With all the big companies in the news for data breaches or other cybersecurity “incidents,” does the average mid-size business really need to worry about cybersecurity?  In his keynote presentation to the 2018 Georgia Construction Conference at the Cobb Energy Centre in Atlanta last week, Greg Chevalier helped a group of finance and operations executives understand that the answer is a definitive “yes,” and not just to protect yourself directly, but also indirectly through your trading partners.

Network traffic has grown rapidly; your cybersecurity needs to evolve with it.  Network traffic has grown exponentially over the last 20 years, driven not just by the adoption of smartphones and laptops for personal use, but by the explosive growth of machines on the network: not just servers, but firewalls, edge routers, webcams, wireless access points, vending machines and thermostats.  Each of these devices is something that needs to be protected, and potentially defended.  In the ‘90s, intrusion prevention systems were largely sufficient to deal with the individual bad actors trying to attack a manageable number of machines built on fairly common security frameworks.  But with the rise of so many different machines on the network, the number of security frameworks has grown just as fast.  This means your cybersecurity now has to solve for a far greater number of potential issues than it did 10, or even 5, years ago.  As a business executive, you have to consider when you last made a meaningful update to your IT security infrastructure.  In response, various industry groups and regulatory bodies have developed security regulations such as PCI (payment cards), HIPAA (healthcare), GLBA (banking) and FINRA (financial services), as well as industry standards such as ISO 27001/2, SOC 1/2 (Type I/II) and SOC 3, and the NIST CSF, to help companies keep their data and their networks secure.

In the IT Supply Chain, security requirements and security problems can also come from your customers or suppliers.  Chevalier introduced the concept of the IT Supply Chain – the connections between vendors, companies, and customers that frequently extend to trusted connections between their IT systems.  If one company is subject to regulatory requirements for IT security, those requirements typically flow to the other partners in its IT Supply Chain.  In a recent survey by Onepath, almost 88% of respondents were subject to a regulatory framework, and 77% had been asked to provide some type of attestation of their IT security compliance within the last year.  So, if a company thinks its own data and systems are not valuable enough to justify cybersecurity, it needs to consider the value of its customers' and suppliers' data.  The Onepath survey indicates that almost 50% of the attestation requests were driven by compliance requirements of customers or suppliers.

The key to cybersecurity is leveraging a comprehensive framework to reduce both the probability of an attack and its potential impact.  One of the most important factors in reducing the impact of an attack is minimizing the time from when you are compromised to when you discover it, and then to the point at which it is contained.  Typically it takes weeks or even months to discover a breach after systems are initially compromised, and then weeks more until it is contained.  Onepath and most industry experts recommend a framework of layered responses: Identify risks, Protect from attacks, Detect when a breach occurs, Respond quickly to contain and mitigate the breach, and then Recover from the attack and improve the systems to prevent subsequent attacks.  Many companies focus only on the Protect phase, and successfully thwart a significant number of attacks.  But eventually an attack will get through, and that is when you can lose data or control of your network and damage begins to occur.
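The two intervals the paragraph singles out (compromise to discovery, and discovery to containment) are the Detect and Respond metrics a security team would track per incident. The script below is an added example, not part of the keynote or of Onepath's material: it computes those intervals over a small constructed incident list, reports the averages, and flags incidents that exceed target thresholds. The incident names, timestamps and the 24-hour/72-hour targets are all constructed assumptions for illustration.

```python
"""Dwell-time and containment-time metrics for a set of incidents.

Added example (not from the original post). The incident records and the
target thresholds are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Incident:
    name: str
    compromised: datetime            # first attacker access, per forensics
    detected: datetime               # when the Detect phase raised the alert
    contained: Optional[datetime]    # when Respond finished; None if still open


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def dwell_hours(inc: Incident) -> float:
    """Hours the attacker was present before detection (compromise -> detected)."""
    if inc.detected < inc.compromised:
        # A detection time earlier than the compromise time means the
        # forensic timeline is wrong; refuse rather than report negative dwell.
        raise ValueError(f"{inc.name}: detected before compromise")
    return _hours(inc.compromised, inc.detected)


def containment_hours(inc: Incident) -> Optional[float]:
    """Hours from detection to containment (detected -> contained), None if open."""
    if inc.contained is None:
        return None
    if inc.contained < inc.detected:
        raise ValueError(f"{inc.name}: contained before detection")
    return _hours(inc.detected, inc.contained)


def summarize(incidents: List[Incident],
              dwell_target_hours: float = 24.0,      # assumed target
              contain_target_hours: float = 72.0) -> Dict[str, object]:
    """Average the two intervals and list incidents that miss each target."""
    dwells = {i.name: dwell_hours(i) for i in incidents}
    contains = {i.name: containment_hours(i) for i in incidents}
    closed = {n: h for n, h in contains.items() if h is not None}
    return {
        "mean_dwell_hours": sum(dwells.values()) / len(dwells) if dwells else 0.0,
        "mean_containment_hours": (sum(closed.values()) / len(closed)) if closed else None,
        "dwell_over_target": sorted(n for n, h in dwells.items() if h > dwell_target_hours),
        "containment_over_target": sorted(n for n, h in closed.items() if h > contain_target_hours),
        "open_incidents": sorted(n for n, h in contains.items() if h is None),
    }


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("phish-01", datetime(2018, 3, 1, 9), datetime(2018, 3, 1, 17), datetime(2018, 3, 2, 9)),
    Incident("vpn-02", datetime(2018, 1, 10), datetime(2018, 2, 21), datetime(2018, 3, 5)),
    Incident("web-03", datetime(2018, 3, 10, 12), datetime(2018, 3, 12, 12), None),
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

In the sample, one incident sat undetected for six weeks and then took twelve days to contain, which drags the averages up exactly the way the paragraph describes; tracking the per-incident values alongside the mean makes such outliers visible rather than hidden in an average.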

Key takeaways:

  1. Use a framework to analyze your risk and your security posture. It may be a regulatory requirement or an industry standard, but you have to get started.
  2. Evaluate your IT supply chain. Understand what requirements your customers and suppliers may be subject to, as well as how secure they are.  You also need to understand whether you are exposing your IT infrastructure to trusted partners who are not secure.
  3. Technology cannot fight the entire battle. A majority of breaches have some human element, whether it is clicking on a dangerous link, exposing passwords, or other risky or naïve behavior.  Remember to train your people.

Be ready to react quickly.  Be prepared to identify a breach and respond to contain it.  Consider leveraging trained experts, a Security Operations Center (SOC), or a Managed Security Service Provider (MSSP) to assist.