A Hack Changed Fiber Company's Views on Cybersecurity
A breach at a fiber communications network provider prompted a change of heart about cybersecurity, its CEO told a NARUC panel in San Antonio Monday (see 9:30 a.m. schedule). Syringa Networks' Greg Lowe said that before this year's virtual break-in -- in which his company's data was held hostage until he agreed to pay ransom -- "we didn’t believe we were a target, in our cultural bias." And "we believed we had adequate measures protecting ourselves," he added. "I personally don’t think passwords are very useful … but we relied on them nonetheless." That’s "the biggest mistake any company can make, asking your employees to be diligent" on security measures including about passwords, he said. After the incident, "we contacted the FBI. That was a joke," he said. The bureau declined to comment. Lowe spent that day "trying to figure out whether to pay that ransom or let the entire business burn to the ground," he recalled. Syringa needed its billing records, so after talking to the board, "we decided to pay that ransom."
The week after the intrusion was discovered, "we were back to work but kind of on a limited basis," Lowe said. Now, "we treat our internal network as a core piece of our business." The company knows it will be targeted, and faced an intrusion last week that was thwarted, Lowe said. "We also know that we’ll never have enough security to prevent intrusion." And "we don’t depend on our employees anymore" to take preventive steps, he said: "We use multifactor authentication on everything," requiring more than one password for email accounts and outside websites. The company allows access only to email addresses, websites and applications appearing on a "white list."
Lowe described "a mind shift from preventive to deterrent mode," said CenturyLink Senior Director-National Security Kathryn Condello. She suggested stakeholders examine so-called cyber essentials from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.
Syringa last year bought from CenturyLink former Level 3 metropolitan network assets in the Boise area, where that buyer is based. Companies "have to make a risk decision" about cybersecurity, said Fidelis Cybersecurity Chief Technology Officer Craig Harber. "How much am I willing to invest versus how much am I willing to lose."