Up Against The Firewall
Is your company doing enough to protect itself from cyber attacks? According to several HBS faculty and alumni experts, senior executives need to pay more attention to this potential threat. It makes good business sense and fulfills a national security obligation as well.
It's always been someone else's problem, until now. A phone call from the IT department reports that your company's computer systems have been accessed by an intruder. Troves of business and financial data, your customers' as well as your own, have been compromised.
Is this the work of harmless hackers, or professional criminals? What, if anything, has been stolen or destroyed? Do your systems now harbor invisible "sleeper" worms or viruses that will cause more damage later and perhaps move on to attack other, outside systems? What are the company's liabilities and responsibilities to its various stakeholders and to law enforcement? How much disclosure is legally required, and how much is appropriate ethically? How will disclosure affect the company's stock price and prospects for attracting future business?
For any executive, it's a nightmare scenario, and one that's becoming increasingly common. Even though many kinds of cyber intrusions are not required to be reported or made public, known U.S. assaults are up nearly 300 percent since 2001, when over 52,000 cyber incidents were recorded. In that year, by some estimates, hacking accounted for $15 billion in damage to the global economy.
While no company can ever be completely safe (even if a firm disconnects from the Internet, unauthorized personnel or disgruntled employees inside the company's facilities can figure out ways to access its computers), some firms, especially those dealing in nonpublic information and finance, are more inviting targets than others for computer criminals. But any business that uses the Internet is susceptible to indiscriminate attacks by worms and viruses, making the firm potentially liable should those attacking worms and viruses move on to damage others' systems.
"Cyber security has become too serious a matter to leave to tech departments, no matter how good they may be," warns HBS assistant professor Robert D. Austin. That's because, more than being a technical problem, achieving cyber security is an operational issue that requires managerial action and oversight throughout the entire organization. In the MBA and Executive Education programs, Austin teaches a case he coauthored (with Larry Leibrock and Alan Murray) called "The iPremier Co.: Denial of Service Attack." Raising the kinds of questions and dilemmas cited above, the case is an eye-opener for many students. Austin has become used to hearing his executive participants vow to review cyber security safeguards and procedures once they return to their companies.
As Austin tells his students, only senior management has the authority necessary to implement the fundamental, overarching policies that begin to address some of the essential steps toward achieving cyber security. Such actions include assessing the value of the firm's vital information, the risks to it, and the appropriate degree of accessibility and protection it warrants. There should be regular, consistent, and well-documented procedures and audits regarding the handling, storage, and protection of data and infrastructure configurations. It's also important to establish crisis management procedures, responses, and responsibilities in the event of an attack.
Despite the mounting danger posed by cyber attacks, most managers probably aren't doing enough, says David H. Langstaff (MBA 1981), president and CEO of Veridian Corporation of Arlington, Virginia, a knowledge-systems company that works extensively in the area of cyber assurance and security. Explains Langstaff, "For managers, it's not so much that they don't want to think about these issues, although many would like to say 'I'm busy, let the MIS folks take care of it.' Instead, it's more likely they don't get it; they don't understand the degree to which a company's livelihood could be impaired or its brand damaged, or the extent of their vulnerability to hackers. Furthermore, they don't realize that unless senior management, right up to the CEO, is involved in some way, this issue won't get the attention and investment it deserves throughout the company."
Hackers can make trouble for a company without even penetrating its internal systems. Using tools readily available on the Internet, rank novices can disable an organization's Web site, hurting business while giving the firm an embarrassingly public black eye. More serious are the sometimes devastating and often indiscriminate internal intrusions perpetrated by experienced hackers who exploit flaws and weaknesses in widely used software to launch their attacks. "Under the press of business and getting a product to market, some commercial software manufacturers have indulged in a 'good-enough' standard," says Langstaff. "They reason that they can always fix problems in the next version. Security is a variable to be managed. At some point, however, the market will favor a product that offers better security."
That's a message being taken to heart at Microsoft, which, by virtue of its high profile and market dominance, has seen its software products become the targets of frequent and occasionally successful attacks. Observes Steven B. Lipner (PMD 57, 1989), Microsoft's director of security assurance, "With organizations moving to a higher level of connectivity via the Internet, security has become a major issue for everybody, both suppliers and end-users." Lipner is in charge of Microsoft's Security Response Center, which investigates suspected vulnerabilities and problems with the company's software and orchestrates immediate action (such as posting security patches) to deal with them. He is also involved in longer-term efforts to improve the security of all Microsoft products.
"Aside from customer demand for security," Lipner explains, "we believe that, for us, it's an industry leadership issue. Over a year ago, Bill Gates put a stake in the ground and said we're going to focus the company on 'trustworthy computing' around the principles of security, privacy, availability, and business integrity. This is a major, long-term, company-wide initiative."
HBS professor Lynda M. Applegate examines cyber security issues as part of her MBA course Building Businesses in Turbulent Times. She sits on the advisory council for Nasdaq (for whom, she notes, cyber security is paramount) and formerly served as an advisor to President Clinton's Commission on Critical Infrastructure Protection. "Everybody is more aware of security and taking things more seriously in terms of accountability," she says. "Since it's almost impossible to fully protect any network structure, the key is to install systems, policies, and procedures to detect if anyone successfully intrudes, and then to know how to respond. Security is not just firewalls."
Indeed, a reliance on technological defenses can breed a false sense of security, since constant innovation and increasingly complex systems create perpetually moving targets. Anthony K. Tjan (MBA 1998), the cofounder and former EVP of ZEFER, the pioneering Internet consulting firm, is now a senior partner at The Parthenon Group, a Boston-based consulting firm. He notes that with the rise of wireless networks has come a sometimes disturbing lack of security. In virtually any metropolitan center these days, unsecured "hot spots" can be found and exploited. It is, he says, "an example of the twin-headed dilemma of new technology introducing better productivity and novelty into the workplace before fully understanding its implications, including security concerns." Tjan stresses that one of the most effective protections for firms is physically securing offices and equipment against unauthorized use, in conjunction with employee education with regard to protecting the organization and the workplace environment.
Veridian's Langstaff concurs. For most companies, he says, "It's amazing how large a percentage of cyber attacks are completely preventable by maintaining good systems and simple practices such as password rotation and installing patches for known vulnerabilities. Combined with oversight and regular review of policies and procedures throughout the organization, that should leave a company in good shape. But the responsibility for this standard has to be explicit and must be voiced at a level above the IT department."
Concludes Lynda Applegate, "If companies are participating in and connected to the networked economy, they need to put in place the same level of security that they would for any vital resource. You don't have to be doing important business across boundaries to have somebody break in and do a significant amount of damage. There's not a simple, one-stop thing you can do; what's required is the implementation by senior management of an entire set of organizational responses that address infrastructure, operations, controls, and processes."