Is your Mind Fit for Cyber Security? Business, Episode 2

Hello and welcome to our second session of “Is your mind fit for cybersecurity?” and a business flavor with my good friend Johannes Drooghaag, JD for short, and myself Neville Gaunt. We will launch straight into this element here about the future of cyber security because we speak about the challenges of cybersecurity for existing infrastructure, but so can you highlight where companies get it wrong. So I’m very much of a new business type of guy, I like the gadgets and gimmicks so I’m always out there getting after the new stuff, and have a tendency I must say of forgetting where we’ve come from. Is that the similar issue within the business context?

Yeah you see a similar issue when you look at manufacturing facilities, you see it at infrastructure. The best description I can give to this is that about 80% of the manufacturing capacity and the infrastructure we are using on a daily basis isn’t built in this century, and this century is about 20 years old so we are already 1/5th into the next century but we’re still using last century technology and on a large scale. Now I don’t say a hundred percent of the cyber security threats today didn’t exist last century but it was at least 99 percent that didn’t exist. So what then happened is that we do all kinds of fancy new stuff, we got data centers, we got clouds, we are bringing in IOT, but we’re not taking care of all the infield technology from a cyber security perspective. And then we get in most cases this thought that because something is behind the firewall or nothing happened so far, everything is fine. Now we’ve seen a bunch of examples recently. We got a Norwegian aluminum company (hello guys) who had to stop production for a couple of weeks and it was not just the fact that they had to stop production. It’s also the fact that they had no clue how to bring it back online. We’ve seen hospitals where something very very problematic happened. Nurses who have to do their job, and they have a tough job as it is, also have to take care of all kinds of reports and data, etc., etc, And their part of the infrastructure which in most cases are old PCs and old equipment, wasn’t up-to-date, they did their job and now they are blamed for causing a malware infection. That’s wrong! The people who should have taken care that that couldn’t happen made a mistake.

I really get a picture here. I mean but to me therefore this is a leadership issue, so what does leadership got to do to change that situation?

Well the first the first thing that must change is that we must stop thinking in those buckets that we see currently, right. We have the bucket IT and they do everything technical, we have in the manufacturing area, we have the bucket maintenance they take care of the machines. But in the machines are industrial control systems and “as long as the machine is running, why should we touch the industrial control system?”. But the maintenance responsible person has a tight budget so he basically spends their budget on prevention and reparations. That’s the way it works and a leadership level we need to take that to the next level and say “let’s take the cybersecurity away from the lifecycle of the Machine and start treating it as an actual asset that we need to protect with cybersecurity”. So we do appropriate lifecycles, we do appropriate refreshes, we do appropriate testing, we do appropriate risk evaluations of all those boxes involved and not just of the data center. And that needs to come again from the entire board because we need to get the CFO involved to get out to come up with smart budgets, we need to get the HR department involved because the people working with that technology also need training. They need to understand why it is important. We need of course the support from the IT department but we also need to think about something very interesting. Especially in manufacturing most IT

departments have an office job, let me put it like that and I don’t want to insult anyone by that, but most of them have a standard office job. But when we look in the factory it’s four shifts, five shifts so there’s work at night, there’s work on the weekends. We need to get the experts up and running and when needed even in the plants to be able to implement and monitor the cyber security, and take care of the necessary countermeasures and not have that separation between the production facility and the staff function of IT. That’s a mindset thing, and how do we change mindset? By leadership.

I’ve gotcha and you touch on a subject which is has been very dear to my heart throughout my career, about this silo mentality. We take money out of a particular budget, call it maintenance, and yet actually it’s not. We haven’t got enough money in maintenance because things have changed. New requirements have come in and the maintenance team have just been trained to do a particular job. So today they need to be trained to do something else and we just don’t have the funding. So this silo mentality really is a leadership issue and in some respects, you know just off the top of my head, it’s almost like you need, although it’s everyone’s responsibility about cyber security, you need to have like an overriding group that basically understands the business, understands the external impacts of what’s going on. Almost right down to the nitty gritty type of level but then have the management power, that leadership part you talk about very eloquently, to go and actually do something about it. Because it could actually be really detrimental to the business if you waste time not implementing something that you should be implementing there. But that all appears somewhat within the grasp of a large organization. What about a smaller organization? They’re going to see all the same sort of difficulties and they don’t really have this silo mentality per se because it all ends up in a pot, that’s what I’ve seen, and I’m talking about relatively small businesses here, but nonetheless their priorities are going to be quite stretched because they’re looking at return on investment. So can you of give an example of what how this might be implemented or idealized in a smaller organization?

Well if you take, for example you would take a medical practice, you would have a medical specialist, you would have two, three people on staff. A small organization, quick decisions and they do have some equipment. They have the printer, they have in the computer system where they make all the appointments but they also have for example that x-ray device or that that ultrasonic device. Computers aren’t hooked up to that, and we need as first step, we need to understand and create the awareness that that is IT equipment and that is risk. It’s a risk because if somebody would hack it or somebody will damage it you cannot use the equipment. But it’s also a risk because you have patient information, you have privacy issues. Lots and lots of issues and GDPR for example within the European Union doesn’t care if you’re a big company or a small company. It just looks at your revenue and gives you a penalty. And “I didn’t know” it’s not part of the GDPR because GDPR applies to everybody so you’re supposed to know. So what they can do is make a more realistic view of their surrounding including technology and say okay that might be example given the x-ray device but in reality it’s an x-ray device plus a computer system. Now the x-ray device I still want 10 years because I’ve paid a lot of money for that, and maybe I’m even still paying on the leasing for that. I have 10 years remaining for my ROI or it could even be that you’ve reached ROI but your equipment is still working perfectly, why throw it away? But isolate that technology, that IT technology and start treating it as IT technology with a potential threat which you must keep up-to-date. Now then you can have a different perspective and just call your supplier and say “what is your cybersecurity plan because I am paying you for example a maintenance fee or a service fee and what are you going to do to make sure that my praxis has a proper cybersecurity policy in place”. The next thing they can do is, the large organizations will get large service providers in in place with large budgets and large costs, the smaller companies can look at those cyber security experts who are actually specialized in the small and medium businesses, and have an offering just for them. And all this will help them get a better picture of the risk they’re taking and not just the machine is working or not but also solutions that actually match their portfolio and their requirements. But the first step is make a good picture of what you actually have as technology and make a good picture of what you’re actually having as risk. And if you don’t know how to do it, in the example of the medical practice I love to use this example “when I’m sick I go to the doctor so if you don’t know how to do this yourself get an expert.

They can tell you and all of this is great great advice because you’re already giving them recommendations. You know small businesses I find often saying we haven’t got the money but in actual fact in this particular arena the purchasing power that they have with their supplier is, it’s actually they’re not transferring the risk but your partnership with a risk. So you are reliant upon their expertise a lot. I know a lot of large businesses don’t think this way but a lot of small businesses definitely don’t think this way, that they can go back to the supplier and say come do a complete risk assessment. Particularly in the medical example you give about patient records. You know in the UK we’ve got the NHS and patient records are absolutely paramount. No one goes there hence nothing gets done because it’s this red mist that comes over people’s eyes. They can’t do this and they can’t do that, rather than thinking how can we do something and that’s that as you say, that’s the leadership mind fit way. So that’s, you know, that it’s pretty much simple stuff to you and I but of course if you’re faced with this on a day-to-day basis it can be a little bit daunting. If you just, if we can sum up this section, you got some fantastic recommendations in the first section. If you can give some recommendations as to where they go on their next step that’d be a great help to everybody.

Well I can, and I’m now making advertisement for myself, I recommend everybody if you are in a leadership role in a large organization or you are running a small company, even if you are supporting somebody who’s running a small company, start with a manifesto you can find on my website. I will put the link in this video ( Back to the future cybersecurity, a 10-point manifesto just listing ten very practical points with how you can take responsibility, what you need to look at. It looks at how you need to think about your budget, how you need to think about the risk compared to your budget. Right. You can save cost but then take a risk which you might not survive, and it takes you in ten simple steps to a roadmap of how to handle that. The second thing that everybody needs to keep in mind is hackers do not go after the highly protected highly defensed technology. They go for the weak links and from the weak link they escalate the access to whatever it is that they actually want. So when you have a very fancy new computer system with all the latest greatest insecurity on board and you also have that, let’s take for example the smart refrigerator which is using the password 12345 which is connected to your router or your network or your even your Wi-Fi access point, that’s your weakest link. So focus on the weakest link, keep the strong part up and running but start addressing the weakest links in your cyber security. That’s where the problems start

Brilliant and I’ve seen that download. It’s a download, it’s available on JD site. It is, you know, it’s a starting plan for you to start asking you and your organization the right questions. But like anything else this is not about IT this is about leadership in your organization and all of your senior management junior management and all of your employees are responsible for your cyber security. So we’re going to leave it on that note. It’s only end of session 2, we’re going to come back to session three on a later date. Thanks very much JD, fantastic advice to be giving to small businesses and large businesses and we look forward to seeing you on “is your mind fit for cyber security?” business version next time.