How Harman Ensures Tech Safety Through Due Vigilance

Arming a company's technologies against disruption is a 24-7 task, but Maurice Stebila extends protection far beyond the IT staff.

Maurice Stebila, Harman International Industries, CISO, IT Security, Compliance and Privacy Officer

The Cybersecurity World War

The threats of cybercrime to national security are ominous enough. The US government devotes considerable resources to fend off attacks from professional cyberwarriors in China, Russia, and around the globe. Meanwhile, companies, institutions, and individuals sometimes have no choice but to pony up payments to purveyors of ransomware attacks. For example, computers at Hollywood Presbyterian Medical Center in Los Angeles were inoperable for a week in early 2016 until the extortionists were paid $17,000 in Bitcoins.

But there are reasons to be optimistic. Potential victims are becoming more sophisticated at mounting proactive defenses. For example, companies that acquire other firms now delve into vulnerabilities that may tag along with the asset. This is now being incorporated into the due diligence process, something that people like Maurice Stebila know all too well.

Stebila explains that every organization is vulnerable; it’s really just a question of how vulnerable. As chief information security officer for Harman International Industries, a global supplier of connected audio products to automakers, consumers, and enterprises, Stebila and his team of security experts are on the front line of “an ongoing cybersecurity world war,” as he calls it. “It’s in the news every day. Fortune 500 companies are targeted, so everyone has to be vigilant,” Stebila says.

This vigilance takes many forms, employs a myriad of tools, and requires every employee, supplier, and customer to consider themselves warriors on the battlefield. Human error, such as falling prey to phishing tactics, is often the weakness that hackers exploit to breach security.

Smaller businesses and individuals face attacks as well. But companies such as Harman have to protect their own corporate interests as well as those of their gold-plated customers. This includes the likes of Alfa Romeo, Mercedes-Benz, BMW, Jaguar, Jeep, Rolls-Royce, Mini, Toyota, and Volkswagen. Automobiles access the cloud in a connected world to run audio and other infotainment systems, navigation, and connected safety systems. In fact, roughly twenty-five million vehicles in the United States use Harman audio and connected car systems.

Connected Car Systems

Car connectivity is highly valued yet subject to threatening hacks. Researchers in the Netherlands and Germany presented a paper at the annual Black Hat Europe security conference that weighed the future of wireless vehicular chatter. Designed to reduce collisions and traffic jams, the technology can also enable nefarious tracking of individuals. Another scenario discussed at the Black Hat USA conference is how hackers might be capable of physically hijacking the vehicles of VIPs and world leaders.

Stebila’s work specifically centers on Harman itself, not the company’s products—his colleagues in R&D have that handled. But it’s clear that he works in an organization where cyberdefense is at an elevated level.

Harman has acquired several companies in recent years, including AMX LLC, Bang & Olufsen’s auto division, and Symphony Teleca. With each addition, Stebila and his team walk through a five-step process aimed at rooting out threats. It starts at a strategic phase, when high-level executives look for acquisition targets that may or may not already be compromised by hackers. Next, when the intended acquisition is announced, direct discussions ensue to identify the obvious threats. After this step, the due diligence period has security analysts digging in just as vigorously as accountants and lawyers do in seeking out financial and legal liabilities.

The tools Stebila uses include a security assessment, vulnerability scanning, penetration testing, and determining where remediation will be required. After the deal is signed—often accounting for the cost of increased cybersecurity measures—a safe integration of systems completes the process. “We always find something,” Stebila says. “Every organization has vulnerabilities. That usually is from patches not installed or not having a layered security apparatus.”

In a small acquisition, the process might take a few weeks, while a larger merger may require a month or more. Perhaps Harman’s corporate security is on the leading edge because of the great care it must take with its high-profile customers. “We do our best to identify the potential for an attack on cars and homes,” he says. To resist attack vectors, Stebila says the company uses what it calls a “five-plus-one” security architecture that differentiates the business from its competitors. The five steps—secure the hardware platform, employ a hypervisor, create OS access control, create application sandboxing, and devise network protection—are supplemented by a sixth: OTA, or “over the air,” updates. This sixth component means fixes and patches can be delivered automatically and wirelessly, with no need for expensive car recalls or a conscious effort by the driver. But even in the presence of sophisticated tools, people are the weakest link in the chain. “Security is not IT’s responsibility. It’s everyone’s,” Stebila emphasizes.
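The OTA component only reduces risk if the device refuses updates that are not genuine, are meant for different hardware, or try to roll the vehicle back to an older, already-patched release. The following is an added illustration of that acceptance logic, written for this article; it is not Harman's code and does not describe the company's actual update format. It assumes a hypothetical manifest (version, target platform, payload hash) that the update server signs and the device verifies; an HMAC with a constructed device-provisioned key stands in for the asymmetric signature a real deployment would use.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed verification key for this example. A real device would hold a
# public key in protected storage and verify an asymmetric signature instead.
DEVICE_KEY = b"example-ota-verification-key"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Hypothetical server-side step: authenticate the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(payload: bytes, version: int, platform: str, key: bytes) -> dict:
    """Hypothetical update package: manifest + signature over the manifest + firmware payload."""
    manifest = {
        "version": version,
        "platform": platform,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "payload": payload}


def verify_update(update: dict, installed_version: int, device_platform: str, key: bytes) -> Tuple[bool, str]:
    """Device-side acceptance check. Returns (accepted, reason).

    The order matters: the manifest signature is checked before any manifest
    field is trusted, so a tampered version or platform field is rejected as
    a signature failure rather than being acted upon.
    """
    manifest = update["manifest"]

    # 1. Authenticity of the manifest (constant-time comparison of digests).
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, update["signature"]):
        return False, "manifest signature mismatch"

    # 2. The update must be built for this hardware platform.
    if manifest["platform"] != device_platform:
        return False, "wrong hardware platform"

    # 3. Anti-rollback: never accept a version at or below what is installed,
    #    which also blocks replay of a previously valid (but now outdated) package.
    if manifest["version"] <= installed_version:
        return False, "rollback or replay rejected"

    # 4. Integrity of the payload against the authenticated hash.
    if hashlib.sha256(update["payload"]).hexdigest() != manifest["sha256"]:
        return False, "payload hash mismatch"

    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a vehicle on version 4 receives a version 5 package.
    good = build_update(b"firmware v5 image bytes", 5, "head-unit-gen2", DEVICE_KEY)
    print(verify_update(good, installed_version=4, device_platform="head-unit-gen2", key=DEVICE_KEY))

    # Replaying last year's version 4 package must not be accepted.
    old = build_update(b"firmware v4 image bytes", 4, "head-unit-gen2", DEVICE_KEY)
    print(verify_update(old, installed_version=4, device_platform="head-unit-gen2", key=DEVICE_KEY))
```

Each failed check returns a distinct reason string so that the device can log it; in a fleet, a spike in "rollback or replay rejected" or "manifest signature mismatch" events is the kind of signal a security team would want surfaced rather than silently dropped.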

He shares that half of all data breaches can be tied to a “failure of awareness.” This is exacerbated with the use of multiple devices—desktops, laptops, tablets, and phones, both personal and company-supplied—with dozens of applications built in to work from system to system. Some companies with exceptional security needs, such as financial institutions, employ stringent “acceptable use” policies. But the cultural norm, says Stebila, is to allow workers to access personal devices as they wish. That’s not an ideal situation, he argues. “Laxity invites risk,” he warns.

Cybersecurity Boot Camp

Stebila says it’s not just a matter of telling employees to be careful. A multichannel education effort is used to raise security awareness and prevent those human errors. This includes emails, posters, and classroom training at the company’s Harman University. The company’s leadership level receives online training as well. As a test of employees’ understanding, well-disguised faux-phishing emails are sent to check employees’ skills at discerning where and when not to share password information.

If it seems as if all of this has a certain James Bond quality, so be it. Corporate and business espionage has existed for a long time, but evolving technologies mean it’s a rapidly growing arms race. And the winners aren’t just the people working on behalf of fair enterprise. It’s trained warriors who come to the battle well armed.