Cybersecurity question: Have you ever had your bank account hacked? It’s painful. The financial breach is unsettling enough, but think about the intangible invasion of your privacy, your personal identity. Not to mention the logistical process of recovering from the breach. My own parents have been hacked not once — but twice.
We hear the message about cyber risk loud and clear in our personal lives, and most of us now take ardent steps to stave off hackers at every turn. But what about a cybersecurity mindset at work? Take it from someone like me in the cyber trenches every day:
Everyone at a digital enterprise must be as vigilant against cyber risks at work as they are at home.
There are what we call cyber “endpoints” everywhere: your BYOD phone or tablet, your laptop, connected UPSs, smart panels, IoT-enabled devices at the edge, and the list goes on. Each of these endpoints can let in cyber germs or malware. It’s our individual responsibility to learn and practice good cyber hygiene — constantly — to keep them out. The shared goal here is to enable and empower a thriving digital enterprise, as the benefits of being connected far outweigh staying in the pre-digital dark ages. These include better energy management, more productive industrial operations, transformed customer experiences, and profitable digital business models.
Resilience at the convergence of IT/OT
For manufacturing enterprises facing digital transformation, this call to action must become a continuous mantra across your company, from shop floor to top floor. Consider industrial safety protocols: there are many zones no one would even think about entering without a hard hat. For cyber safety and security, your mindset is your hard hat. And you must wear it all the time.
Why is this culture of cyber hygiene so important?
As the operational technology (OT) layer of industrial companies becomes more and more connected, the IT layer is fast becoming the pathway for intrusions upon this critical OT layer.
Prior to the widespread IT/OT convergence, most companies depended on the fact that OT more or less was obscured by proprietary standards and hard-wired connectivity. The industrial Internet of Things (IIoT) has ushered in a much greater attack surface over more open networks. Every endpoint at our fingertips is a possible path for hackers. Did you hear, for example, about the casino whose high-roller database was hacked through a smart thermostat in the lobby’s fish tank? Imagine the impact on industrial controls with one bad infiltration.
For manufacturers, uptime, productivity, and safety reign supreme. We need IT/OT convergence to enable just-in-time inventory, faster production, improved energy use, heightened safety. So how do we keep a simple breach on a production line from sending everyone scrambling like Lucy and Ethel trying to stay a step ahead of the chocolates? Or a complete, costly shutdown?
Driving home the cyber message
In a strong end-to-end cybersecurity strategy, people are everything. You can have the most secure systems in the industry, but having every employee think like a security engineer is just as important. I have three main points of advice for nurturing an always-on cyber mindset:
- The earlier you start with a security mindset, the better. Investing in awareness and training is much less expensive than the cost of remediation, a damaged reputation, downtime. At Schneider, we provide employees with required and ongoing online security training and gaming challenges to keep security top of mind. We also share information externally through our Cybersecurity Virtual Academy. Our virtual academy provides value-added content and engages customers, prospects, and other interested groups in an ongoing dialogue about cybersecurity topics. We also offer cyber training services for industrial companies trying to close the risk gaps.
- Security must be viewed from a global perspective. What one person does locally can affect everybody throughout your global network. Though the response may be a local or regional one, a global view is paramount to spot system anomalies (e.g., knowing who has access to which critical systems and machines), so invest in identity and access management security. According to Microsoft, known for its trusted cloud, about a third of employees open phishing emails.[1] Just one bad email can be a nefarious gateway to your entire organization, so cultivate a company-wide culture strengthened by responsible cyber citizens.
- In the cyber world, you can never over-communicate. Integrate this message in your internal communication channels to emphasize the cause-and-effect scenarios. Does anyone really want to be the person whose mindless opening of a phishing email brought down an entire company? Keep a steady beat of awareness in your ongoing internal communication channels. But doom and gloom is not the answer. The opportunities of digital transformation are endless, so empower your employees to support the journey securely, proudly owning their role as your company’s cyber citizens. Industrial companies already have a continuous communication strategy on safety (e.g., posters, training, briefs, and incident de-briefs), so we just need to add a focus on security as an essential element of safety strategy and protocols.
Boost your endpoint security
As Schneider’s Chief Digital Officer Hervé Coureil has said, “In a digital world, no company can become a castle.” A digital ecosystem has no perimeter. Prioritizing endpoint security across this ecosystem, including your global supply chain and partner network, is critical. And, as I emphasize time and time again, empower your people to be among your best lines of defense by teaching them how to think and act like security engineers. The health of your digital enterprise is worth it.
[1] “Building a Security Practice with Microsoft” presentation by Anne Johnson, Microsoft VP, Strategic, Enterprise & Cybersecurity