01 Jun 2003
Up Against The Firewall
Managers and Cyber Security
Re: David Langstaff (MBA 1981); Steve Lipner (PMD 57); Tony Tjan (MBA 1998)
By Garry Emmons
Is your company doing enough to protect itself from cyber attacks? According to several HBS faculty and alumni
experts, senior executives need to pay more attention to this potential threat. It makes good business sense and
fulfills a national security obligation as well.
It's always been someone else's problem, until now. A phone call from the IT department reports that your company's
computer systems have been accessed by an intruder. Troves of business and financial data, your customers' as well as
your own, have been compromised.
Is this the work of harmless hackers, or professional criminals? What, if anything, has been stolen or destroyed? Do
your systems now harbor invisible sleeper worms or viruses that will cause more damage later and perhaps move on to
attack other, outside systems? What are the company's liabilities and responsibilities to its various stakeholders
and to law enforcement? How much disclosure is legally required, and how much is appropriate ethically? How will
disclosure affect the company's stock price and prospects for attracting future business?
For any executive, it's a nightmare scenario, and one that's becoming increasingly common. Even though many kinds of
cyber intrusions are not required to be reported or made public, known U.S. assaults are up nearly 300 percent since
2001, when over 52,000 cyber incidents were recorded. In that year, by some estimates, hacking accounted for $15
billion in damage to the global economy.
While no company can ever be completely safe (even if a firm disconnects from the Internet, unauthorized personnel or
disgruntled employees inside the company's facilities can figure out ways to access its computers), some firms,
especially those dealing in nonpublic information and finance, are more inviting targets than others for computer
criminals. But any business that uses the Internet is susceptible to indiscriminate attacks by worms and viruses,
making the firm potentially liable should those attacking worms and viruses move on to damage others' systems.
"Cyber security has become too serious a matter to leave to tech departments, no matter how good they may be," warns
HBS assistant professor Robert D. Austin. That's because, more than being a technical problem, achieving cyber
security is an operational issue that requires managerial action and oversight throughout the entire organization. In
the MBA and Executive Education programs, Austin teaches a case he coauthored (with Larry Leibrock and Alan Murray)
called "The iPremier Co.: Denial of Service Attack." Raising the kinds of questions and dilemmas cited above, the case
is an eye-opener for many students. Austin has become used to hearing his executive participants vow to review cyber
security safeguards and procedures once they return to their companies.
As Austin tells his students, only senior management has the authority necessary to implement the fundamental,
overarching policies that begin to address some of the essential steps toward achieving cyber security. Such actions
include assessing the value of the firm's vital information, the risks to it, and the appropriate degree of
accessibility and protection it warrants. There should be regular, consistent, and well-documented procedures and
audits regarding the handling, storage, and protection of data and infrastructure configurations. It's also important
to establish crisis management procedures, responses, and responsibilities in the event of an attack.
Despite the mounting danger posed by cyber attacks, most managers probably aren't doing enough, says David H.
Langstaff (MBA '81), president and CEO of Veridian Corporation of Arlington, Virginia, a knowledge-systems company
that works extensively in the area of cyber assurance and security. Explains Langstaff, "For managers, it's not so
much that they don't want to think about these issues, although many would like to say 'I'm busy, let the MIS folks
take care of it.' Instead, it's more likely they don't get it; they don't understand the degree to which a company's
livelihood could be impaired or its brand damaged, or the extent of their vulnerability to hackers. Furthermore, they
don't realize that unless senior management, right up to the CEO, is involved in some way, this issue won't get the
attention and investment it deserves throughout the company."
Hackers can make trouble for a company without even penetrating its internal systems. Using tools readily available on
the Internet, rank novices can disable an organization's Web site, hurting business while giving the firm an
embarrassingly public black eye. More serious are the sometimes devastating and often indiscriminate internal
intrusions perpetrated by experienced hackers who exploit flaws and weaknesses in widely used software to launch their
attacks. "Under the press of business and getting a product to market, some commercial software manufacturers have
indulged in a 'good-enough' standard," says Langstaff. "They reason that they can always fix problems in the next
version. Security is a variable to be managed. At some point, however, the market will favor a product that offers
That's a message being taken to heart at Microsoft, which, by virtue of its high profile and market dominance, has
seen its software products become the targets of frequent and occasionally successful attacks. Observes Steven B.
Lipner (57th PMD), Microsoft's director of security assurance, "With organizations moving to a higher level of
connectivity via the Internet, security has become a major issue for everybody, both suppliers and end-users." Lipner
is in charge of Microsoft's Security Response Center, which investigates suspected vulnerabilities and problems with
the company's software and orchestrates immediate action (such as posting security patches) to deal with them. He is
also involved in longer-term efforts to improve the security of all Microsoft products.
"Aside from customer demand for security," Lipner explains, "we believe that, for us, it's an industry leadership
issue. Over a year ago, Bill Gates put a stake in the ground and said we're going to focus the company on trustworthy
computing around the principles of security, privacy, availability, and business integrity. This is a major,
long-term, company-wide initiative."
HBS professor Lynda M. Applegate examines cyber security issues as part of her MBA course "Building Businesses in
Turbulent Times." She sits on the advisory council for Nasdaq (for whom, she notes, cyber security is paramount) and
formerly served as an advisor to President Clinton's Commission on Critical Infrastructure Protection. "Everybody is
more aware of security and taking things more seriously in terms of accountability," she says. "Since it's almost
impossible to fully protect any network structure, the key is to install systems, policies, and procedures to detect
if anyone successfully intrudes, and then to know how to respond. Security is not just firewalls."
Indeed, a reliance on technological defenses can breed a false sense of security, since constant innovation and
increasingly complex systems create perpetually moving targets. Anthony K. Tjan (MBA '98), the cofounder and former
EVP of ZEFER, the pioneering Internet consulting firm, is now a senior partner at The Parthenon Group, a Boston-based
consulting firm. He notes that with the rise of wireless networks has come a sometimes disturbing
lack of security. In virtually any metropolitan center these days, unsecured hot spots can be found and exploited.
It is, he says, an example of the "twin-headed dilemma" of new technology introducing better productivity and novelty
into the workplace before fully understanding its implications, including security concerns. Tjan stresses that one
of the most effective protections for firms is physically securing offices and equipment against unauthorized use, in
conjunction with employee education with regard to protecting the organization and the workplace environment.
Veridian's Langstaff concurs. For most companies, he says, "It's amazing how large a percentage of cyber attacks are
completely preventable by maintaining good systems and simple practices such as password rotation and installing
patches for known vulnerabilities. Combined with oversight and regular review of policies and procedures throughout
the organization, that should leave a company in good shape. But the responsibility for this standard has to be
explicit and must be voiced at a level above the IT department."
Concludes Lynda Applegate, "If companies are participating in and connected to the networked economy, they need to
put in place the same level of security that they would for any vital resource. You don't have to be doing important
business across boundaries to have somebody break in and do a significant amount of damage. There's not a simple,
one-stop thing you can do; what's required is the implementation by senior management of an entire set of
organizational responses that address infrastructure, operations, controls, and processes."