Like you, I’ve seen a lot in the press recently about cyber-attacks and computer hacking. It all sounds like a 1980’s movie. I didn’t really think I had much to worry about in the world of commercial real estate. I don’t cover the blinking lights – that’s the CTO’s role along with his or her team of consultants. Plus, aren’t the cyber bad guys after military and high-value civilian facilities such as nukes?
Two things happened recently to change my mind. Allow me to share two vignettes that happened only a couple of days apart from each other.
First, I participated in the corporate equivalent of a war game simulation. It was sponsored by the Technology Association of Georgia and run by an expert in the field, Jim Cavanagh of Cyber Exercises. In the so-called “table top exercise” I was playing the role of director of real estate for the fictional television network, GNN. I reported into the COO who had plenty on his plate in addition to real estate.
The exercise took place at Georgia Tech in front of an audience of about 150 people. Our company was about 40 executives in total – all on the stage of the Ferst Center. At 1:52PM on the day of the exercise, we were the victims of a terrorist attack (electromagnetic pulse) that took down all of our satellite dishes. Talk about waking you up after lunch. As a result of the attack, our TV signals went down worldwide and the CEO (played by Tino Mantella, President of TAG) declared an emergency. We all received simultaneous emails, texts and calls on our cell phones alerting us to this situation.
We spent the next two hours working with Atlanta and Reston (our other site) trying to confirm our people and facilities were ok, and of course, trying to get back on the air. We conferred with real life FBI, GBI and Fulton County (Atlanta) 911 government officials during the crisis.
The organizers took a novel approach to keep the simulation interesting to the crowd. They had 3 “tweeters” in blue shirts throwing everything they heard up on Twitter. The stream appeared on two huge screens on either side of the stage. They also had two “reporters” wandering around the stage interviewing anyone who would talk to them and doing live broadcast a la network news. It had the feel of a corporate drama/reality show with a social media turbo charge.
After 90 minutes or so, the crisis began to come under control. Given that things were settling down, and that no good crisis should unfold without pizza, I ordered a few pies for our hungry executives. The Domino's delivery lady brought them right up on stage to huge applause.
:: Even when you know what the attack will be and when it will occur, the adrenaline starts your body pumping. This impacts decision making.
:: Communications was hard even with us all on stage and physically together. I can only imagine what it must be in real life with remote facilities in the mix.
:: The policy manuals are a reference, but you can’t cover every contingency. We quickly had to figure things out with or without the policy to guide us.
:: Good relationships with government officials are helpful when a crisis occurs. In this instance, they were very helpful in getting resources and personnel to help GNN.
:: As Jim C said, we have a “duty to share” information with other companies and agencies to help protect our Country.
:: Pizza helps any crisis get better!
In a total coincidence, I attended a lecture the next day by the former Commissioner of Homeland Security Michael Chertoff. Now with his own company, The Chertoff Group, Mr. Chertoff wowed the crowd on the same cyber security issue.
He made it clear that while cyber-threats are in the news, they are not new. He said that cyber terrorism is the “most serious security threat we face” as a nation. Chertoff mentioned that the threat of a “cyber Pearl Harbor” should focus the entire business community. He went on to say that a cyber attack “is not a threat, but an eventuality.”
Sobering words coming from a former high level US government official.
Chertoff said that many in corporate America see cyber issues as belonging to the chief technology officer. However, “technical issues are only a part of what is involved in the threat.” “Much of the threat,” he said, revolves around “issues of governance and human behavior.” He went on, “everyone in a high level in the enterprise must be on guard.”
>> Some of his recommended steps to protect our enterprises against these attacks:
:: Develop a series of “layered actions” by the entire corporate team that can help prevent damage.
:: Drill – “We don’t want to be coming up with the answers when we are under attack. We think we know what we would do in our response, but standard operating procedures may not be adequate.”
:: Remember that we are “dealing with human beings, and that is the fundamental issue – no policy can replace human brains and hearts.”
I understand full well the “bandwidth” issues we all face. Preparing for some far-out terrorist attack falls to the bottom of the list. However, those in commercial real estate are the keepers of the physical assets. I learned through the simulation process that we cannot punt to the CTO on all computer issues, because computers run everything. We'd better open the communication on this in advance.
>> I’m still coming up to speed on this issue myself (and I welcome your comments), but here are a few suggestions for real estate directors:
:: Talk to your CTO and COO about these issues. Even a lunchtime conversation can be helpful.
:: Play some “what if” games with your staff. I've heard many a story of seasoned line staff with great ideas to share – if they are asked.
:: Develop relationships with government officials on the local, state and even national level. They can pay off in spades.
:: Talk to the consultant community. I’m not flacking for Chertoff or anyone else, but there are a lot of smart people who can really add value in this area.
:: Discuss the need with other director level executives to conduct your own drill.
:: Many companies have a crisis communication plan. Perhaps you ought to actually read yours and make sure CRE has had proper input.
:: Talk to your CEO. Is he or she on board and briefed on the plan? All the policy in the world won’t help you if the person at the helm doesn’t have buy-in.
Let’s hope that none of us ever face this issue in our professional lives. If we do, though, I have learned one thing in my recent experience: you are critical to the successful recovery from a cyber attack on your company.
People are counting on you. Be ready for the test, even if it never occurs on your watch. It's your duty to your team, your company and ultimately, your Country.