Winter Is Coming

Morgan O'Rourke


September 1, 2017

When hackers recently announced that they had broken into HBO’s network and stolen 1.5 terabytes worth of company data, it was particularly appropriate that they incorporated images of the White Walkers from the network’s mega-popular Game of Thrones into their video ransom note. After all, not only did they steal proprietary corporate documents and executive communications, they took unaired scripts from the show’s latest season, causing fans worldwide to salivate over the prospect of an early peek at the impending series finale.

The use of the White Walkers was apt for another reason: They are the show’s ultimate villain. So far, the action on Game of Thrones has centered around various factions (and the occasional dragon) fighting for control of the fictional world of Westeros. But everyone in the kingdom knows that “winter is coming” and, with it, the undead army of White Walkers that has steadily amassed in the background. A virtually unkillable force, the White Walkers are poised to wipe out all the characters viewers have come to know and love, threatening to render all the palace intrigue and battlefield drama to this point irrelevant.

The threat posed by the White Walkers is reminiscent of the existential risks many companies face in the real world. That list has traditionally included natural catastrophes, terrorism events, and any of the nuclear, biological, chemical or radiological scenarios that could be devastating enough to reshape entire markets and put companies out of business altogether. Like the various combatants in Game of Thrones, companies struggle to manage their day-to-day risks and develop strategies for future growth, while at the same time knowing that these larger threats could change everything in an instant.

Given their increasing prevalence and the extent of the potential damage they can cause, cyberattackers are increasingly making the case that they should be included on the list of existential risks. As with, say, preparing for a hurricane, companies can and do take many sensible steps to mitigate the impact of a hacking incident. But just as it only takes a single storm to turn a mild hurricane season into a devastating one, a single hack can have a similarly catastrophic effect on an organization. Hackers can now take vital systems offline or steal irreplaceable proprietary data and permanently tank stock prices, revenue streams and reputations, creating a crisis from which there is no return.

Thankfully, such villainy has not been widespread. Hackers could take over the world but, so far, that does not seem to be their goal. Most consider themselves to be the good guys. More than half (53%) of the hackers surveyed by IT security provider Thycotic at the 2017 Black Hat conference identified themselves as “white hats,” using their skills for good, while only 14% said they were “black hats” who break into systems with malicious intent (the remaining 33% said they were “grey hats” who fall somewhere in between). Even the HBO hackers referred to themselves as “white hats” who were just performing a service. “Don’t call us nasty hackers, we are IT professionals, consider what is done to you as a huge pentest,” they wrote. “We don’t want to endanger HBO’s situation nor causing [sic] to lose its reputation.”

But as hacking schemes become more and more lucrative, the number of financially motivated black hats will likely increase and the risk will expand accordingly. When that happens, any organization that hasn’t prepared for these technological White Walkers may find out that it is already too late.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS).
