A conversation with Jennifer Tisdale, Principal of the Cyber-Physical Systems team GRIMM, a cybersecurity research and engineering firm. GRIMM is a Service, Disabled Veteran-owned Small Business which provides cybersecurity testing, consulting and training to the U.S. military & intelligence agencies, commercial automotive, aerospace, medical and manufacturing industries.
What advice do you have for organizations that have not invested in cybersecurity, and what are they risking by not doing so?
I think we can all agree the topic of cybersecurity is complex. There is no one-size-fits-all solution to protect an organization. If you’re not an expert, it can be very overwhelming when making decisions to balance between cybersecurity and bottom lines.
My advice to organizations apprehensive about investing in cybersecurity, is to acknowledge the varying ways a security breech could impact their business. This could be anything from stopping production, altering product quality, inflicting injury or death in an IT/OT environment, negatively impacting customers and company brand and reputation, or the theft of Intellectual Property harbored on their networks. Cybersecurity is an investment in protecting your organization in much the same manner as physical security. Physical security is necessary to protect your physical assets. Cybersecurity, in this age, is necessary to protect your digital assets.
Once the possible threats or points of entry are identified, I would recommend prioritizing each identified threat by the potential criticality of a breech. Once a prioritized list is created, it affords the organization the opportunity to implement a plan to mitigate risk.
It is important for an organization to recognize security as an action. An ongoing activity, inclusive of many layers, and consisting of an ever-changing threat landscape. This will never be a “one and done” solution. Plans and procedures should be reevaluated often and adjusted accordingly. If a small to mid-size organization does not find it a viable solution to hire internal expertise, contract an expert to assist your entity with developing and implementing a plan.
What are some of the best cybersecurity solutions for remote workforces during and beyond the pandemic?
With an increased, remote workforce, the issue of cybersecurity has reached a new level of criticality. It is now important for organizations to provide their employees with tips and tools to protect company information in a variety of home-based networks. An important key to success will be to focus on employee education for both office staff, and providing knowledge for small office, home office (SOHO) cybersecurity for remote employees.
Keeping your team, networks and assets secure will really boil down to the basics. An organization will need to communicate, clearly, the standards, expectations and processes for device and network security while working remotely. Fundamental practices include:
- Remote-Work Security Policies
- Using Secure VPNs
- Employee education on things such phishing tactics, etc.
- IT Asset Management plans
- Responsive IT support for remote workers
- Limiting personal devices connectivity to the organization network
It is important to recognize that remote-based workers greatly increase the attack surface of an organizations network should they neglect to enact policies to ensure the security of the organizational network.
What can companies do to protect themselves and their remote staff against hacking and data theft during the pandemic?
This question has several variables, depending on the type and size of business. However, when I provide business consultation to my clients, I usually begin by giving them as many free to low cost options, as possible.
Below are a few actions you can take as either an employer or consumer creating a work-from-home environment, to increase the cyber resiliency of your network:
|
ACTION |
CONSUMER |
BUSINESS |
|
Stay vigilant; Check with the router manufacturer to ensure your model is still eligible for security updates |
X |
X |
|
Conduct security updates on devices regularly |
X |
X |
|
Use Ad-blockers |
X |
X |
|
Upgrade devices which have “aged-out” of security updates |
X |
X |
|
Visit the device manufacturer’s website for an up-to-date listing of model numbers supported for security upgrades |
X |
X |
|
Educate users on the importance of cybersecurity best practices |
X |
X |
|
Explain to child-users the interconnectivity of smart devices to the home network |
X |
|
|
Require home-based employees to provide router model information to the company IT department for security validation |
X |
|
|
Provide employees with your IT department’s list of preferred routers and potentially offer company discounts, incentives, or partial reimbursement for employee compliance to support sound cybersecurity practices for the company |
X |
How much has the rate of cybercrime affecting manufacturers risen during the pandemic?
I think the numbers are still out on the cybercrime statistics for manufacturers, specifically, during the pandemic. We do know the global COVID-19 crisis has created a greater opportunity for a variety of cybercrimes. Earlier this month, Interpol reported a significant increase cyber-attacks against critical infrastructure, governments, and major corporations. This indicates a shift from targeting individuals and smaller businesses. However, do not take relief in this statistic if you are a small – mid-size manufacturer. We are seeing an uptick in attacks on manufacturers, especially if you are supplier to any of the identified entities, and especially those performing on government contracts as either a Prime contractor or sub-contractor. It is increasingly important for the defense industrial base, especially manufacturers, to address cybersecurity within their organization and to be compliant to the Defense Federal Acquisition Regulations (DFARS) referencing cybersecurity standards NIST 800-171.
In your opinion, what is the biggest threat to cybersecurity that manufacturers should be aware of?
There are varying threat levels depending on the type of business the organization operates. The most common threats include issues such as: ransomware, loss of production, loss of life or injury, and loss of intellectual property – even brand management issues are a threat to manufacturers.
The most common cybersecurity threats in manufacturing are comprised of:
- Inadequate internal cybersecurity practices often affiliated with lack of employee education
- Lack of cybersecurity prioritization within in the supply chain
- Unanticipated interactions and vulnerabilities between the IT/OT devices and networks
Even if a manufacturer offers a robust cybersecurity program for their IT/OT considerations, they should be mindful to not overlook the cybersecurity practices of their supply chain. Requiring suppliers to outline their cybersecurity practices as part of a contractual obligation is a good, initial step. It is also a recommendation to periodically evaluate or audit the Supplier’s cybersecurity practices and protocols. The smaller the supplier, the less likely cybersecurity will be a priority – unless they are contractually obligated and meeting the cybersecurity requirements of their customers.
What are some common mistakes companies make with their cybersecurity?
- Lack of employee training and education (both onsite and remote workers)
- Includes shared devices within the organization
- Employees personal devices (i.e. laptops, phones, tablets, etc. interacting with the company network)
- Lack of network hygiene
- Inability to have a full visibility into networks
- Not performing risk assessments
- Lack of incident response plans; and tabletop exercises to prepare for a cyber incident
- Lack of prioritizing cybersecurity practices within the supply chain
- Hiring the wrong consultant
Many smaller organizations may not see the need for cybersecurity because they do not feel they are as much of a target for these types of attacks. Why is cybersecurity especially important for these organizations?
Many smaller organizations dismiss cybersecurity concerns for varying reasons. At times, they believe they are too small to be a target. However, the fact they are small, is the exact reason they are targeted. They are an easy mark. Let’s think in terms of physical security, for a moment. The front door of a facility could have a security guard, cameras, the need to present badge identification to enter the building; but if the back door or window is left open – the entire building is now vulnerable. If your smallest supplier is not practicing good cyber hygiene, they are opening the “back door” to their largest customers. It is the easiest point of entry. The supply chain has proven to be one of the largest cybersecurity vulnerabilities and, securing the supply chain is growing in criticality – especially for manufacturers participating performing on government contracts.
About GRIMM:
SMFS, Inc. DBA GRIMM (“GRIMM”), is a Service-Disabled Veteran-Owned Small Business (SDVOSB) at the forefront of cybersecurity research and development, business modernization and computing technologies. GRIMM is led by former military officers and leading industry experts whose collective knowledge is a true differentiator in the area of cybersecurity research, testing, training and technical consulting. GRIMM couples their technical expertise with a business acumen focused on government and industry cybersecurity trends; helping clients increase the cyber resiliency of their systems and products.
GRIMM’s Cyber-Physical Systems Security team is uniquely focused on cybersecurity concerns where hardware and software intersect with WiFi and Bluetooth accessibility.
Connect with GRIMM:
Website: www.grimm-co.com
Twitter: @grimmcyber