MBA Alumni Lounge
Not only top managers but also employees, more often than not, make light of the risk of cyberattacks. Their rather relaxed attitude towards the issue can be very dangerous, though. On the occasion of this year's last MBA Alumni Lounge, which took place at Erste Campus on November 22, 2018, experts explored the question of what businesses absolutely need to do when it comes to successfully protecting themselves against cybercriminals.
Scenario 1. You are the CEO of Credit Homeland Bank. Recently, your bank took over Grayland, a fintech outfit. In the future, clients seeking to take out loans will be required to meet stricter requirements. And all of a sudden it happens.
The bank's website has been hacked. “Go home, let people live in peace,” it says in huge letters. How will you react?
Scenario 2. You hold the position of prime minister. The tap water in a region of your country is contaminated. A cyberattack has caused a water-treatment plant to malfunction. More and more people end up hospitalized in life-threatening conditions. How will you react?
These are questions that gave the approximately 100 audience members attending the WU Executive Academy's MBA Alumni Lounge on the topic of “Companies under Cyberattack” plenty of food for serious thought; questions that were raised in the course of a simulation by BHC Laboratory, a cybersecurity agency; and questions that are addressed all too rarely in boardrooms across the country.
According to Kapsch BusinessCom's cybersecurity report, the worldwide number of cyberattacks on businesses increased by 40% between 2016 and 2017. Experts say there is a great risk that cybercrime does not get talked about. “We see TV coverage of wars in Afghanistan and Syria, but cyberwar remains invisible to us,” explained Lauri Allman, Board Member of BHC Laboratory. He has dealt with a wide range of cyberattacks in his career; BHC's clients include international groups and governments. “Cyberattacks on businesses happen every day, and they are of concern not only to IT departments but, to a considerable extent, also to management,” he continued, adding that a company's values and reputation as well as its ability to act were at stake, after all. “That's why doing such simulations is so important. It helps you be prepared if the real thing happens,” said Lauri Allman, stressing that PR divisions too needed to be sensitized to this issue.
The event also featured a panel discussion of top managers, at the beginning of which the panelists explored the question of how to specifically deal with cyberattacks on businesses. “Most managers underestimate the impact of such attacks,” said Jochen Borenich, COO of Kapsch BusinessCom, which provides cybersecurity IT services for SMEs and corporate groups. According to him, it takes businesses an average of 175 days to notice they have fallen victim to cyberattackers. Thomas Stubbings, Chairman of the cybersecurity platform of the Austrian government, also took the view that corporate managers should become more proactive about this issue: “There is widespread ignorance. The reason cybercriminals are so successful is that businesses fail to take basic steps to protect themselves.” He went on to stress it was a misconception to assume that smaller businesses were less likely to be attacked by cybercriminals: “Everyone's at risk. What cybercriminals are interested in is not market capitalization but the lack of adequate protection.” Lauri Allman pointed out the huge differences in terms of quality and price tag that exist between the cybersecurity solutions available on the market.
While addressing top managers, Reinhold Wochner, Head of Group Security Management at ERSTE Group, said: “If those at the top don't follow the basic rules, those further down the hierarchy won't do it either.” Moreover, he highlighted how difficult it was to find competent IT specialists: “There is a skills shortage on the market.” Jochen Borenich agreed, adding that, as a result, businesses frequently outsourced cybersecurity-related matters to IT service providers such as Kapsch BusinessCom. He also mentioned that the risk of cyberattacks was rapidly increasing as more and more products and services relied on digitization: “According to a report by Cisco, some 50 billion connected devices will be linked to one another over the Web by 2020.”
Thomas Stubbings pointed out that the main targets of almost all cyberattacks were humans. Reinhold Wochner commented it was astonishing that so many people fell victim to phishing e-mails. And Lauri Allman stressed that in 69% of cases attacks succeeded also, and indeed in particular, because employees who had fallen into such traps were reluctant to share important information about them out of embarrassment. According to an online survey that he has launched and that more than 200,000 users have completed so far, 77% of the respondents would be willing to use somebody else's USB flash drive, and 90% would even use one they have found, provided it carries a logo.
Erste Bank had, thus, developed “George”, a smart online banking alternative providing the group's retail clients with secure solutions, explained Reinhold Wochner. “If we notice irregularities in a company's IT system, we help it fight cybercrime,” he continued.
Thomas Stubbings said that by now the EU had come to understand that cyberattacks were a real threat. He mentioned the example of NotPetya, a piece of malware that caused considerable damage in Europe last year. International companies were paralyzed by NotPetya. At Maersk, a shipping company, 45,000 computers all of a sudden stopped working, for instance. “There was only one computer not connected to the network. It was located in Ghana and had a domain controller, which is, if you like, a backup,” Thomas Stubbings recounted. Thanks to this backup, it was possible to restore a lot of data. Ukraine was massively affected as well, with attacks being launched on, for example, two airports, four hospitals and six electricity providers.
During the subsequent Q&A session, an audience member asked what to do if the awareness was there but the funds available for cybersecurity were limited. “Think of the worst-case scenario, and try to do something against it by taking the steps that matter the most,” Thomas Stubbings advised her, adding as an afterthought: “This does not have to cost a fortune.”