there are others who work outside their business and ethical framework; and (b) define security as a function that works for you by supporting value-creating business processes.
BENNETT: One of the key considerations is motivation. The two main business-attack motivations are money/greed and reputation. People behave differently according to their motivation and the type of business they’re attacking. Stealing factory operations know-how is different from stealing information about the pricing of a product that’s about to be launched. Both of these are very different from destroying the competition by destroying its reputation.

As a business owner, you have to ask, “In what ways am I vulnerable in the electronic world? Who could attack me, why would they want to, and what would they want to do?”
CLARK: Is it the feeling around the table that industry is more sensitized to the confidentiality associated with cyber attack, rather than treating availability and integrity as equally
BORG: Companies are sensitive to the confidentiality of the information they designate as intellectual property. They are not as sensitive to the confidentiality of their control systems, their corporate email messages, or just about anything else they are doing. They do not appreciate the scale of the loss they can suffer from that other information being accessed by

Jim Lewis (http://csis.org/expert/james-andrew-lewis) tells about a relatively small regional furniture company—not a business you think of as having key intellectual properties—that became an international target. This company had its furniture designs stolen by a Southeast Asian furniture manufacturer that went on to undercut the price.

If you look at your company from an attacker’s viewpoint, then you can usually tell whether your company is a target and what specifically would be attractive. It is all about market-sector leadership, anyplace where the company stands out—for example, technology, cost, style and fashion, or even aggressive market expansion.
CLARK: Many of our adversaries play a very long game and do it very well. In the U.S./U.K. style of business we get caught up in quarterly or annual metrics and are not well educated in the long game. Are we naïve in not thinking more about the long game?
BORG: We have many people representing companies who are not properly incentivized to work in the company’s long-term best interest. They are compensated on how they did that quarter or that year and not on whether their actions will cause serious crisis four or five years down the road.
CLARK: What advice can we give to IT managers and business leaders to mitigate these threats? Part of the answer is that we need broader education about the nature of threats and we need to understand the long game. I see the attacks on the furniture manufacturer as a long-game play. One waits until the target is ripe for picking, takes it, and moves on.
CREEGER: There is a lot of inertia to making changes in IT to address these issues. What suggestions do you have that would empower an IT person to say to management: “The survival and success of our business depends on you listening to my issues and acting on my recommendations.”
NORTON: It has to be done through examples, and people don’t want to publicize their attack problems.
BORG: My organization has been warned that we can tell these stories, but if we ever get specific enough that someone can identify one of these companies, then the executives of those companies will be sued by the shareholders, the executives will sue us, the supposed beneficiaries of the attacks will sue, and their business partners will sue as well.
CREEGER: How are we going to share our collective wisdom?
NORTON: We can use the airline industry as a model. If you’re a pilot of a plane that has a near miss, you can create an anonymous statement about what happened, when it happened, and so on.
CLARK: I can give an example of a breached business that was responsible for placing contractors in high-tech organizations. All of its data was based around individual CVs. An employee at that company chose to extract that data using a USB flash