Into the Breach: Integrating Cybersecurity into the Business Curriculum
By Mark Weiser and Carolyn Conn
December 20, 2016
As more companies suffer data breaches, it has become imperative for business faculty and students to know how organizations can protect themselves from hackers.
YOU DECIDE TO STEP OUT FOR LUNCH with faculty colleagues. You coordinate plans via your Verizon cell phone after first using Windows 10 on your laptop to look up your LinkedIn contacts. You debate going to Wendy’s, but decide to try Noodles & Company instead. You stop for cash at the ATM, then settle in at the restaurant to enjoy a steaming bowl of pad thai. You are probably unaware that each company and network you accessed during your outing was a victim of a major data breach announced during one two-week period in 2016.
Many people believe identity theft is limited to a small number of unlucky consumers. But 15 million people had their Social Security numbers stolen from Experian, and 40 million Target customers saw their credit information sold on the black market. These days almost any issue of The Wall Street Journal or Bloomberg Businessweek highlights a security breach and the havoc it has wreaked on a company, nonprofit, or government agency. Antivirus company McAfee estimates that 0.6 percent of the U.S. GDP is attributable to cybercrime alone, and America is nowhere close to being the global leader in this nefarious and burgeoning industry.
Almost every day seems to include a news story about a data leak that impacts thousands—sometimes millions—of companies and consumers. Your one lunch excursion could set you up for identity theft for months or years to come. You feel less anxious about the threat because you know that corporations typically offer free credit monitoring to customers whose data is breached, and you know that the big-three credit bureaus would have your account on a security alert. That is, until you realize that Equifax, one of those credit bureaus, also reported a major leak in the same two-week timeframe. Another of the big three, Experian, had a breach the year before.
No sector is immune to cyber threats. The fallout for a company may include plunging stock prices, distrust of top managers, and news stories about how corporate carelessness led to elderly grandmothers losing all their savings. More repercussions can follow if stakeholders and the media start asking questions about operational data integrity, imperfect cybersecurity, and other vulnerabilities.
And, yet, even though cybersecurity is a growing concern to businesses, it still is not a mainstream subject at business schools. We argue there are three reasons business schools should care about cybersecurity. First, business students themselves may be the targets of cybercrime even before they attend freshman orientation. A study from Carnegie Mellon revealed that roughly 10 percent of children are victims of cybercrime, and that children are 51 times more likely than adults to be victimized.
Second, the exponential growth of hardware and software technology has combined with a seemingly unquenchable demand for mind-boggling amounts of data, and virtually every discipline in the business school is racing to incorporate big data into its curriculum. A great deal of data is being captured even though we have no current use for it—but storing it comes with increased risk of exposure to cybercrime.
Third and most important, cybercrime might be one of the greatest threats to economic stability around the world. Even so, most company leaders do not seem as worried as they should be. In 2015, the Ponemon Institute, a consultancy firm that focuses on privacy and security, conducted a global impact study that compared the financial risks for tangible and intangible assets. Of the companies in the study, 37 percent had experienced a data security breach in the previous 24 months, with an average total impact of US$2.1 million. Yet only half the firms indicated they became more concerned about cyber liability.
Along the same lines, a 2016 study by accounting firm PwC found that only 37 percent of firms have created a cyber incident response plan and fewer than 50 percent of board members request information about their firm’s cyberreadiness.
PwC also compiled a list of the most common economic crimes, and these included asset misappropriation, bribery and corruption, procurement fraud, and accounting fraud. But cybercrime is now No. 2 on PwC’s list of the most-reported economic crimes, and all indications are that its cost will increase in coming years.
Technology has been incorporated into a vast new array of products and services, yet companies do not realize how vulnerable they are to cyber threats. Hackers have taken over a talking Barbie doll, a Wi-Fi enabled sniper rifle, and the transmission and braking systems of a 2014 Jeep Cherokee.
It is inevitable that, in the future, more and more products and services that have never before utilized network technology will begin to do so. Who will be overseeing the development, financing, production, marketing, accounting, and risk management of these products? Our business school graduates. They must be prepared to protect their own financial security, as well as everything they are responsible for in their careers—the products they work on, the cyber assets of their employers, and the information security of their customers.
Just as we have integrated sustainability, ethics, and global responsibility into our curricula, we now must incorporate cybersecurity. Business students do not need to become IT specialists who know how to program computer chips. But they must understand that whether they work in a one-person startup, a regional nonprofit, or a multinational conglomerate, their organization relies on technology, data, and connectivity. And it is vulnerable to cyber threats.
THE ROLE OF B-SCHOOLS
To gain a working knowledge of the risks posed by today’s ubiquitous technology, business students must become “cyber savvy.” They must understand the pervasive nature of cyber threats; the wide variety of potential attacks; the financial and operational impact of cyber breaches; the basic practices to employ to achieve cybersecurity, both personally and professionally; and the costs and benefits that come with providing robust security—or choosing not to.
Cybersecurity is important enough that it was recognized in AACSB International’s 2013 Accounting Standards. In particular, standard A7 calls for schools to develop skills that integrate technology into accounting and business, specifically through creating, sharing, analyzing, mining, reporting, and storing data. Each of these areas implicitly includes a significant cybersecurity component to ensure accuracy, privacy, and value of the outcomes. The standard was established for accounting programs, but it serves as an important guide for all business programs.
While each business school faces pressure to add topics to an already packed curriculum, cybersecurity is too important to ignore. Here are ways to include it in business programs:
Commit to the importance of cybersecurity. Two important steps are to incorporate cybersecurity into the mission and to appoint a champion.
Examine the core. The standard business core usually includes a computer competency class, which might cover a suite of office software and include a broad overview of information systems. At least one-third of this class could be redirected toward teaching critical and practical IT security concepts.
Embed relevant cases directly from today’s news. A major technology breach makes the news on at least a weekly basis. These news items will provide ample fodder for real-time discussions about the impact of cyberattacks.
Collaborate with colleagues across all disciplines. For instance, consider creating a class offered jointly by the MIS and accounting departments. Use it to explore the critical importance of data integrity, how it might be violated, what the resulting impact might be, and how to defend against threats.
Team with career services and recruiters. Corporations are aware of the importance of IT security and will embrace better-informed graduates entering the workforce. Consider beefing up cybersecurity efforts by finding private funding to support development, scholarships, and faculty training.
In addition to incorporating cybersecurity into the curriculum, schools can heighten awareness of the importance of cybersecurity if they take these actions:
Train the trainers. Make sure faculty understand the perils implicit in sharing passwords, overusing social media, and underestimating the vulnerability of technology.
Model good cyberbehavior. Do not ask students to share registration passwords with advisors just to make the process go more quickly. Do not give administrative assistants your system user credentials so they can process your travel requests. Overtly demonstrate the importance and benefits of following best practices in cybersecurity.
Encourage a cybersecurity mindset. Today’s students share some of their most private moments in publicly accessible places. Universities pride themselves on being bastions of freedom that provide unfettered online access. Make sure students and faculty understand the risks of these attitudes. A recent survey commissioned by Experian showed that 60 percent of companies with a data protection and privacy program believed their employees were not knowledgeable about security risks, and only 35 percent of responding employees believed that data security was a priority of senior management.
If business schools can help their students understand the importance of cybersecurity while they are on campus, graduates will be much more realistic about cyber threats when they are in the workplace.
NOT OVER YET
No matter how well they are prepared for cyberattacks, business graduates will inevitably find themselves dealing with security issues. They will quickly discover that identifying the breach is only the first step. As executives, they must be prepared for a great deal of scrutiny as investigators from a number of regulatory agencies knock on their doors to ask, “Why did this happen and who is responsible?” In the U.S., these agencies include the FTC, the SEC, the Department of Health and Human Services, the Department of Defense, and the Secret Service—all of which, one way or the other, are charged with defending the security and privacy of American citizens. Other regulatory agencies will be involved when data breaches occur in other countries.
Additional stakeholders could come forward if there is a hack. These include investors and customers who might bring civil claims against a company, claiming fraud or abuse resulting from a failure to properly manage information systems. The media also will be quick to get involved, especially if the breach is big and reporters see the incident as a major news story. Business schools must prepare students not only for the breach, but for what comes afterward.
Like many other subjects taught in business school, cybersecurity is very much a bottom-line issue. It is concerned with managing costs, benefits, risks, public image, intellectual property value, customer relations, and equity. We must make sure students understand the consequences of incorporating technology into their products, services, and processes. The notion of cybersecurity must be integrated so thoroughly into our curricula that students practice it automatically in every aspect of their personal and professional lives.
Mark Weiser is Regents Service Professor and director of the Center for Telecommunications and Network Security and professor of management science and information systems at Oklahoma State University’s Spears School of Business in Stillwater. Carolyn Conn is an accounting professor at the Bill Munday School of Business at St. Edwards University in Austin, Texas; she is also a CPA and certified fraud examiner.
Who Are the Hackers?
How much money could be lost to cybersecurity breaches? Who might perpetrate an attack? A quick guide to the costs and the major players.
The estimated financial impact on the U.S. if a successful cyber attack shuts down even a portion of the national power grid. The damage would occur over a five-year period and adversely impact both supply chains and infrastructure.
The amount that the U.S. retail sector estimates it loses to cybercrime every year per responses to the Ponemon Institute’s 2015 Cost of Cyber Crime Study: U.S. In the same survey, respondents in the financial services sector put their average annualized costs closer to $28 million; in the technology sector, $16 million. The institute estimates that, across all sectors, the mean annualized cost of cybercrimes is $15 million. The net increase was 82 percent over the most recent six years of the study.
The estimated cost to Home Depot (before insurance reimbursement) when its database was hacked in 2014 and thieves stole information for 56 million credit/debit cards and 53 million customer emails.
The estimated cost to Target after it experienced a data breach in December 2013 (though insurance reimbursements brought it down to $162 million). For both Target and Home Depot, those amounts exclude any settlements or judgments against the companies arising from litigation.
Governments might hack other governments or corporations to cause turmoil. For instance, it is believed that North Korea’s government sponsored the hack against entertainment giant Sony. Most recently, the U.S. government formally accused Russia of stealing and disclosing information from the Democratic National Committee. Very real concerns have been raised about another nation tipping the balance in an election.
These might be employees or trusted third parties, such as vendors. An HVAC subcontractor was the source of log-in information needed to carry out the Target hack.
These individuals, often described as “hacking for a cause,” either believe in a cause of their own or oppose yours; either way, they feel justified in harming a company or its customers. In early 2012, WikiLeaks and Anonymous released five gigabytes of email hacked from private intelligence firm Stratfor—reportedly in response to Dow Chemical’s reaction to social activists The Yes Men, who criticized Dow’s handling of the Bhopal disaster.
These people are looking for money. In February 2016, hackers attacked Hollywood Presbyterian Medical Center with “ransomware,” malicious software that locks users out of the computer system until payment is made. The hackers put the hospital system back online after they received a $17,000 ransom. Since then, multiple hospitals and a police force have been targets of similar attacks.
Early in 2015, the Pentagon notified retired U.S. Army generals that their names, email addresses, and home addresses had been published online, after hackers claiming to be part of ISIS obtained the information from Twitter and YouTube accounts of the U.S. military’s Central Command. One security expert described the incident as a new kind of psychological warfare, designed to create fear and weaken morale in the military.
Organized Crime Families
Today’s organized crime leaders are much different from mobsters such as Al Capone. The internet allows criminal organizations to be almost invisible, and cyberfinance makes it harder to follow the money trail. In August 2016, New York prosecutors filed charges against 46 leaders of Sicilian-American Mafia families. They were charged with extortion and racketeering, as well as credit card fraud and healthcare fraud.