Posts Tagged ‘Anonymous’

The failure of enterprise to prepare for cyberattacks

Late last month, Zeitgeist went with friends to his local theatre to see “Teh [sic] Internet is a Serious Business”. The play tells the story of the founding of the hacktivist group Anonymous, the most well-publicised dawn of cyberattacks on businesses and governments. The organisation, at its best, set its sights on radical groups that promoted marginalisation of others, whether that was the Church of Scientology in the US or those trying to dampen the Arab Spring in Tunisia. This collective, run by people, some of whom were still in school, showed the world how vulnerable institutions were to being targeted online. We wrote about cybersecurity as recently as this summer, summarising the key points in a recent report from The Economist on what was needed to mitigate future attacks and how to reduce the damage such attacks inflict. The issue is not going away (and in fact is likely to become worse before it gets better).

It was back in January that management consultancy McKinsey produced a report, ‘Risk and responsibility in a hyperconnected world: Implications for enterprises’, where they estimated the total aggregate impact of cyberattacks at $3 trillion. There is much to be done to avert such losses, but the current picture is far from rosy. Most tech executives gave their institutions “low scores in making the required changes”, the report states; nearly 80% of them said they cannot keep up with attackers’ – be they nation-states or individuals – increasing sophistication. Moreover, though more money is being directed at this area, “larger expenditures have not translated into an increased maturity” yet. And while the attacks themselves carry potentially devastating economic impact on a company, their prevention comes at a price too for the business, beyond the financial. McKinsey reports that security concerns are delaying mobile functionality in enterprises by an average of six months. If attacks continue, the consultancy posits this could result in “a world where a ‘cyberbacklash’ decelerates digitization [sic]”. Revelations about pervasive cyberspying by Western governments on their own citizens could well be a catalyst to this. Seven points are made in the report for enterprises to manage disruptions better:

  1. Prioritise the greatest business risks to defend and invest in.
  2. Provide a differentiated approach to defence of assets, based on their importance.
  3. Move from “simply bolting on security to training their entire staff to incorporate it from day one into technology projects”.
  4. Be proactive; develop capabilities “to aggregate relevant information” to attune defence systems.
  5. Test. Test. Test again.
  6. Enlist CxOs to help them understand the value in protection.
  7. Integrate risk of attack with other corporate risk analysis.

Given the number of business and social issues that involve digital processes – “IP, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction” – there is a huge amount of disagreement about how far the state should be involved in determining the steps enterprises must take to protect themselves. This is an important point for discussion though, and we touched on it when we wrote about cyberattacks previously.

But that report was way back in January; things must have solved themselves since then, right? Last week, PwC reported that corporate cyber security budgets are being slashed, even while cyberattacks are becoming far more frequent. The FT reported that global security budgets fell 4% YoY in 2014, while the number of reported security incidents increased 48%. Bear in mind these are only reported incidents. This is potentially no bad thing, if we’re to go by McKinsey’s diagnosis of too much money being thrown at the problem in the first place. At the same time, it’s not exactly comforting.

Only a few days after PwC’s figures were published, JP Morgan revealed that personal data for 76 million households – about two-thirds of total US households – had been “compromised” by a cyberattack that had happened earlier in the year. Information stolen included names, phone numbers and email addresses of customers. It was also revealed that other financial institutions were probed too. Worryingly, the WSJ reports that investigators disagree on what exactly the hackers did. It was also unclear who was to blame: nation state or individual. Such disagreements over the ramifications of the attack and the identity of the attackers, as well as the delayed revelation of the attack itself, illustrate just how necessary transparency is, if such attacks are to be better protected against and managed in the future.

For those in London at the end of the month, The Economist is hosting an event for those who apply, on October 21, examining “how businesses can and should respond to a data breach, whether it stem from a malicious insider, an external threat or simple carelessness”. Hope to see you there.

How the Obama 2012 campaign harnessed tech to win votes

Last night, at the Royal Automobile Club on London’s Pall Mall, Zeitgeist was fortunate enough to hear Harper Reed, the Chief Technology Officer of the Obama 2012 US presidential campaign, speak candidly about how he helped get out the vote and keep the Democrats in the White House. Harper is ex-Threadless, the famous T-shirt company that lets users contribute their own designs, with the most popular becoming actual products sold the world over. It’s a democratic philosophy, one that understandably caught the attention of the campaign committee. It is also the kind of thinking that cities like New York and Chicago are starting to employ: actively gathering, analysing and distributing data to inform policy implications and help citizens. What follows is a brief summary of his thoughts and points that Zeitgeist found interesting.

Harper began the talk with the fundamentals, discussing how, when he arrived, the campaign seemingly already had much of the data-gathering resources needed to achieve what he wanted. The trouble was it was all siloed. Putting all the data together was a major step in the right direction, toward cohesive data analysis. He elaborated, saying they went from having fifteen different numbers for doors that needed to be knocked on, to one. On hiring the right people for the task at hand, Harper was explicit in noting that they had hired tech people and taught them about politics, rather than the other way around. He riffed on the state of journalism, saying it was similarly important to hire journalists who know about tech.

One of the more interesting insights Harper talked about involved the target demographics. Those most likely to vote are male or female 18-28, and women perhaps in their 50s. The younger group is adept and comfortable with all digital platforms, but still uses paper a fair amount. Paper, by contrast, is an essential medium for that middle-aged female voter. So the insight was about making paper use more efficient, given these groups’ use of it. Understandably this was a hard decision for a group of very tech-minded people to arrive at, but the acknowledgement showed they were willing to park their own preconceptions on how things ought to be done.

Like many startups, they were constantly trying to fail in order to create redundancies. This involved hosting hackathons where code was obsessively broken and then reconstructed, “ensuring things would break in ways we understood”, as Harper put it. They had the same approach with the content they published, aggressively testing every piece to make sure it was relevant and engaging for the intended audiences. What they failed to foresee was the Internet activist group Anonymous launching a DDoS attack the day before the election to coincide with Guy Fawkes Day, which helped trigger a meltdown over at Amazon’s cloud servers, AWS. Harper made it sound like not too much trouble to switch the servers from the East Coast, where they had been affected, to the West Coast, but the experience must have been a stressful one.

Lastly, he offered an opinion increasingly shared by many in the industry, which was a reluctance to talk of mobile device use as “second-screening”. Mobile devices, Harper pointed out quite rightly and obviously, are the first thing you look at when you wake up, the last thing you look at when you go to bed, and the thing you’re actually looking at when you’re supposed to be watching TV. Mobile first should always be the initial mindset.

In questions, Ruth Porter asked whether there were any pearls of wisdom that could be applied to those in UK politics and how they go about their own strategy of getting out the vote. Harper conceded he had met that day with a party “whose name starts with ‘L’”, and believed that what was key was investment, commitment and belief from the very top in what social and data could do for the campaign. Without that, such efforts would amount to nothing. The lessons of the Obama 2012 campaign – and the pitfalls of Romney’s campaign – offer valuable lessons for political parties, but it seems any efforts at cherry-picking ideas or going in half-hearted would doom any prospect of leveraging what the Obama team were able to do.

Any success in Harper’s tech strategy must be qualified against the sheer unpopularity of Obama’s rival candidate