By Jeff Welgan, Head of Executive Training Programs, CyberVista
This is the fourth post in a six-part series about cybersecurity risk. Each week we discuss a different category of enterprise risk and how cybersecurity affects those risks at the board and executive level. This week we focus on Strategic Risk, represented by the natural disaster of fire. Use the links below to access the other articles in the series:
Part One – Introduction
Part Two – Financial Risk
Part Three – Compliance Risk
Playing with Fire: HBGary Federal Gets Burned by Anonymous
Ashes to Ashes
Security company HBGary Inc. boasted nearly a decade of experience in the technology and security industry. The company was well-respected: it published analyses of high-profile hacking incidents, developed software for computer forensic investigations, and briefed audiences at security conferences. Despite a crowded marketplace, the firm’s initial successes prompted the launch of a Washington-based subsidiary, HBGary Federal, which sold products and services exclusively to the U.S. Government.
Yet, in a cyber attack lasting only a few hours, the company suffered irreparable damage to both its reputation and long-term business goals, the twin underpinnings of strategic risk.
On February 6, 2011 – Super Bowl Sunday – a team of seven hacktivists compromised HBGary Federal’s systems in a matter of hours. The foothold was mundane: a SQL injection flaw in the company’s custom web content management system exposed password hashes that were unsalted MD5 and were cracked with precomputed tables, and the recovered passwords had been reused for email, Twitter and LinkedIn accounts. A social-engineering email sent from a compromised executive mailbox then persuaded the administrator of Hoglund’s rootkit.com server to reset its root password. Once inside, nothing was off-limits to the attackers. Not only did they publish internal communications, delete backups, and deface public-facing websites; they also remotely wiped HBGary Federal CEO Aaron Barr’s personal iPad and erased his level 90 World of Warcraft profile.
The fire spread to social media. On Twitter, Barr lost control of his personal account, where the attackers (posing as Barr himself) posted profanity-laced tweets and threats, along with Barr’s Social Security number and home address. On The Pirate Bay, a popular torrent site, the attackers circulated 50,000 internal emails containing proprietary information, copies of the Stuxnet malware (more to come on this in a later post), and less-than-professional exchanges between employees.
A webpage defacement message mocked HBGary Federal on their own public site. Signed by “Anonymous,” the final sentence read: “It would appear that the security experts are not expertly secured.”
HBGary Federal attracted the attention of Anonymous weeks prior to the incident, when Barr claimed to know the identities of the Anonymous participants and prepared to release their names during an upcoming cybersecurity conference. The devastating attack was launched in retaliation for Barr’s comments and threat.
In a revealing moment, the CEO and the President of HBGary Inc. – Greg Hoglund and Penny Leavy – showed up in an Anonymous IRC channel to plead (in vain) for mercy:
<+greg> so you got my email spool too then
<&Sabu> yes greg.
<@`k> greg we got everything
<+greg> you realize that releasing my email spool will cause millions in damages to HBGary?
<+Agamemnon> yes we do greg
<@`k> greg [th]is will be end of you :) and your company
Hoglund’s comments focus on the financial damage caused by the disclosure of information assets. However, the biggest problem facing HBGary had to do with a different risk category entirely.
Third Degree Burns
In the days following the incident, HBGary’s industry peers were quick to distance themselves from the still-smoldering wreckage.
One year later, HBGary Inc. was absorbed by ManTech International (purportedly at a fraction of its original value) and HBGary Federal was closed. Aaron Barr had already resigned, less than a month after the attack. In an interview with Threatpost he said, “I need to focus on taking care of my family and rebuilding my reputation.”
Barr recognized what cost him his job and his company its existence: a destroyed reputation. The HBGary hack highlights the fact that public scrutiny and embarrassment can be as damaging as, and perhaps more damaging than, the loss of intellectual property and customers’ personally identifiable information (PII). Reputation is, as Shakespeare called it, “the immortal part” of an individual or business.
HBGary’s fate also represents the worst-case scenario in terms of long-term business goals: HBGary Inc. was absorbed and HBGary Federal was totally shut down. Barr’s company was unable to survive the public scorn and distrust produced by both the breach and the company’s response. Even if your company does not burn to the ground, a breach can undo decades of painstakingly won customer loyalty and public trust in a matter of hours.
A Flame-Retardant Strategy
HBGary Inc’s nightmare episode represents the extreme consequences of failing to mitigate strategic risk. As with other risk areas, there are actions and plans you can take to protect yourself from the consequences of strategic harm:
- Have a stakeholder and external communications plan. Poor crisis communications can exacerbate the issue and cause the public to lose faith in both the competence and leadership of an organization. Part of this plan should be to identify company spokespersons. If these representatives are not communications professionals, then they should be guided by crisis communications experts.
HBGary’s senior management erred in their communications response. The CEO and President took the unprecedented step of pleading with the attackers and asking them to relent. This ill-advised response worsened HBGary’s reputational damage and further undermined customers’ confidence in the organization. While executives made unprepared online appearances, the company as a whole went dark after the hack: it canceled public events and withdrew speakers from conferences, citing employee safety concerns.
- A disaster recovery strategy is another way to limit the damage a cyber incident does to strategic operations. A disaster recovery plan helps an organization identify its critical assets and adopt appropriate response protocols. Answering questions such as “What applications and systems are critical to accomplishing the mission of the organization?” and “What are the priorities when we are returning to normal business operations?” ahead of time is what lets you return to normal operations as quickly as possible. Protection and response protocols should be part of the conversation when you are identifying critical assets.
From their scrambled response, it seems HBGary never adopted a disaster recovery strategy. Even if a plan existed, it does not appear to have been rehearsed, or to have considered the possibility that internal documents and intellectual property could be exposed through a compromise of the company’s own systems.
- Public trust can be won back. Oftentimes, proactive communication and gestures of goodwill can restore customers’ satisfaction and faith in an organization and its ability to recover. Examples include:
- Prompt notification procedures that ensure victims are aware of new developments and any outstanding potential dangers
- Setting up call center support so that affected individuals can stay informed and receive guidance from your organization on self-protection methods
- Free credit monitoring and identity theft protection services
- Discounts and free products to retain customer loyalty
Strategic Risk is the risk area with the potential to do the most harm. It is crucial your company has a response plan (including a communications strategy) in place to minimize damage and restore stakeholder faith.
When Barr announced his resignation from HBGary he added, “I’m confident they’ll be able to weather this storm.”
Unfortunately for Barr and HBGary, they weren’t facing a traditional storm; they were facing a firestorm. And properly weathering a storm of any kind doesn’t happen after the storm has already hit. By the time HBGary got the fire-proof shutters and panels in place, it was too late. The fire had destroyed their reputation, along with their business.
Cyber-related risks evolve quickly and can affect your entire organization. Understand your strategic risks and plan accordingly. Need more training? Contact us. CyberVista provides training in the boardroom, at board and executive retreats, and in workshop settings.
Stay tuned for the next blog in this series covering Operational Risk.