The San Francisco transport system's payment software was hacked in 2016

Tax inspectors, the fraud squad, the regulator’s enforcement director. Latterly, chief executives have had to add a new group to the list of people they would rather not hear are waiting in the lobby: secret agents.

When MI5 or the Federal Bureau of Investigation tells a company that hackers have attacked, it does not surprise me to learn that the boss’s first reaction is self-preservation. Chief executives figure they need not worry about the theft of valuable intellectual property, because the repercussions may not hit until their successor is in charge, if they hit at all. So law enforcers sometimes include a few of the chief executive’s stolen personal emails in their dossier for him or her: it tends to concentrate their minds.

Their tactic points to two factors that are increasingly vital in handling malicious hacking. First, the main weaknesses in most organisations are not technological — flammable firewalls, shaky software — but human. Second, the quest to improve cyber security will unearth management defects: in this case, the extreme short-termism and self-interest of the CEO.

Since a villain pressed send on the first phishing email, the human factor has played a part in cyber plots.

So-called Nigerian scams — where the widow of a general promises you money to help transfer their fortune — are crude for a reason: the gullible few who believe the first letter are most likely to swallow the whole tale.

More recently, criminals have started fabricating attacks, to extort money from a company or destabilise its share price. Again, the approach exploits basic human frailty. As a senior executive, you may well not know whether the hack is real or not (it still takes at least 99 days for companies to discover a breach, says consultancy Mandiant), so are you prepared to risk denouncing the news as fake?

You may by now be hunched in your office, gibbering in helpless paranoia. But on the assumption all big companies are under hostile cyber fire all the time — Volkswagen said last year it was facing 6,000 attacks a week — you would be better recasting the threat as an opportunity.

As Amitava Dutta and Kevin McCrohan of George Mason University wrote presciently in 2002, in the early days of cyber risk, “information security is not a technical issue; it is a management issue”. Leadership, culture and structure (or lack of them) have a “significant impact” on what happens in an attack. So reassess your company’s priorities. The theft of research data may not hurt in the way a cyber-burglary of your private emails does, but it is far more material to the long-term health of the company.

Spring-clean your structure. Finding out what information you hold, and where, is an excuse to declutter subsidiaries as well as servers.

Update lines of communication, internal and external, and re-examine what your response will say about your attitude to different interests. Yahoo failed for two years to disclose a huge security breach as it sought to sell its core business, inviting criticism from users, investors and watchdogs.

Make sure your staff are engaged. Carelessness about security may suggest waning loyalty and lead to recklessness and, worse, malevolent attacks from the inside.

Review your network. Suppliers’ lax controls could easily spread infection to your company.

Finally, get ready. Executives’ first reaction to a breach is often “Who did this to me?”, followed by a search for the “guilty”, Dave Palmer of Darktrace, a cyber technology group, told a recent FT125 debate. Others succumb to what one lawyer called “decisive inertia”, or default to the wrong response, a bit like the mayor of Amity, the fictional seaside resort in Jaws, who kept the beach open for the good of the city while ignoring growing evidence of lethal shark activity.

By contrast, when San Francisco’s public transit system was held hostage by cyber attackers last year, managers could decide quickly to open the gates and allow free travel. But if hackers had compromised safety rather than payments, the correct decision would have been to close the network.

Elizabeth Corley, vice-chair of Allianz Global Investors, told the same FT125 delegates that boards were going through “a revolution”. Good cyber security, like worker health and safety, is becoming obligatory, she said.

Her comment reminded me of how, as new chief executive of Alcoa, Paul O’Neill focused the aluminium manufacturer on improving worker safety in the 1980s. Investors were perplexed. But Charles Duhigg recounts in The Power of Habit that the policy triggered “a chain reaction . . . that lifted profits”.

In the same way, hackers may be inadvertently performing a useful service: prompting executives to patch the human weaknesses at the heart of their organisations.

andrew.hill@ft.com

Twitter: @andrewtghill

Copyright The Financial Times Limited 2017. All rights reserved.