On October 8, we hosted the INSIGHT series webinar “Your Ultimate Cybersecurity Goal Should Be Making More Money” with Berardino Baratta, MxD vice president of projects and engineering; Tom McGoogan, cybersecurity specialist with Boeing Commercial Airplanes (BCA); and John Livingston, CEO of Verve Industrial Protection.
Here we chatted with the presenters to preview their session, exploring how security can boost profits and how we can change mindsets to buy into this approach. Take a look…
Berardino: Profit is generated by either reducing costs or increasing sales. A cyber-attack has significant financial and operational consequences for a business, especially when you consider that small companies are just as likely to be the target of an attack as the large ones.
According to a 2020 Sophos report, the average cost of a ransomware attack for companies that do not pay the ransom is $730,000. That increases to more than $1.4 million for those that do pay. Combine that with the fact that the average downtime due to a ransomware attack is 21 days, and the very survival of a small company is in the balance.
There is also potential to capture sales from competitors if you are able to present your cybersecurity posture as a differentiator. So, both from the standpoint of the risks and of the opportunities, taking steps to secure your operations is essential for profitability.
John: Couldn’t agree more with Berardino. The only thing I might add is that to generate that profit you need to manage the security efficiently. In many organizations we see, the spending on security is not focused on stopping the most significant threats to revenue. As a result, the total “expected value” of the security investment is negative once you take into account Likelihood × Impact relative to spending. So, to get to the result where Investment ≤ Likelihood × Impact, the program needs to focus on critical risks and leverage tools to drive efficiency in the process.
Smart Industry: Is this a matter of changing tools/techniques or changing mindsets? Both? What's the key?
Berardino: It’s a matter of both tools and mindsets, but each will impact the issues differently.
First, assess your operations using one of the existing NIST standards. The NIST Cybersecurity Framework is a great starting point. SP 800-171 is a very comprehensive IT standard. For defense suppliers, CMMC (Cybersecurity Maturity Model Certification) is the new standard that must be implemented. SP 800-82 targets your industrial control systems.
These assessments will tell you where you need to focus your attention. Almost all of the controls will require you to implement new tools and services to secure your operations, but you can’t ignore your workforce.
Let’s use email as an example. There are many tools to identify and remove risky emails, but cybercriminals are constantly finding ways to defeat these protections. That’s why, even after implementing these technologies, you need to train your employees to look for the telltale signs of a phishing email and avoid clicking on the links. At MxD, we’re proactively running phishing campaigns against our employees to increase their awareness. Failing at our simulated attack is ultimately a good thing because we can help that employee learn what to do when a real phishing email comes in.
John: Agree again…it’s both. In IT security, unfortunately, the tools have been added “organically,” meaning that as new threats and types of attacks have emerged, organizations have added tools to protect against that threat. You get this “organic” layering of tools and technologies…think of soil deposits growing over time. Unfortunately, this creates inefficiencies as the overlaps and complexities weigh on the personnel in terms of time and cost.
One of the advantages of being “late to the party” when it comes to security is that OT security can start with a more holistic approach from day one. Let’s not just repeat all the layers that IT security built in, but take a fresh step back and design, for all of those historical threat vectors, technology and organizations that can address these threats in an integrated, simpler fashion.
Smart Industry: How is MxD promoting this approach to security in the manufacturing space?
Berardino: MxD is using a three-pronged approach to helping the manufacturing sector through our 10,000 manufacturers awareness campaign, MxD Cybersecurity Marketplace, and MxD Learn workforce development programs.
The 10,000 manufacturers awareness campaign seeks to help manufacturers understand that there is a risk to their operations regardless of their size. Given the growth of digital engineering and the increased sharing of digital assets among the supply chain, securing these small businesses is critical.
Once we’ve raised their awareness (and maybe scared them a little in the process), MxD and its partners have identified the tools and services they need to secure their operations. One pathway to providing this is our upcoming Cybersecurity Marketplace, which provides low-cost cybersecurity self-assessments that are easy to understand for the average IT user. Based on the outcome of your assessment, the marketplace will recommend tools and services to help you close your gaps and secure your operations.
Finally, to help improve your workforce, MxD Learn is launching a series of instructor-led courses, such as the CyMOT (Cybersecurity for Manufacturing OT) program developed in partnership with UMBC (University of Maryland at Baltimore County). For those who need more flexibility, self-led courses are also under development.
Small and medium-sized manufacturers represent over 98% of US manufacturing companies but often lack the resources to properly secure their operations. This is especially concerning for the 75% of all US manufacturers that have fewer than 20 employees. MxD’s programs target these manufacturers for the greatest potential impact.
John: Several large manufacturers are taking that step back to reassess their IT security, in part as a result of needing to add in the OT element. The approach that we have seen work has several steps:
1. Create a joint team of IT and OT leaders to define the “strategy” and clarify objectives. This includes a clear definition of the greatest risks to the organization and the potential financial impact. This requires a team with IT and OT resources. It also requires that the team be creative in defining the possible threats and impacts.
2. Leverage a framework such as NIST, CIS Top 20, IEC 62443, etc. to provide prescriptive guidance on maturity levels and specific measurable objectives.
3. Assess the environment against that standard and prioritize risks and threats to the organization’s systems. Again, it is critical that the joint team identified in step 1 is involved, as the risks in OT may be challenging to address with traditional operating processes.
4. Create a roadmap of initiatives that is not reactive, but allows for foundational elements that can then add additional layers of protection against those key areas from the assessment. This is a marathon, not a sprint. By thinking ahead, the tools, technologies, processes, training, etc. that are put in place will not conflict or complicate, but instead will form an integrated platform or fabric that gets stronger and more efficient over time.
We have seen many large manufacturers in pharma, consumer goods, etc. as well as utilities take this approach and see significant improvement in efficient security.