Jenny Durkan, Global Chair of the Cyber Law and Privacy Group at Quinn Emanuel Urquhart & Sullivan and former United States Attorney for the Western District of Washington, provided a thought-provoking keynote to cap “Business in the Age of Cyber Threats: A Forum on Cybersecurity” presented by the UW Foster School of Business and co-sponsored by Premera Blue Cross and Providence Health & Services. Durkan believes information security is a serious threat to business and government, and is a risk management problem that should have the attention of business leadership. She suggested that while companies must be proactive in prevention efforts, they must also plan how they will address a data breach.
Other speakers included Premera President & CEO Jeff Roe (BA ’88, MBA ’97), Kirk Bailey, UW’s Chief Information Security Officer, Joseph Lindstrom, General Manager for Information Security and Risk Management at Microsoft, and a panel discussion led by Julie Averill (MBA ’99), CIO at REI. The panel included Janice Newell, CIO at Providence Health & Services, Paul Moulton, CIO at Costco, Jeff Hussey (MBA ’91), CEO at Tempered Networks, and Foster School finance professor Jonathan Karpoff, holder of the Washington Mutual Chair in Innovation. The symposium was held at the new wǝɫǝbʔaltxʷ (Intellectual House) on the UW’s Seattle Campus.
Bailey discussed who is looking and what motivates them. The actors range from ‘hacktivists’ who may be most interested in promoting a political agenda and/or gaining notoriety within the hacker community, to business competitors seeking to obtain intellectual property or strategic plans, criminal hacker networks who mine and sell consumer data, and state actors widely believed to include our own National Security Agency. Most startling to those present, Bailey recounted recently learning that computers could be hacked using only high-frequency sound with a technique called “covert acoustical networking.”
Microsoft’s Lindstrom reminded the audience of the importance of security hygiene. He said that the majority of the security compromises were the result of not having done three things:
- Patch Management—Carnegie Mellon’s Computer Emergency Response Team (CERT) estimates that 95% of network intrusions could be stopped by patching computers, routers and other network-attached devices.
- Identity and Access Management—Have policies and procedures to ensure that user accounts and access privileges are updated when an employee changes jobs and removed when they leave your company.
- Managing the network boundary—Audit and control what devices are connected and disable unused services to limit your exposure. Monitor traffic to identify unusual or unexpected data transfer.
The symposium was attended by more than 100 alumni and business leaders. According to Steven Hatting, the Foster School’s Associate Dean for Advancement, “Today’s discussion was timely and important. Businesses must think of cyberattacks in terms of ‘when’ rather than ‘if’ given estimated security events now number in the hundreds of thousands each year. The threat cannot be overstated, and it’s no longer an IT issue or even a boardroom issue. Every employee is part of a company’s defense.”
Guest post by Mick Westrick, Director of IT, Foster School of Business.