Calgary Herald

Businesses face growing threat of cyber attacks

Companies must encourage employees to report unusual activity, expert says

- AMANDA STEPHENSON astephenson@postmedia.com Twitter.com/AmandaMsteph

Many corporations remain unaware of the threat a cyber attack poses to their organizations until it is too late, executives at a business conference in Banff were warned Thursday.

Microsoft’s Chris White told the crowd at the 2018 Global Business Forum that cyber warfare represents the “next frontier” for organized crime, state-sponsored espionage, hacktivists, and anarchists. But many companies remain blissfully ignorant of the risks, only finding out after an attack has been successful that their proprietary technology, financial information or customer data has been exposed.

White, whose team develops software for data analysis aimed at helping to fight digital crime and worldwide tech scams, pointed to U.S. energy giant Marathon Oil, which was subject to a series of sophisticated cyberattacks in 2008. The attacks, which originated from Chinese servers, targeted company-held information about oil deposits. But Marathon didn’t realize it had been attacked until it was alerted by the FBI in 2009.

White also pointed to a Canadian example, Nortel Networks.

“There were no reports of holes or bullet holes in Nortel — and then it turned out the company had been infiltrated for a decade and then it fell to pieces,” White said. “There are many, many examples like this where after the fact … only then do you find out there was hacking.”

The global risk posed by cyber warfare means if companies are not talking about the issue at the C-suite and board level, they should be, said Janice Hamby, a retired U.S. Navy rear admiral and past chancellor of the United States National Defense University College of Information and Cyberspace.

Hamby told the Banff audience that although executives are not required to be technical experts when it comes to cybersecurity, they are responsible for knowing the risks and demonstrating leadership by taking steps to mitigate them. Executives have a responsibility to their shareholders and customers to take simple protective measures, including making sure all devices connected to company networks are accounted for and available security patches are installed.

Executives should also be aware of where the “crown jewels” of their company — the valuable proprietary information and customer data — are stored on the network and where all the access parts to that information are. And they should understand how company information systems are backed up and how the information would be recovered in the event of an attack.

Companies also need to encourage employees to come forward if they notice something unusual on the network, Hamby said.

“You need to have a culture that is ready to accept and hear from someone who says, ‘I clicked on an email that I shouldn’t have,’” she said. “Because the faster they’ll report that sort of thing, the faster you can clean it up.”

Finally, Hamby said even if companies haven’t yet experienced a significant cyber attack, they should have a response plan ready for when they do. They need to be able to communicate to clients, shareholders and the public what happened, what the damages are and how it is being remedied.

“There are two kinds of organizations. Those that have been penetrated and those who don’t know they’ve been penetrated,” Hamby said. “So you need to have a response ready to go, you need to rehearse it and you need to have senior leadership be part of those rehearsals.”

The theme of this year’s Global Business Forum is “Seizing Opportunities While Managing Risk.” The forum continues Friday at the Fairmont Banff Springs.


JIM WELLS Microsoft’s Chris White says many companies are ignorant of cyber attack risks, and only find out after an attack has been successful and their technology and financial information has been compromised.