Last year, cyber threats were named the fourth most common concern among CEOs. Today, they rank right after the pandemic and health crisis. The reason is OT and IT convergence, a prerequisite of going digital. Building remote monitoring infrastructure through the IoT and digital twin technology implies exposing physical facilities to IT networks. Vulnerabilities are inevitable in this scenario, as most OT systems were simply not designed with Internet security in mind.

Here we will investigate what to focus on while getting prepared for the worst and what measures will prevent loss of business due to cyber attacks.


Securing people as the first frontline

Eighty-four percent of respondents from the utility industry believe that the most common cause of cyberattacks is employees’ actions. With this in mind, it’s advisable to build a culture of internal monitoring and focus on preventive measures.

Invest in education and employee training

  • Send a weekly employee newsletter with clear instructions on cybersecurity, reminding staff about the risks and action protocols.
  • Organize regular educational sessions on cyber policy and procedures. Such things as “never share your log-in credentials with anyone” or “do not leave any internet devices unsupervised” must be emphasized, along with explanations of what the consequences can be.
  • Make sure your employees are resistant to phishing by sending reminders and showing examples of such emails. It’s especially relevant for payroll staff during the winter holidays.
  • Run emergency training. Check how your executives and employees act during a simulated data breach, find their weaknesses, and focus on them during the next educational sessions.

These actions will ensure security stays at the forefront of your employees’ minds.

Ensure strict access control

  • Create clear protocols and frameworks for data access based on the principle of least privilege. Ensure employees’ access is exactly what they need to carry out their direct responsibilities, no more, no less. Once their access time expires, make sure their session terminates automatically.
  • Apply UEBA (user and event behavioral analytics). It’s a technology based on statistics and machine learning which determines “usual” behavioral patterns for everyone who deals with the system. Once there’s an anomaly like access from an unknown device or location, the algorithm sends an alert signaling that there might be a data breach.
  • Implement multi-factor authentication. Passwords can be easily hacked or shared with other people, so they can’t be the ultimate means of protection. Leverage confirmation calls or messages with one-time codes, biometric authentication, or passphrases.
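The UEBA idea described above, as an added example that is not from the original article: a per-user baseline of known devices and locations, with new logins scored against it. It uses simple set membership in place of the statistical models a UEBA product applies; the event fields, sample logins and `MIN_EVENTS` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events (user, device_id, country); not real data.
HISTORY = [
    ("alice", "laptop-01", "DE"), ("alice", "laptop-01", "DE"),
    ("alice", "phone-07", "DE"), ("alice", "laptop-01", "DE"),
    ("bob", "ws-12", "US"), ("bob", "ws-12", "US"), ("bob", "ws-12", "US"),
]

MIN_EVENTS = 3  # assumed threshold: below this a user's baseline is not trusted


def build_baseline(events):
    """Learn each user's usual devices and locations from past logins."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "count": 0})
    for user, device, country in events:
        profile = baseline[user]
        profile["devices"].add(device)
        profile["countries"].add(country)
        profile["count"] += 1
    return dict(baseline)


def score_login(baseline, user, device, country):
    """Return the list of reasons a login deviates from the user's baseline."""
    profile = baseline.get(user)
    if profile is None or profile["count"] < MIN_EVENTS:
        # Cold start: too little history to call anything "unusual".
        return ["insufficient_baseline"]
    reasons = []
    if device not in profile["devices"]:
        reasons.append("unknown_device")
    if country not in profile["countries"]:
        reasons.append("unknown_location")
    return reasons


def triage(baseline, logins):
    """Map each new login to its alert reasons; an empty list means normal."""
    return {login: score_login(baseline, *login) for login in logins}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    new_logins = [("alice", "laptop-01", "DE"), ("alice", "tablet-99", "BR"),
                  ("bob", "ws-12", "CA"), ("carol", "laptop-33", "US")]
    for login, reasons in triage(base, new_logins).items():
        print(login, "->", reasons or "ok")
```

Users with too little history are reported separately instead of being flagged, so a new hire's first logins do not flood the alert queue.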

Managing processes and security governance  

If people are a random factor that needs to be organized, measurability and predictability are elements that should underlie any business process. To avoid cyberattacks, we recommend taking the following actions:

Create separate security guidelines for IT and OT

It’s vital to set security priorities based on the specifics of your organization and processes. For instance, IT security requires a system to be automatically reset in case of unauthorized access. But it may be unacceptable for OT security reasons, as it causes inconveniences to employees who are using connected devices.

Develop a flexible yet consistent management system

It’s advisable to create a single source of verified data, including each employee’s duties and prescribed security frameworks along with potential penalties. Appoint managers who will check compliance with this documentation and ensure they stay on top of all processes concerning security.

Build security governance

Analyze threats and vulnerabilities and build security governance activities around them. Develop ERM (enterprise risk management) policies and assign concrete actions for both staff and executives to protect the organization’s digital assets. Such questions as “What is security governance?” or “What is its value?” from employees are the first sign you should go back to the first step and invest in education.

Hire a professional security team

When it comes to security, shared responsibility between IT and OT teams is not viable. Putting a qualified chief security officer in charge of cyber, physical, and supply chain security is a decision 50 percent of organizations are likely to take by 2025.

Carefully manage third parties

Ensure the vendor you’ve partnered up with has a strict security policy that matches your requirements. First, it must be a company of tech professionals with proven expertise in protecting their in-house data. Second, they must legally confirm they take responsibility for the safety of the data you grant them access to.

Protecting data at the organizational level

The data we are talking about is not only IT data but also operational and personal. In this context, cybersecurity for business should be based on the CIA triad:

  1. Confidentiality (access to information for authorized parties only)
  2. Integrity (no data modifications during its upload, transition, and storage)
  3. Availability (authorized users can easily access all data when there is a need)

To give secure access to authorized users, implement the following:

Keep systems up-to-date

Apply security patches through regular automatic updates without interrupting OT. The industry dictates its rules: unlike IT companies, you can’t simply shut down a system to restart it and install the updates, as operations are constantly in progress.

There must be redundant counterparts for essential system components that can go offline for updates while the system stays active, which is crucial for business continuity. Cyber attacks can often be prevented with just one timely update, so don’t ignore security alerts.

Implement IDS/IPS

IDS/IPS (Intrusion Detection System/Intrusion Prevention System) analyses suspicious network activities and blocks malicious requests or compromised IPs. IDS instantly sends alerts to security teams and enables them to quickly respond to a potential threat and activate risk management protocols.

Leverage IP and application whitelisting

Instead of trying to protect your system from any potential unauthorized access, there’s an option to create a list of trusted IP addresses and apps. It’s especially relevant in quarantine times, as whitelisting helps to secure remote access by adding BYOD (bring your own device) functionality.
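A default-deny check for the trusted IP and application lists described above, as an added example that is not from the original article. The networks (RFC 5737 documentation ranges), the application bytes and the rule that both checks must pass are constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed allowlists; the ranges are documentation networks (RFC 5737).
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "198.51.100.17/32")]
# Constructed stand-in for the bytes of an approved application binary.
TRUSTED_APP_HASHES = {
    hashlib.sha256(b"constructed scada-client build 1").hexdigest(),
}


def ip_allowed(source):
    """Default-deny check of a source address against the trusted networks."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # unparseable input is never trusted
    # An IPv4 client seen on a dual-stack listener arrives as ::ffff:a.b.c.d,
    # so unwrap it before comparing against the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in TRUSTED_NETWORKS)


def app_allowed(binary):
    """Allow an application only if its SHA-256 digest is on the list."""
    return hashlib.sha256(binary).hexdigest() in TRUSTED_APP_HASHES


def admit(source, binary):
    """Assumed policy: remote access needs a trusted address and a trusted app."""
    return ip_allowed(source) and app_allowed(binary)


if __name__ == "__main__":
    for src in ("192.0.2.44", "::ffff:192.0.2.44", "192.0.3.1", "not-an-ip"):
        print(src, "->", "allow" if ip_allowed(src) else "deny")
```

Matching applications by digest means a patched or tampered binary is denied until its new digest is added to the list.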

Closing thoughts

Implementing a multi-level approach to IT and OT convergence is the key to effective information security governance and risk management. Focus on identifying your vulnerabilities and consider them while building a digital strategy. The best decision is to hire dedicated professionals responsible for security who won’t let cyber threats stand in your way while scaling the business.