good shape. But the responsibility for this standard has to be explicit and must be voiced at a level above the IT department.”
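As an added illustration (not from the article, and not Veridian's, Microsoft's or HBS's code), the following Python script shows how the "simple practices" Langstaff names, installing patches for known vulnerabilities and rotating passwords, can be turned into a mechanical audit whose findings can be reported and reviewed above the IT department. The host names, package names, version numbers, advisory identifiers and account records are all constructed for the example; a real deployment would pull them from an asset inventory, the vendors' security bulletins and the directory service.

```python
from datetime import date

# Constructed sample data: hypothetical advisories mapping a package name to
# the first fixed version and a made-up advisory identifier.
KNOWN_VULNERABLE = {
    "webserver": ("2.4.1", "ADV-EXAMPLE-001"),
    "mailer": ("1.9.0", "ADV-EXAMPLE-002"),
}

# Constructed asset inventory: which packages, at which versions, each host runs.
INVENTORY = [
    {"host": "web01", "packages": {"webserver": "2.3.9", "mailer": "1.9.2"}},
    {"host": "web02", "packages": {"webserver": "2.4.1"}},
    {"host": "mail01", "packages": {"mailer": "1.8.7", "webserver": "2.4.3"}},
]

# Constructed account records: when each password was last changed.
ACCOUNTS = [
    {"user": "alice", "last_password_change": date(2003, 5, 20)},
    {"user": "svc_backup", "last_password_change": date(2002, 11, 1)},
    {"user": "bob", "last_password_change": date(2003, 2, 28)},
]


def version_tuple(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as
    strings (a string comparison would wrongly rank '2.10.0' below '2.9.0')."""
    return tuple(int(part) for part in version.split("."))


def unpatched_packages(inventory, vulnerable):
    """Return (host, package, installed, fixed_in, advisory) for every package
    that is older than the version an advisory says fixes it."""
    findings = []
    for host in inventory:
        for package, installed in host["packages"].items():
            if package not in vulnerable:
                continue
            fixed_in, advisory = vulnerable[package]
            if version_tuple(installed) < version_tuple(fixed_in):
                findings.append((host["host"], package, installed, fixed_in, advisory))
    return findings


def stale_passwords(accounts, today, max_age_days=90):
    """Return the users whose password is older than the rotation policy allows."""
    return [
        account["user"]
        for account in accounts
        if (today - account["last_password_change"]).days > max_age_days
    ]


def audit_summary(inventory, accounts, vulnerable, today, max_age_days=90):
    """Roll both checks into the short status a senior-management review
    would want: counts, the items needing action, and a single pass/fail."""
    patches = unpatched_packages(inventory, vulnerable)
    stale = stale_passwords(accounts, today, max_age_days)
    return {
        "hosts_checked": len(inventory),
        "unpatched": patches,
        "stale_passwords": stale,
        "compliant": not patches and not stale,
    }


if __name__ == "__main__":
    report = audit_summary(INVENTORY, ACCOUNTS, KNOWN_VULNERABLE, date(2003, 6, 1))
    for host, package, installed, fixed_in, advisory in report["unpatched"]:
        print(f"{host}: {package} {installed} < {fixed_in} ({advisory})")
    for user in report["stale_passwords"]:
        print(f"password rotation overdue: {user}")
    print("compliant" if report["compliant"] else "NOT compliant")
```

The value of a check like this is less in the code than in the fact that its output is explicit and reviewable: a one-line "compliant / NOT compliant" result, with the offending hosts and accounts listed, is something a CEO can ask for every month, which is the kind of oversight above the IT department that Langstaff is calling for.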

Concludes Lynda Applegate, “If companies are participating in and connected to the networked economy, they need to put in place the same level of security that they would for any vital resource. You don’t have to be doing important business across boundaries to have somebody break in and do a significant amount of damage. There’s not a simple, one–stop thing you can do — what’s required is the implementation by senior management of an entire set of organizational responses that address infrastructure, operations, controls, and processes.”
