“There are only two kinds of companies in the United States: those who have been hacked and know it, and those who have been hacked and do not know it.”
Thus spake Richard Clarke, consultant to US presidents, at an October 10 joint breakfast meeting of the Greater Boston Chamber of Commerce and NACD New England.
Also on the panel: Art Coviello, EVP at EMC; Chris Goggans (billed as “one of the world’s most famous hackers” and now vice president of a security consulting firm); moderator Jeff Brown, Chief Information Security Officer for Raytheon. A subsequent blog will address appropriate director response; below are highpoints of the panel:
- Any company’s system can be hacked. Hacking should be viewed as a risk management issue; what are the “crown jewels” of information that must be protected, and how can you protect that information?
- IT systems are dynamic and changing, with proliferation of devices accessing the internet and your company. Thus no preventative program is fool-proof.
- Every company should have a “warning system” that monitors information systems continually, to find the hack early and thus reduce the “dwell time” during which the hacker is sitting in your system.
- Certain foreign governments (China and Russia were mentioned) hack US companies and turn over trade secrets to their own domestic companies.
- While at least one major company does not “go to the cloud,” because the cloud broadens the “attack surface” over which an intrusion can occur, smaller companies may be well served in the cloud because they may thus benefit from cloud-based security services they could not otherwise afford.
- If you suffer a “material hack,” the SEC requires disclosure by public companies. Forty-eight states require notice to customers if their personal information is compromised. Contractual arrangements may require cyber network protection, mediation and indemnification from counterparties.
- Publicity for a company that has been hacked can be devastating; you need a plan not only to limit or shorten hacks, but also to deal with the press, the general public and your important constituencies such as customers.