Communications - December 2010

mache Creeger Steve Bourne Louise Bennett Jeremy Epstein

there are others who work outside their business and ethical framework; and (b) define security as a function that works for you by supporting val-ue-creating business processes.

BEnnETT: One of the key considerations is motivation. The two main business-attack motivations are money/greed and reputation. People behave differently according to their motivation and the type of business they’re attacking. Stealing factory operations know-how is different from stealing information about the pricing of a product that’s about to be launched. Both of these are very different from destroying the competition by destroying its reputation.

As a business owner, you have to ask, “In what ways am I vulnerable in the electronic world? Who could attack me, why would they want to, and what would they want to do?”

CLaRK: Is it the feeling around the table that industry is more sensitized to the confidentiality associated with cyber attack, rather than treating availability and integrity as equally important issues?

BoRG: Companies are sensitive to the confidentiality of the information they designate as intellectual property. They are not as sensitive to the confidentiality of their control systems, their corporate email messages, or just about anything else they are doing. They do not appreciate the scale of the loss they can suffer from that other information being accessed by an outsider.

Jim Lewis ( http://csis.org/expert/ james-andrew-lewis) tells about a relatively small regional furniture company—not a business you think of as having key intellectual properties—that became an international target. This company had its furniture designs stolen by a Southeast Asian furniture manufacturer that went on to undercut the price.

If you look at your company from an attacker’s viewpoint, then you can usually tell whether your company is a target and what specifically would be attractive. It is all about market-sector leadership, anyplace where the company stands out—for example, technology, cost, style and fashion, or even aggressive market expansion.

CLaRK: Many of our adversaries play

a very long game and do it very well. In the U.S./U.K. style of business we get caught up in quarterly or annual metrics and are not well educated in the long game. Are we naïve in not thinking more about the long game?

BoRG: We have many people representing companies who are not properly incentivized to work in the company’s long-term best interest. They are compensated on how they did that quarter or that year and not on whether their actions will cause serious crisis four or five years down the road.

CLaRK: What advice can we give to IT managers and business leaders to mitigate these threats? Part of the answer is that we need broader education about the nature of threats and we need to understand the long game. I see the attacks on the furniture manufacturer as a long-game play. One waits until the target is ripe for picking, takes it, and moves on.

CREEGER: There is a lot of inertia to making changes in IT to address these issues. What suggestions do you have that would empower an IT person to say to management: “The survival and success of our business depends on you listening to my issues and acting on my recommendations.”

noRTon: It has to be done through examples, and people don’t want to publicize their attack problems.

BoRG: My organization has been warned that we can tell these stories, but if we ever get specific enough that someone can identify one of these companies, then the executives of those companies will be sued by the shareholders, the executives will sue us, the supposed beneficiaries of the attacks will sue, and their business partners will sue as well.

CREEGER: How are we going share our collective wisdom?

noRTon: We can use the airline industry as a model. If you’re a pilot of a plane that has a near miss, you can create an anonymous statement about what happened, when it happened, and so on.

CLaRK: I can give an example of a breached business that was responsible for placing contractors in high-tech organizations. All of its data was based around individual CVs. An employee at that company chose to extract that data using a USB flash