While a new year can bring forth a breath of fresh air and inspiration for tackling new challenges, the dawning of 2016 will not translate to exclusively focusing on new challenges for the industrial sector. Rather, some of the same battles will persist.
As the information age stretches into its second decade, big data and the security issues it presents will continue to demand more time, investment and internal understanding. In speaking with a collection of CIOs and IT professionals within and outside of manufacturing, here are some common practices to consider when addressing cybersecurity protocols.
Focus on the Attacker, Not the Attack
Many security experts agree that while virtual and physical safeguards are vital in discouraging assaults on IT assets, the reality is that the barriers to entry for cyber attackers, in terms of equipment and expertise, have never been lower. So while protective postures are important, the real key to withstanding a hacker is to start anticipating what they want and which of your assets are the most beneficial to them. By focusing on the primary targets of the attack, a company can prepare a plan that carries a commensurate response.
This might sound like resigning oneself to the inevitability of a data breach and hoping for the best. However, the reality is that this exercise provides a number of benefits:
- A great deal will be learned about how to defend your assets by analyzing how they could or should be attacked.
- Understanding how this information will be used by the hacker will allow for more timely responses in the event of a hack.
- Thinking offensively will stimulate conversations that go beyond just the IT department and get other areas of the enterprise involved. For manufacturers this could/should include operations, supply chain, purchasing and more.
Embrace the Worst Case
The problem this exercise can create is that in working through the seemingly countless fronts from which a hacker can attack, an organization might begin to feel overwhelmed and want to turn a blind eye to the problem. Or, as one security advisor stated, “Blissful ignorance leads to less outrage.” In other words, less transparency translates to fewer fears and lower levels of necessary investment.
The key is to get past this head-in-the-sand mentality and prepare accordingly. Successful organizations will fight the urge to flee from the problems that will be brought to light by examining their security, or lack thereof.
Strength in Numbers
Many state governments are looking to offer the private sector some support. For example, my home state of Wisconsin supports cyber security teams specifically dedicated to the chemical, manufacturing, food and agriculture, energy and transportation sectors. The key, officials state, is for all entities – public and private – to share information. The government wants to help, but usually lacks the same level of expertise found throughout the private sector.
Collectively, this makes an entire industry weaker from a cyber, data or network perspective. This is why many local governments are challenging companies to consider how that weakest one percent of their security approach could be used to attack the remainder of the organization. Regardless of how strong the rest of the strategy is, hackers will find that weak spot.
They Only Need One
Adding to the complexity of this task for the industrial sector is that the defense has to win every time. The attacker needs a lone score to be victorious – and the attack may not always originate from an obvious opponent. This means IT security strategies should consider not just malicious hackers, but vendors, software integrators, legal entities and even internal system administrators who might unintentionally leave the company vulnerable.
Going to Another Level
Another universal theme is that cyber security can no longer be considered just an IT priority. Due to legal liabilities and potential financial ramifications that will impact everyone from customers and employees to investors, approaches to security should be addressed at the highest level to ensure standard practices are put in place and the proper resources are allocated.
As difficult as it may be to realize, part of this strategy will have to stem from enterprises understanding that they will not always be able to control their own information. However, they can understand the processes that bring this data to different access points. By understanding data flow, investments can be properly channeled to focus on where attacks might occur and how to respond as quickly as possible.
When it comes to cyber security, ignorance is not bliss, and the industrial sector needs to fight the urge to run from these problems. Pretending that there’s a lack of interest in your company’s data, or hiding behind a lack of knowledge, is no longer viable. The way forward is a road built on data-driven decisions. This data and the people generating it, implementing it and making money with it deserve to be properly protected.