Hackers threaten open business culture


Concerns about cybersecurity can instill a chilling effect on companies’ attitudes about transparency.

Share this article!


If your emails are at risk, perhaps it’s better to communicate on the phone, and avoid creating the kind of paper trail that is a critical element of accountability.

Unmasked 04 Hackers

The key, say business leaders and cybersecurity experts, is timing and compartmentalization. It’s possible to run a transparent company without putting employee or customer information at risk, says Babson.

At Vacasa, the Portland-based vacation rental company, workers’ desks are laid out on in an open floor plan, but the tech area is blocked off during events, says co-founder Johnson.

“We don’t want to have people walking around the development area and stumbling onto something. We think about disclosure not only from the perspective of how it could harm our business, but also the individuals the data is protecting. We have a lot of credit card info, for example — all encrypted — and obviously that’s info we need to hold private.”

A more difficult decision is whether to be open with the public about attempts to hack or extort a company, Johnson says. Vacasa has erred on the side of disclosure, he says, but other executives worry they’ll expose themselves as a target if they’re too forthcoming about security breaches.

Johnson’s attitude is that the more businesses know about illicit activity, the more they can all protect themselves. “I share that info with other startups to help them make sure they’re doing the right thing, before they become a target.”

One interesting way companies are responding to increasing concerns about cybersecurity is by shifting their liabilities to consumers, says Ken Westin, senior security analyst at the Portland-based firm Tripwire.

It’s a funny kind of “transparency”: Online retailers and other businesses are becoming more clear about what a customer’s legal responsibility is in using products and services, which is a way of saying, “Hey, if we get hacked, we’re absolved, because we told you what data we were collecting.”

As Westin puts it, “It protects the business. It shifts responsibility from the business to the user.”

Many businesses still avoid reporting it when their systems are breached, out of embarrassment. Ransomware is a good example of that, Westin says: There are many more businesses paying extortion than there are reporting the problem. Experts say ransomware will net $1 billion this year — because individual IT managers are concerned about losing their jobs.